I have a bit of a conundrum - I have confined a proprietary program with my own policy file. As part of (normal) operation this program tries to load the "net-pf-10" kernel module, and since IPv6 is completely disabled on the target system (via sysctl), that raises a "kernel_t:system { module_request }" AVC.

I know I could add "dontaudit propriety_code_t kernel_t:system { module_request };", but that would apply to *all* kernel modules, which is not what I'd like (I want an AVC raised when this proprietary code tries to load any kernel module *except* "net-pf-10").

Is it possible to use a dontaudit statement and include a specific kernel module - net-pf-10 in my case - or is there a more appropriate solution to this?

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux