From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 05 Sep 2012 10:48:44 +0200
Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
In-Reply-To: <201209051030.20351.russell@coker.com.au>
References: <1346793669-26282-1-git-send-email-bigon@debian.org>
 <1346793669-26282-3-git-send-email-bigon@debian.org>
 <50468741.6070303@trentalancia.com>
 <201209051030.20351.russell@coker.com.au>
Message-ID: <504711EC.8030106@trentalancia.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/09/2012 02:30, Russell Coker wrote:
> On Wed, 5 Sep 2012, Guido Trentalancia wrote:
>>> +kernel_request_load_module(iptables_t)
>>>
>>> allow iptables_t self:capability { dac_read_search dac_override
>>> net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config;
>>> allow iptables_t self:fifo_file rw_fifo_file_perms;
>>
>> Is this for IPv6? It was not recommended in NSA security guidelines.
>> Has this now been changed? If not, then perhaps it can be enclosed in
>> tunable policy?
>
> No, it happened on systems that didn't use any ip6tables commands.

So, what is the module that it needs to load?

Guido
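Review bot: the added `kernel_request_load_module(iptables_t)` line has no accompanying comment naming which kernel module iptables_t was observed requesting, which is exactly the question the thread leaves open; since the reply states the request was seen on systems that ran no ip6tables commands, add a comment above the call recording the module that triggered it, or, as suggested earlier in the thread, enclose the call in a tunable_policy block so that module autoloading by iptables_t remains opt-in rather than granted unconditionally.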