This was covered on the seandroid mailing list. Please see https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02418.html
A few things you can do: 1) Patch the kernel to not attempt module loading for alternate execution environments. This code never worked in the kernel anyway, so no harm in pulling it. Something like: diff --git a/kernel/exec_domain.c b/kernel/exec_domain.c index 0dbeae3..a66ea19 100644 --- a/kernel/exec_domain.c +++ b/kernel/exec_domain.c @@ -68,7 +68,8 @@ goto out; } -#ifdef CONFIG_MODULES + +#if 0 read_unlock(&exec_domains_lock); request_module("personality-%d", pers); read_lock(&exec_domains_lock); 2) Add a dontaudit SELinux rule to suppress these: Add the following to your device specific policy: dontaudit domain kernel:system module_request; However, please read https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02433.html before doing so. 3) Backport the patches from https://www.mail-archive.com/seandroid-list@tycho.nsa.gov/msg02418.html -- Nick On Monday, October 12, 2015 at 8:55:28 PM UTC-7, Vishal Mahaveer wrote: > > Hi, > > > In Android-M, below change in bionic was introduced > > https://android-review.googlesource.com/122131 > > > > Which caused lot of SELinux denials to be logged regarding module_request > (similar to below one) for 32bit systems, There is quite a lot of > module_request denials when any 32bit executable is executed. > > > > type=1400 audit(946685139.719:12): avc: denied { module_request } for > pid=1970 comm="tzdatacheck" kmod="personality-8" > scontext=u:r:tzdatacheck:s0 tcontext=u:r:kernel:s0 tclass=system > permissive=1 > > > > > The issue is discussed here > > http://marc.info/?t=144190478400004&r=1&w=2 > > > > For kernel version < 4.0, is there any resolution available for resolving > these denials with out having to backport the removal of execution domain > patches from kernel 4.0? > > Is adding a dontaudit for kernel module_request good option? > > > In our system disabling modules (CONFIG_MODULES=n) is currently not an > option. > > > > > Regards, > > Vishal > -- -- unsubscribe: android-porting+unsubscr...@googlegroups.com website: http://groups.google.com/group/android-porting --- You received this message because you are subscribed to the Google Groups "android-porting" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-porting+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.