| Message ID | 1462466995-32290-1-git-send-email-cardoe@cardoe.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Thu, May 05, 2016 at 11:49:55AM -0500, Doug Goldstein wrote: > From: Daniel De Graaf <dgdegra@tycho.nsa.gov> > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > Signed-off-by: Doug Goldstein <cardoe@cardoe.com> Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> > --- > tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te > index bef33b0..0b1c955 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.te > +++ b/tools/flask/policy/policy/modules/xen/xen.te > @@ -155,6 +155,15 @@ allow domain_type xen_t:version { > xen_changeset xen_pagesize xen_guest_handle > }; > > +# These queries don't need auditing when denied. They can be > +# encountered in normal operation by xl or by reading sysfs files in > +# Linux, so without this they will show up in the logs. Since these > +# operations return valid responses (like "denied"), hiding the denials > +# should not break anything. > +dontaudit domain_type xen_t:version { > + xen_commandline xen_build_id > +}; > + > ############################################################################### > # > # Domain creation > -- > 2.7.3 > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel
On Thu, May 05, 2016 at 11:49:55AM -0500, Doug Goldstein wrote: > From: Daniel De Graaf <dgdegra@tycho.nsa.gov> > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > Signed-off-by: Doug Goldstein <cardoe@cardoe.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Release-acked-by: Wei Liu <wei.liu2@citrix.com> > --- > tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++ > 1 file changed, 9 insertions(+) > > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te > index bef33b0..0b1c955 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.te > +++ b/tools/flask/policy/policy/modules/xen/xen.te > @@ -155,6 +155,15 @@ allow domain_type xen_t:version { > xen_changeset xen_pagesize xen_guest_handle > }; > > +# These queries don't need auditing when denied. They can be > +# encountered in normal operation by xl or by reading sysfs files in > +# Linux, so without this they will show up in the logs. Since these > +# operations return valid responses (like "denied"), hiding the denials > +# should not break anything. > +dontaudit domain_type xen_t:version { > + xen_commandline xen_build_id > +}; > + > ############################################################################### > # > # Domain creation > -- > 2.7.3 > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index bef33b0..0b1c955 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -155,6 +155,15 @@ allow domain_type xen_t:version { xen_changeset xen_pagesize xen_guest_handle }; +# These queries don't need auditing when denied. They can be +# encountered in normal operation by xl or by reading sysfs files in +# Linux, so without this they will show up in the logs. Since these +# operations return valid responses (like "denied"), hiding the denials +# should not break anything. +dontaudit domain_type xen_t:version { + xen_commandline xen_build_id +}; + ############################################################################### # # Domain creation