From patchwork Thu May 5 16:49:55 2016
X-Patchwork-Submitter: Douglas Goldstein
X-Patchwork-Id: 9026221
From: Doug Goldstein
To: xen-devel@lists.xen.org
Date: Thu, 5 May 2016 11:49:55 -0500
Message-Id: <1462466995-32290-1-git-send-email-cardoe@cardoe.com>
X-Mailer: git-send-email 2.7.3
In-Reply-To: <1462382446-6680-1-git-send-email-dgdegra@tycho.nsa.gov>
References: <1462382446-6680-1-git-send-email-dgdegra@tycho.nsa.gov>
Cc: Ian Jackson, Daniel De Graaf, Wei Liu, Doug Goldstein
Subject: [Xen-devel] [PATCH] flask/policy: don't audit commandline / build_id queries
List-Id: Xen developer discussion

From: Daniel De Graaf

Signed-off-by: Daniel De Graaf
Signed-off-by: Doug Goldstein
Reviewed-by: Konrad Rzeszutek Wilk
Reviewed-by: Wei Liu
---
 tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index bef33b0..0b1c955 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -155,6 +155,15 @@ allow domain_type xen_t:version { xen_changeset xen_pagesize xen_guest_handle }; +# These queries don't need auditing when denied. They can be +# encountered in normal operation by xl or by reading sysfs files in +# Linux, so without this they will show up in the logs. Since these +# operations return valid responses (like "denied"), hiding the denials +# should not break anything. +dontaudit domain_type xen_t:version { + xen_commandline xen_build_id +}; + ############################################################################### # # Domain creation
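Review bot: The justification in the added comment, "Since these operations return valid responses (like "denied")", is ambiguous about what dontaudit actually changes; suggest rewording it to say that the caller still receives the denial (the hypercall fails as before) and only the audit log line is suppressed, since that is the property that makes this rule safe. Because the rule is scoped to domain_type, denials of xen_commandline and xen_build_id become invisible for every domain, so it is worth adding one sentence telling policy maintainers that this rule must be temporarily removed when debugging policy for these two version queries.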