On 06/22/2016 03:02 PM, Jeffrey Vander Stoep wrote: > selinux@xxxxxxxxxxxxx <mailto:selinux@xxxxxxxxxxxxx> to bcc > > Hi Ravi, > > The intent is not to restrict which processes may load modules, but to > place restrictions on the origin of the module itself. Modules, like the > kernel, should live on a verity protected partition. > > If you want system apps to load a kernel module from the system > partition you just need to add an allow rule. e.g. > > # system_app loads /system/lib/module/wlan.ko > allow system_app system_file:system module_load; > > Similar rules may be added for platform_app or system_server. Actually, that probably won't work for any app domains, as they can't pass the sys_module capability check. So hopefully you only truly need it for system_server. _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
