|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH] flask/policy: don't audit commandline / build_id queries
On Thu, May 05, 2016 at 11:49:55AM -0500, Doug Goldstein wrote:
> From: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
>
> Signed-off-by: Daniel De Graaf <dgdegra@xxxxxxxxxxxxx>
> Signed-off-by: Doug Goldstein <cardoe@xxxxxxxxxx>
Reviewed-by: Wei Liu <wei.liu2@xxxxxxxxxx>
Release-acked-by: Wei Liu <wei.liu2@xxxxxxxxxx>
> ---
> tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te
> b/tools/flask/policy/policy/modules/xen/xen.te
> index bef33b0..0b1c955 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -155,6 +155,15 @@ allow domain_type xen_t:version {
> xen_changeset xen_pagesize xen_guest_handle
> };
>
> +# These queries don't need auditing when denied. They can be
> +# encountered in normal operation by xl or by reading sysfs files in
> +# Linux, so without this they will show up in the logs. Since these
> +# operations return valid responses (like "denied"), hiding the denials
> +# should not break anything.
> +dontaudit domain_type xen_t:version {
> + xen_commandline xen_build_id
> +};
> +
>
> ###############################################################################
> #
> # Domain creation
> --
> 2.7.3
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxx
> http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |