On 06/22/2016 09:02 PM, Jeffrey Vander Stoep wrote: > selinux@xxxxxxxxxxxxx to bcc > > Hi Ravi, > > The intent is not to restrict which processes may load modules, but to > place restrictions on the origin of the module itself. Modules, like the > kernel, should live on a verity protected partition. > > If you want system apps to load a kernel module from the system partition > you just need to add an allow rule. e.g. > > # system_app loads /system/lib/module/wlan.ko > allow system_app system_file:system module_load; > > Similar rules may be added for platform_app or system_server. > In Fedora rawhide i see these where the target is "self". example: allow kmod self:system module_load; is that intended? -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
Attachment:
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
