From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 05 Sep 2012 00:57:05 +0200
Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
In-Reply-To: <1346793669-26282-3-git-send-email-bigon@debian.org>
References: <1346793669-26282-1-git-send-email-bigon@debian.org> <1346793669-26282-3-git-send-email-bigon@debian.org>
Message-ID: <50468741.6070303@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/09/2012 23:21, Laurent Bigonville wrote:
> From: Mika Pflüger
>
> ---
>  policy/modules/system/iptables.te | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index 0646ee7..6f2fb69 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
>  # Iptables local policy
>  #
>
> +kernel_request_load_module(iptables_t)
>  allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
>  dontaudit iptables_t self:capability sys_tty_config;
>  allow iptables_t self:fifo_file rw_fifo_file_perms;

Is this for IPv6? It was not recommended in NSA security guidelines. Has this now been changed? If not, then perhaps it can be enclosed in tunable policy?

Regards,

Guido
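Review bot: the commit message is empty, so nothing in the hunk says which module request iptables_t was being denied or on which setup it was observed; kernel_request_load_module() grants the domain the module_request permission on the kernel, which lets it trigger on-demand loading of any module the kernel resolves by alias, not only netfilter ones, so the justification belongs in the commit message. If the need is limited to a particular configuration (the reply raises IPv6), wrapping the call in a tunable_policy block behind a boolean, as Guido suggests, would keep the permission off by default and leave the denial auditable for administrators who do not enable it.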