From: russell@coker.com.au (Russell Coker)
Date: Wed, 5 Sep 2012 10:30:20 +1000
Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
In-Reply-To: <50468741.6070303@trentalancia.com>
References: <1346793669-26282-1-git-send-email-bigon@debian.org>
	<1346793669-26282-3-git-send-email-bigon@debian.org>
	<50468741.6070303@trentalancia.com>
Message-ID: <201209051030.20351.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com> wrote:
> > +kernel_request_load_module(iptables_t)
> >
> >   allow iptables_t self:capability { dac_read_search dac_override
> >net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config;
> >   allow iptables_t self:fifo_file rw_fifo_file_perms;
> 
> Is this for IPv6 ? It was not recommended in NSA security guidelines. 
> Has this now been changed ? If not, then perhaps it can be enclosed in 
> tunable policy ?

No, it happened on systems that didn't use any ip6tables commands.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/