On Wed, 4 Mar 2015 20:21:08 +0000 Sven Vermeulen <sw...@gentoo.org> wrote:
> 1. I can temporarily ignore the issue, perhaps hiding the cosmetic
> denial behind dontaudit statements
> 2. I can restrictively add to kernel_t those rules that do not
> trigger the neverallow rules and ignore/dontaudit the rest
> 3. I can break isolation a bit and explicitly add kernel_t to the
> neverallow rule exemption
> 4. I can move the necessary attributes and statements into the devices
> module (which is part of the base)
> 5. I can move forward with the storage-becomes-base approach

I've been allowing this in my local policy since 2013. I'm sure it was
necessary for something to work, however I don't recall what for. But that
means 1. is not really an option.

For now, I'd just wait for more feedback on the refpolicy ML. This is not an
urgent problem, so I'd prefer not to diverge further from upstream if we can
avoid it. 5. seems to be the cleanest solution, but I've got to dig around a
bit in the refpolicy to estimate the amount of work it'd require.

If we want a temporary fix, I'd go with 3. It's only a tiny change, so it
wouldn't cause too much confusing upstream divergence.

--
Luis Ressel <ara...@aixah.de>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD