>>>>> kernel_request_load_module(openvpn_t)
>>>>>
>>> create module that allows openvpn_t to request the kernel to load a module:
>>>
>>> mkdir ~/myopenvpn; cd ~/myopenvpn;
>>> echo "policy_module(myopenvpn, 1.0.0)" > myopenvpn.te;
>>> echo "gen_require(\`" >> myopenvpn.te;
>>> echo "type openvpn_t;" >> myopenvpn.te;
>>> echo "')" >> myopenvpn.te;
>>> echo "kernel_request_load_module(openvpn_t)" >> myopenvpn.te;
>>> make -f /usr/share/selinux/devel/Makefile myopenvpn.pp
>>> sudo semodule -i myopenvpn.pp
>>>

I see that this change has been adopted with the -47 version of the policy (FC13) - that was pretty quick!

There was a suggestion for a change to tor.te a while ago as well (see the "tor: dac_override, dac_read_search, name_bind and net_bind_service" thread) - the new version of tor (2.x) provides DNS resolution as part of the service it runs, so it needs to bind to udp/53, and the statement:

corenet_udp_bind_dns_port(tor_t)

does the trick when it is included in tor.te. Currently I do this with patching, but it would be nice to have it as part of the policy in a similar way to how it was done with openvpn.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
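Added example, not part of the original message or of the Fedora policy: the tor change described above written as a local module, in the same way as the quoted openvpn steps, instead of a patch to tor.te. The function name gen_local_te and the module name mytor are assumptions; the identifier checks keep anything other than plain policy names out of the generated source.

```shell
#!/bin/sh
# Added example: emit the .te source of a local SELinux policy module that
# grants one refpolicy interface to one existing domain type.
# gen_local_te and the module name "mytor" are hypothetical names.

# Accept only plain policy identifiers so nothing unexpected lands in the .te.
is_ident() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# usage: gen_local_te MODULE DOMAIN_TYPE INTERFACE [VERSION]
gen_local_te() {
    mod=$1; dom=$2; iface=$3; ver=${4:-1.0.0}
    for name in "$mod" "$dom" "$iface"; do
        is_ident "$name" || { echo "invalid identifier: '$name'" >&2; return 1; }
    done
    case "$dom" in
        *_t) ;;
        *) echo "domain type should end in _t: $dom" >&2; return 1 ;;
    esac
    case "$ver" in
        ''|*[!0-9.]*) echo "invalid version: '$ver'" >&2; return 1 ;;
    esac
    # refpolicy sources are m4: quoting is backtick ... apostrophe.
    cat <<EOF
policy_module($mod, $ver)

gen_require(\`
	type $dom;
')

$iface($dom)
EOF
}

# Typical use, mirroring the quoted openvpn steps:
#   mkdir ~/mytor && cd ~/mytor
#   gen_local_te mytor tor_t corenet_udp_bind_dns_port > mytor.te
#   make -f /usr/share/selinux/devel/Makefile mytor.pp
#   sudo semodule -i mytor.pp
```

A module loaded this way can be withdrawn with `semodule -r mytor` once the distribution policy carries the rule.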