From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 05 Sep 2012 00:57:05 +0200
Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
In-Reply-To: <1346793669-26282-3-git-send-email-bigon@debian.org>
References: <1346793669-26282-1-git-send-email-bigon@debian.org>
	<1346793669-26282-3-git-send-email-bigon@debian.org>
Message-ID: <50468741.6070303@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/09/2012 23:21, Laurent Bigonville wrote:
> From: Mika Pfl?ger <debian@mikapflueger.de>
>
> ---
>   policy/modules/system/iptables.te |    1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index 0646ee7..6f2fb69 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -30,6 +30,7 @@ files_pid_file(iptables_var_run_t)
>   # Iptables local policy
>   #
>
> +kernel_request_load_module(iptables_t)
>   allow iptables_t self:capability { dac_read_search dac_override net_admin net_raw };
>   dontaudit iptables_t self:capability sys_tty_config;
>   allow iptables_t self:fifo_file rw_fifo_file_perms;

Is this for IPv6 ? It was not recommended in NSA security guidelines. 
Has this now been changed ? If not, then perhaps it can be enclosed in 
tunable policy ?

Regards,

Guido