| Message ID | 1462382446-6680-1-git-send-email-dgdegra@tycho.nsa.gov (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
On Wed, May 04, 2016 at 01:20:46PM -0400, Daniel De Graaf wrote: > Reported-by: Doug Goldstein <cardoe@cardoe.com> > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> Wait, why don't we give Doug a chance to respond about the policy he is using. I am really not sure how we would deny permission to these using the default policy. Doug, can you confirm what/when you built the policy? > --- > tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te > index bef33b0..fed09a9 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.te > +++ b/tools/flask/policy/policy/modules/xen/xen.te > @@ -155,6 +155,16 @@ allow domain_type xen_t:version { > xen_changeset xen_pagesize xen_guest_handle > }; > > +# Version queries don't need auditing when denied. They can be > +# encountered in normal operation by xl or by reading sysfs files in > +# Linux, so without this they will show up in the logs. Since these > +# operations return valid responses (like "denied"), hiding the denials > +# should not break anything. > +dontaudit domain_type xen_t:version { > + xen_extraversion xen_compile_info xen_capabilities xen_changeset > + xen_pagesize xen_guest_handle xen_commandline xen_build_id > +}; > + > ############################################################################### > # > # Domain creation > -- > 2.5.5 > > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel
On 5/4/16 12:20 PM, Daniel De Graaf wrote: > Reported-by: Doug Goldstein <cardoe@cardoe.com> > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > --- > tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++ > 1 file changed, 10 insertions(+) > > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te > index bef33b0..fed09a9 100644 > --- a/tools/flask/policy/policy/modules/xen/xen.te > +++ b/tools/flask/policy/policy/modules/xen/xen.te > @@ -155,6 +155,16 @@ allow domain_type xen_t:version { > xen_changeset xen_pagesize xen_guest_handle > }; > > +# Version queries don't need auditing when denied. They can be > +# encountered in normal operation by xl or by reading sysfs files in > +# Linux, so without this they will show up in the logs. Since these > +# operations return valid responses (like "denied"), hiding the denials > +# should not break anything. > +dontaudit domain_type xen_t:version { > + xen_extraversion xen_compile_info xen_capabilities xen_changeset > + xen_pagesize xen_guest_handle xen_commandline xen_build_id > +}; > + > ############################################################################### > # > # Domain creation > Daniel, Locally I did: dontaudit domain_type xen_t:version { xen_commandline xen_build_id }; and that made the denies disappear for running "xl devd".
On Wed, May 04, 2016 at 02:44:56PM -0500, Doug Goldstein wrote: > On 5/4/16 12:20 PM, Daniel De Graaf wrote: > > Reported-by: Doug Goldstein <cardoe@cardoe.com> > > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> > > --- > > tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++ > > 1 file changed, 10 insertions(+) > > > > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te > > index bef33b0..fed09a9 100644 > > --- a/tools/flask/policy/policy/modules/xen/xen.te > > +++ b/tools/flask/policy/policy/modules/xen/xen.te > > @@ -155,6 +155,16 @@ allow domain_type xen_t:version { > > xen_changeset xen_pagesize xen_guest_handle > > }; > > > > +# Version queries don't need auditing when denied. They can be > > +# encountered in normal operation by xl or by reading sysfs files in > > +# Linux, so without this they will show up in the logs. Since these > > +# operations return valid responses (like "denied"), hiding the denials > > +# should not break anything. > > +dontaudit domain_type xen_t:version { > > + xen_extraversion xen_compile_info xen_capabilities xen_changeset > > + xen_pagesize xen_guest_handle xen_commandline xen_build_id > > +}; > > + > > ############################################################################### > > # > > # Domain creation > > > > Daniel, > > Locally I did: > > dontaudit domain_type xen_t:version { > xen_commandline xen_build_id > }; ah, so the only ones that keep on coming back (after you reloaded the policy) where those two? (which is expected as those should only be provided to dom0?) In which case - yes your patch sounds most definitly correct. > > and that made the denies disappear for running "xl devd". > > -- > Doug Goldstein > > _______________________________________________ > Xen-devel mailing list > Xen-devel@lists.xen.org > http://lists.xen.org/xen-devel
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index bef33b0..fed09a9 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -155,6 +155,16 @@ allow domain_type xen_t:version { xen_changeset xen_pagesize xen_guest_handle }; +# Version queries don't need auditing when denied. They can be +# encountered in normal operation by xl or by reading sysfs files in +# Linux, so without this they will show up in the logs. Since these +# operations return valid responses (like "denied"), hiding the denials +# should not break anything. +dontaudit domain_type xen_t:version { + xen_extraversion xen_compile_info xen_capabilities xen_changeset + xen_pagesize xen_guest_handle xen_commandline xen_build_id +}; + ############################################################################### # # Domain creation
Reported-by: Doug Goldstein <cardoe@cardoe.com> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov> --- tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++ 1 file changed, 10 insertions(+)