From patchwork Wed May 4 17:20:46 2016
X-Patchwork-Submitter: Daniel De Graaf
X-Patchwork-Id: 9017091
From: Daniel De Graaf
To: xen-devel@lists.xen.org
Date: Wed, 4 May 2016 13:20:46 -0400
Message-Id: <1462382446-6680-1-git-send-email-dgdegra@tycho.nsa.gov>
Cc: Daniel De Graaf
Subject: [Xen-devel] [PATCH for-4.7] flask/policy: don't audit version queries

Reported-by: Doug Goldstein
Signed-off-by: Daniel De Graaf
---
tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++
1 file changed, 10 insertions(+)

diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te index bef33b0..fed09a9 100644 --- a/tools/flask/policy/policy/modules/xen/xen.te +++ b/tools/flask/policy/policy/modules/xen/xen.te @@ -155,6 +155,16 @@ allow domain_type xen_t:version { xen_changeset xen_pagesize xen_guest_handle }; +# Version queries don't need auditing when denied. They can be +# encountered in normal operation by xl or by reading sysfs files in +# Linux, so without this they will show up in the logs. Since these +# operations return valid responses (like "denied"), hiding the denials +# should not break anything. +dontaudit domain_type xen_t:version { + xen_extraversion xen_compile_info xen_capabilities xen_changeset + xen_pagesize xen_guest_handle xen_commandline xen_build_id +}; + ############################################################################### # # Domain creation
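Review bot: the new dontaudit set overlaps the allow rule in the hunk's context line (xen_changeset, xen_pagesize and xen_guest_handle appear in both), and a dontaudit on a permission that is already granted never fires; if that allow is unconditional those three are dead entries, and trimming the list to the permissions that are actually refused (xen_extraversion xen_compile_info xen_capabilities xen_commandline xen_build_id) would also document at a glance exactly which version queries are being silenced. The comment should also say plainly that dontaudit drops these denials from the hypervisor log altogether, so an operator later debugging a guest that cannot read, for example, the compile info or command line will find nothing in the log pointing at this rule; and the phrase `return valid responses (like "denied")` would be clearer as a statement that the hypercall simply fails with an error the caller already handles, so nothing in xl or the Linux sysfs reader breaks when the denial is not logged.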