* [PATCH for-4.7] flask/policy: don't audit version queries
@ 2016-05-04 17:20 Daniel De Graaf
2016-05-04 19:25 ` Konrad Rzeszutek Wilk
` (2 more replies)
0 siblings, 3 replies; 7+ messages in thread
From: Daniel De Graaf @ 2016-05-04 17:20 UTC (permalink / raw)
To: xen-devel; +Cc: Daniel De Graaf
Reported-by: Doug Goldstein <cardoe@cardoe.com>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
---
tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index bef33b0..fed09a9 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -155,6 +155,16 @@ allow domain_type xen_t:version {
xen_changeset xen_pagesize xen_guest_handle
};
+# Version queries don't need auditing when denied. They can be
+# encountered in normal operation by xl or by reading sysfs files in
+# Linux, so without this they will show up in the logs. Since these
+# operations return valid responses (like "denied"), hiding the denials
+# should not break anything.
+dontaudit domain_type xen_t:version {
+ xen_extraversion xen_compile_info xen_capabilities xen_changeset
+ xen_pagesize xen_guest_handle xen_commandline xen_build_id
+};
+
###############################################################################
#
# Domain creation
--
2.5.5
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH for-4.7] flask/policy: don't audit version queries
2016-05-04 17:20 [PATCH for-4.7] flask/policy: don't audit version queries Daniel De Graaf
@ 2016-05-04 19:25 ` Konrad Rzeszutek Wilk
2016-05-04 19:44 ` Doug Goldstein
2016-05-05 16:49 ` [PATCH] flask/policy: don't audit commandline / build_id queries Doug Goldstein
2 siblings, 0 replies; 7+ messages in thread
From: Konrad Rzeszutek Wilk @ 2016-05-04 19:25 UTC (permalink / raw)
To: Daniel De Graaf, cardoe; +Cc: xen-devel
On Wed, May 04, 2016 at 01:20:46PM -0400, Daniel De Graaf wrote:
> Reported-by: Doug Goldstein <cardoe@cardoe.com>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Wait, why don't we give Doug a chance to respond about the
policy he is using. I am really not sure how we would deny
permission to these using the default policy.
Doug, can you confirm what/when you built the policy?
> ---
> tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> index bef33b0..fed09a9 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -155,6 +155,16 @@ allow domain_type xen_t:version {
> xen_changeset xen_pagesize xen_guest_handle
> };
>
> +# Version queries don't need auditing when denied. They can be
> +# encountered in normal operation by xl or by reading sysfs files in
> +# Linux, so without this they will show up in the logs. Since these
> +# operations return valid responses (like "denied"), hiding the denials
> +# should not break anything.
> +dontaudit domain_type xen_t:version {
> + xen_extraversion xen_compile_info xen_capabilities xen_changeset
> + xen_pagesize xen_guest_handle xen_commandline xen_build_id
> +};
> +
> ###############################################################################
> #
> # Domain creation
> --
> 2.5.5
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-4.7] flask/policy: don't audit version queries
2016-05-04 17:20 [PATCH for-4.7] flask/policy: don't audit version queries Daniel De Graaf
2016-05-04 19:25 ` Konrad Rzeszutek Wilk
@ 2016-05-04 19:44 ` Doug Goldstein
2016-05-04 19:59 ` Konrad Rzeszutek Wilk
2016-05-05 16:49 ` [PATCH] flask/policy: don't audit commandline / build_id queries Doug Goldstein
2 siblings, 1 reply; 7+ messages in thread
From: Doug Goldstein @ 2016-05-04 19:44 UTC (permalink / raw)
To: xen-devel; +Cc: Daniel De Graaf
[-- Attachment #1.1.1: Type: text/plain, Size: 1455 bytes --]
On 5/4/16 12:20 PM, Daniel De Graaf wrote:
> Reported-by: Doug Goldstein <cardoe@cardoe.com>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> ---
> tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++
> 1 file changed, 10 insertions(+)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> index bef33b0..fed09a9 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -155,6 +155,16 @@ allow domain_type xen_t:version {
> xen_changeset xen_pagesize xen_guest_handle
> };
>
> +# Version queries don't need auditing when denied. They can be
> +# encountered in normal operation by xl or by reading sysfs files in
> +# Linux, so without this they will show up in the logs. Since these
> +# operations return valid responses (like "denied"), hiding the denials
> +# should not break anything.
> +dontaudit domain_type xen_t:version {
> + xen_extraversion xen_compile_info xen_capabilities xen_changeset
> + xen_pagesize xen_guest_handle xen_commandline xen_build_id
> +};
> +
> ###############################################################################
> #
> # Domain creation
>
Daniel,
Locally I did:
dontaudit domain_type xen_t:version {
xen_commandline xen_build_id
};
and that made the denies disappear for running "xl devd".
--
Doug Goldstein
[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 959 bytes --]
[-- Attachment #2: Type: text/plain, Size: 126 bytes --]
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH for-4.7] flask/policy: don't audit version queries
2016-05-04 19:44 ` Doug Goldstein
@ 2016-05-04 19:59 ` Konrad Rzeszutek Wilk
0 siblings, 0 replies; 7+ messages in thread
From: Konrad Rzeszutek Wilk @ 2016-05-04 19:59 UTC (permalink / raw)
To: Doug Goldstein; +Cc: Daniel De Graaf, xen-devel
On Wed, May 04, 2016 at 02:44:56PM -0500, Doug Goldstein wrote:
> On 5/4/16 12:20 PM, Daniel De Graaf wrote:
> > Reported-by: Doug Goldstein <cardoe@cardoe.com>
> > Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> > ---
> > tools/flask/policy/policy/modules/xen/xen.te | 10 ++++++++++
> > 1 file changed, 10 insertions(+)
> >
> > diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> > index bef33b0..fed09a9 100644
> > --- a/tools/flask/policy/policy/modules/xen/xen.te
> > +++ b/tools/flask/policy/policy/modules/xen/xen.te
> > @@ -155,6 +155,16 @@ allow domain_type xen_t:version {
> > xen_changeset xen_pagesize xen_guest_handle
> > };
> >
> > +# Version queries don't need auditing when denied. They can be
> > +# encountered in normal operation by xl or by reading sysfs files in
> > +# Linux, so without this they will show up in the logs. Since these
> > +# operations return valid responses (like "denied"), hiding the denials
> > +# should not break anything.
> > +dontaudit domain_type xen_t:version {
> > + xen_extraversion xen_compile_info xen_capabilities xen_changeset
> > + xen_pagesize xen_guest_handle xen_commandline xen_build_id
> > +};
> > +
> > ###############################################################################
> > #
> > # Domain creation
> >
>
> Daniel,
>
> Locally I did:
>
> dontaudit domain_type xen_t:version {
> xen_commandline xen_build_id
> };
ah, so the only ones that keep on coming back (after you reloaded the policy)
where those two? (which is expected as those should only be provided to dom0?)
In which case - yes your patch sounds most definitly correct.
>
> and that made the denies disappear for running "xl devd".
>
> --
> Doug Goldstein
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] flask/policy: don't audit commandline / build_id queries
2016-05-04 17:20 [PATCH for-4.7] flask/policy: don't audit version queries Daniel De Graaf
2016-05-04 19:25 ` Konrad Rzeszutek Wilk
2016-05-04 19:44 ` Doug Goldstein
@ 2016-05-05 16:49 ` Doug Goldstein
2016-05-05 18:00 ` Konrad Rzeszutek Wilk
2016-05-05 19:37 ` Wei Liu
2 siblings, 2 replies; 7+ messages in thread
From: Doug Goldstein @ 2016-05-05 16:49 UTC (permalink / raw)
To: xen-devel; +Cc: Ian Jackson, Daniel De Graaf, Wei Liu, Doug Goldstein
From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
---
tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
index bef33b0..0b1c955 100644
--- a/tools/flask/policy/policy/modules/xen/xen.te
+++ b/tools/flask/policy/policy/modules/xen/xen.te
@@ -155,6 +155,15 @@ allow domain_type xen_t:version {
xen_changeset xen_pagesize xen_guest_handle
};
+# These queries don't need auditing when denied. They can be
+# encountered in normal operation by xl or by reading sysfs files in
+# Linux, so without this they will show up in the logs. Since these
+# operations return valid responses (like "denied"), hiding the denials
+# should not break anything.
+dontaudit domain_type xen_t:version {
+ xen_commandline xen_build_id
+};
+
###############################################################################
#
# Domain creation
--
2.7.3
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] flask/policy: don't audit commandline / build_id queries
2016-05-05 16:49 ` [PATCH] flask/policy: don't audit commandline / build_id queries Doug Goldstein
@ 2016-05-05 18:00 ` Konrad Rzeszutek Wilk
2016-05-05 19:37 ` Wei Liu
1 sibling, 0 replies; 7+ messages in thread
From: Konrad Rzeszutek Wilk @ 2016-05-05 18:00 UTC (permalink / raw)
To: Doug Goldstein; +Cc: Wei Liu, Daniel De Graaf, Ian Jackson, xen-devel
On Thu, May 05, 2016 at 11:49:55AM -0500, Doug Goldstein wrote:
> From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
> ---
> tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> index bef33b0..0b1c955 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -155,6 +155,15 @@ allow domain_type xen_t:version {
> xen_changeset xen_pagesize xen_guest_handle
> };
>
> +# These queries don't need auditing when denied. They can be
> +# encountered in normal operation by xl or by reading sysfs files in
> +# Linux, so without this they will show up in the logs. Since these
> +# operations return valid responses (like "denied"), hiding the denials
> +# should not break anything.
> +dontaudit domain_type xen_t:version {
> + xen_commandline xen_build_id
> +};
> +
> ###############################################################################
> #
> # Domain creation
> --
> 2.7.3
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] flask/policy: don't audit commandline / build_id queries
2016-05-05 16:49 ` [PATCH] flask/policy: don't audit commandline / build_id queries Doug Goldstein
2016-05-05 18:00 ` Konrad Rzeszutek Wilk
@ 2016-05-05 19:37 ` Wei Liu
1 sibling, 0 replies; 7+ messages in thread
From: Wei Liu @ 2016-05-05 19:37 UTC (permalink / raw)
To: Doug Goldstein; +Cc: Wei Liu, Daniel De Graaf, Ian Jackson, xen-devel
On Thu, May 05, 2016 at 11:49:55AM -0500, Doug Goldstein wrote:
> From: Daniel De Graaf <dgdegra@tycho.nsa.gov>
>
> Signed-off-by: Daniel De Graaf <dgdegra@tycho.nsa.gov>
> Signed-off-by: Doug Goldstein <cardoe@cardoe.com>
Reviewed-by: Wei Liu <wei.liu2@citrix.com>
Release-acked-by: Wei Liu <wei.liu2@citrix.com>
> ---
> tools/flask/policy/policy/modules/xen/xen.te | 9 +++++++++
> 1 file changed, 9 insertions(+)
>
> diff --git a/tools/flask/policy/policy/modules/xen/xen.te b/tools/flask/policy/policy/modules/xen/xen.te
> index bef33b0..0b1c955 100644
> --- a/tools/flask/policy/policy/modules/xen/xen.te
> +++ b/tools/flask/policy/policy/modules/xen/xen.te
> @@ -155,6 +155,15 @@ allow domain_type xen_t:version {
> xen_changeset xen_pagesize xen_guest_handle
> };
>
> +# These queries don't need auditing when denied. They can be
> +# encountered in normal operation by xl or by reading sysfs files in
> +# Linux, so without this they will show up in the logs. Since these
> +# operations return valid responses (like "denied"), hiding the denials
> +# should not break anything.
> +dontaudit domain_type xen_t:version {
> + xen_commandline xen_build_id
> +};
> +
> ###############################################################################
> #
> # Domain creation
> --
> 2.7.3
>
>
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xen.org
> http://lists.xen.org/xen-devel
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2016-05-05 19:37 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-04 17:20 [PATCH for-4.7] flask/policy: don't audit version queries Daniel De Graaf
2016-05-04 19:25 ` Konrad Rzeszutek Wilk
2016-05-04 19:44 ` Doug Goldstein
2016-05-04 19:59 ` Konrad Rzeszutek Wilk
2016-05-05 16:49 ` [PATCH] flask/policy: don't audit commandline / build_id queries Doug Goldstein
2016-05-05 18:00 ` Konrad Rzeszutek Wilk
2016-05-05 19:37 ` Wei Liu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).