From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Date: Fri, 6 May 2016 10:03:28 +0000 (+0200)
Subject: flask/policy: don't audit commandline / build_id queries
X-Git-Tag: archive/raspbian/4.8.0-1+rpi1~1^2~1156
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=1fb8dc56e7d5284f8006ded76f8452f18ad9b0d2;p=xen.git

flask/policy: don't audit commandline / build_id queries

Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
---

diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index bef33b03c3..0b1c955b4f 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -155,6 +155,15 @@ allow domain_type xen_t:version {
     xen_changeset xen_pagesize xen_guest_handle
 };
 
+# These queries don't need auditing when denied.  They can be
+# encountered in normal operation by xl or by reading sysfs files in
+# Linux, so without this they will show up in the logs.  Since these
+# operations return valid responses (like "denied"), hiding the denials
+# should not break anything.
+dontaudit domain_type xen_t:version {
+    xen_commandline xen_build_id
+};
+
 ###############################################################################
 #
 # Domain creation