Description of problem:
Add support for allowxperm and related policy constructs in the SELinux module policy so that the fine grained ioctl controls can be utilized in modular policy.

Additional info:
More information on allowxperm and the fine grained ioctl controls can be found at the link below.
-> http://selinuxproject.org/page/XpermRules
It works with CIL on Fedora 24 and later:

$ cat localallowxperm.cil
(allowx staff_t etc_t (ioctl file (0x40)))
$ sudo semodule -i localallowxperm.cil
$ sudo semodule -l | grep allowxperm
localallowxperm
Goodie, thanks!
checkpolicy-2.5-6.fc24, libselinux-2.5-9.fc24, libsemanage-2.5-5.fc24, libsepol-2.5-8.fc24, policycoreutils-2.5-12.fc24, secilc-2.5-4.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-84d1f77e58
checkpolicy-2.5-6.fc24, libselinux-2.5-9.fc24, libsemanage-2.5-5.fc24, libsepol-2.5-8.fc24, policycoreutils-2.5-12.fc24, secilc-2.5-4.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.