This should now be possible since the policy.30 support is available in libsepol/checkpolicy and the kernel. Requires use of a CIL policy module to define ioctl whitelists, since we have not implemented support in the old binary module format and do not plan to do so.
Resolved via b6e5e01a282582322185d67eb628569ac1a9f2dc.
This relies on an extension to the binary module format to support ioctl xperms rather than using a CIL module.