[Xen-devel] [PATCH for-4.7] flask/policy: don't audit version queries

Daniel De Graaf Wed, 04 May 2016 10:21:25 -0700

Reported-by: Doug Goldstein <car...@cardoe.com>
Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov>
---
 tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++
 1 file changed, 10 insertions(+)


diff --git a/tools/flask/policy/policy/modules/xen/xen.te 
b/tools/flask/policy/policy/modules/xen/xen.te
index bef33b0..fed09a9 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -155,6 +155,16 @@ allow domain_type xen_t:version {
     xen_changeset xen_pagesize xen_guest_handle
 };
 
+# Version queries don't need auditing when denied.  They can be
+# encountered in normal operation by xl or by reading sysfs files in
+# Linux, so without this they will show up in the logs.  Since these
+# operations return valid responses (like "denied"), hiding the denials
+# should not break anything.
+dontaudit domain_type xen_t:version {
+       xen_extraversion xen_compile_info xen_capabilities xen_changeset
+       xen_pagesize xen_guest_handle xen_commandline xen_build_id
+};
+
 ###############################################################################
 #
 # Domain creation
-- 
2.5.5


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

[Xen-devel] [PATCH for-4.7] flask/policy: don't audit version queries

Reply via email to