On Thu, May 05, 2016 at 11:49:55AM -0500, Doug Goldstein wrote:
> From: Daniel De Graaf <dgde...@tycho.nsa.gov>
>
> Signed-off-by: Daniel De Graaf <dgde...@tycho.nsa.gov>
> Signed-off-by: Doug Goldstein <car...@cardoe.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.w...@oracle.com>
> ---
> tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te
> b/tools/flask/policy/policy/modules/xen/xen.te
> index bef33b0..0b1c955 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -155,6 +155,15 @@ allow domain_type xen_t:version {
> xen_changeset xen_pagesize xen_guest_handle
> };
>
> +# These queries don't need auditing when denied. They can be
> +# encountered in normal operation by xl or by reading sysfs files in
> +# Linux, so without this they will show up in the logs. Since these
> +# operations return valid responses (like "denied"), hiding the denials
> +# should not break anything.
> +dontaudit domain_type xen_t:version {
> + xen_commandline xen_build_id
> +};
> +
>
> ###############################################################################
> #
> # Domain creation
> --
> 2.7.3
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
