From: russell@coker.com.au (Russell Coker)
Date: Wed, 5 Sep 2012 10:30:20 +1000
Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
In-Reply-To: <50468741.6070303@trentalancia.com>
References: <1346793669-26282-1-git-send-email-bigon@debian.org> <1346793669-26282-3-git-send-email-bigon@debian.org> <50468741.6070303@trentalancia.com>
Message-ID: <201209051030.20351.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 5 Sep 2012, Guido Trentalancia wrote:
> > +kernel_request_load_module(iptables_t)
> >
> > allow iptables_t self:capability { dac_read_search dac_override
> >net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config;
> > allow iptables_t self:fifo_file rw_fifo_file_perms;
>
> Is this for IPv6? It was not recommended in NSA security guidelines.
> Has this now been changed? If not, then perhaps it can be enclosed in
> tunable policy?

No, it happened on systems that didn't use any ip6tables commands.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
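Review bot: the commit message should record which module load request was being denied, because neither the hunk nor the quoted context says, and the question on the list ("Is this for IPv6?") is exactly the one a reviewer cannot answer from the visible lines. `kernel_request_load_module(iptables_t)` as added is a blanket grant of module_request for iptables_t; nothing in the hunk ties it to a specific module, and the fragment carries no `@@` header or file path to show where in iptables.te it lands. Suggest quoting the motivating AVC denial (with the requested module name) in the commit message or in a comment beside the call, so the breadth of the grant can be judged against the reported need; the reply that it occurred on systems with no ip6tables use suggests the trigger is not IPv6-specific, which is the fact that would decide whether a tunable_policy block, as proposed in the thread, is the right shape for this change.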