On Wed, Mar 04, 2015 at 11:04:34PM +0100, Luis Ressel wrote:
> On Wed, 4 Mar 2015 20:21:08 +0000
> Sven Vermeulen <[email protected]> wrote:
> 
> > 1. I can temporarily ignore the issue, perhaps hiding the cosmetic
> > denial behind dontaudit statements
> > 2. I can restrictively add to kernel_t those rules that do not
> > trigger the neverallow rules and ignore/dontaudit the rest
> > 3. I can break isolation a bit and explicitly add kernel_t to the
> > neverallow rule exemption
> > 4. I can move the necessary attributes and statements into the devices
> >    module (which is part of the base)
> > 5. I can move forward with the storage-becomes-base approach
> 
> I've been allowing this in my local policy since 2013. I'm sure it was
> necessary for something to work, however I don't recall what for. But
> that means 1. is not really an option.
> 
> For now, I'd just wait for more feedback on the refpolicy ML. This is
> not an urgent problem, so I'd prefer not to diverge further from
> upstream if we can avoid it.

I also think we should deviate as little as possible from upstream.
> 
> 5. seems to be the cleanest solution, but I've got to dig around a bit
> in the refpolicy to estimate the amount of work it'd require.
> 
> If we want a temporary fix, I'd go with 3. It's only a tiny change, so
> it wouldn't cause too much confusing upstream divergence.

I don't think this is a very high priority issue so we can probably
upstream it first and then fix it in gentoo. Storage becoming base
makes sense since storage is pretty important. The patch in the email
seemed reasonable, although I think we'd also need to add to the eclass
that when inserting a new module it will check priority 100 and remove
it after inserting the new module.

-- Jason
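
The eclass step Jason describes above (check whether a module copy is installed at priority 100 and remove it once the new module is in place) could be driven by the output of `semodule --list-modules=full`, which prints one `<priority> <name> <format>` line per installed module. The following shell helpers are an added example, not code from this thread or from the Gentoo eclass; the listing they parse is a constructed sample, and the module names and priorities in it are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the Gentoo selinux eclass.
# Parses `semodule --list-modules=full` output ("<priority> <name> <format>"
# per line) so a post-insert step can decide which stale priority-100 copies
# to remove with `semodule -X 100 -r <name>`.

# Constructed sample listing; stands in for `semodule --list-modules=full`.
# "storage" appears at both 100 (old copy) and 400 (newly inserted copy).
SAMPLE_LISTING='100 storage pp
100 devices pp
400 storage pp
100 kernel pp'

# module_at_priority LISTING PRIORITY NAME
# Prints "yes" if NAME is installed at PRIORITY, "no" otherwise.
module_at_priority() {
    printf '%s\n' "$1" | awk -v prio="$2" -v name="$3" '
        $1 == prio && $2 == name { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# modules_to_drop LISTING PRIORITY
# Prints, one per line, the names installed at PRIORITY that are also installed
# at a higher priority, i.e. old copies shadowed by a newer module.
modules_to_drop() {
    printf '%s\n' "$1" | awk -v prio="$2" '
        {
            seen[$2, $1] = 1
            if (($1 + 0) > (max[$2] + 0)) max[$2] = $1 + 0
        }
        END {
            for (m in max)
                if (seen[m, prio] && max[m] > (prio + 0)) print m
        }'
}

# remove_cmd NAME PRIORITY
# Prints the semodule invocation that removes NAME at PRIORITY only; it does
# not run it, so the caller can log or review the command first.
remove_cmd() {
    printf 'semodule -X %s -r %s\n' "$2" "$1"
}

# Walk the sample: for every shadowed priority-100 module, print the removal
# command that the eclass step would execute after the new module is inserted.
for mod in $(modules_to_drop "$SAMPLE_LISTING" 100); do
    remove_cmd "$mod" 100
done
```

On a real system the listing argument would be `"$(semodule --list-modules=full)"`; removing only at priority 100 (`-X 100`) leaves the freshly inserted higher-priority copy untouched, which is the point of checking the priority before removal.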
