I have a bit of a conundrum - I have confined proprietary code with my
own policy file. As part of (normal) operation this program tries to
load the "net-pf-10" kernel module and since IPv6 is completely disabled
on the target system (via sysctl) that raises "kernel_t:system {
module_request }" avc.
I know I could add "dontaudit propriety_code_t kernel_t:system {
module_request };", but that would apply to *all* kernel modules, which
is not what I'd like (I want avc raised when this proprietary code tries
to load any kernel module *except* "net-pf-10").
Is it possible to use a dontaudit statement and include a specific kernel
module - net-pf-10 in my case - or is there a more appropriate solution
to this?
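A note on the mechanism the question turns on: the module_request check is decided by the policy per source domain against kernel_t, and the requested module's name is not part of that decision; it only surfaces in the audit record, as the kmod= field. One alternative to a blanket dontaudit is therefore to keep auditing every module_request and drop the expected net-pf-10 record downstream, so any other module request stays visible. The following Python is an added example written for this page, not code from the poster or from the SELinux project. It assumes the usual auditd AVC line layout with a kmod= field on module_request denials; the sample records, the comm="propcode" name and the PIDs are constructed.

```python
import re

# Regex for the parts of an auditd AVC record that matter here. The layout
# follows the common "avc: denied { perms } for key=value ..." form; the
# kmod= field is assumed to carry the requested module name.
_AVC_RE = re.compile(
    r'avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)'
)
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields in one audit line, or None if it is not an AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {"decision": m.group("decision"),
           "perms": set(m.group("perms").split())}
    for key, val in _KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def source_type(ctx):
    """Extract the type from a user:role:type[:mls] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ctx


def noisy_module_requests(lines, domain, ignored_modules):
    """Return module_request denials from `domain` that are NOT for an ignored module.

    This is the log-side equivalent of a dontaudit limited to named modules:
    the policy keeps auditing every module_request, and this filter discards
    the expected ones so the remaining denials are still reported.
    """
    keep = []
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        if "module_request" not in rec["perms"] or rec.get("tclass") != "system":
            continue
        if source_type(rec.get("scontext", "")) != domain:
            continue
        if rec.get("kmod") in ignored_modules:
            continue
        keep.append(rec)
    return keep


# Constructed sample records (not captured from a real system): the expected
# net-pf-10 request, an unexpected module request, and an unrelated denial.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1500000000.101:201): avc:  denied  { module_request } for  pid=4242 comm="propcode" kmod="net-pf-10" scontext=system_u:system_r:propriety_code_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system',
    'type=AVC msg=audit(1500000000.102:202): avc:  denied  { module_request } for  pid=4242 comm="propcode" kmod="nf_conntrack" scontext=system_u:system_r:propriety_code_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system',
    'type=AVC msg=audit(1500000000.103:203): avc:  denied  { read } for  pid=4242 comm="propcode" name="shadow" dev="sda1" ino=12 scontext=system_u:system_r:propriety_code_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file',
]

if __name__ == "__main__":
    # Feed real records with e.g. `ausearch -m avc --raw` piped into this script.
    for rec in noisy_module_requests(SAMPLE_AUDIT, "propriety_code_t", {"net-pf-10"}):
        print("unexpected module request: kmod=%s pid=%s comm=%s"
              % (rec["kmod"], rec["pid"], rec["comm"]))
```

The filter deliberately matches only tclass=system with module_request, so the unrelated file denial in the sample is left for the normal AVC review path rather than being swallowed; the trade-off against dontaudit is that the net-pf-10 records still land in the audit log and consume space there.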