From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 5 Sep 2012 11:23:53 +0200
Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
In-Reply-To: <504711EC.8030106@trentalancia.com>
References: <1346793669-26282-1-git-send-email-bigon@debian.org>
 <1346793669-26282-3-git-send-email-bigon@debian.org>
 <50468741.6070303@trentalancia.com>
 <201209051030.20351.russell@coker.com.au>
 <504711EC.8030106@trentalancia.com>
Message-ID: <20120905112353.0d5cf2a4@eldamar.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 05 Sep 2012 10:48:44 +0200,
Guido Trentalancia wrote:

> On 05/09/2012 02:30, Russell Coker wrote:
> > On Wed, 5 Sep 2012, Guido Trentalancia wrote:
> >>> +kernel_request_load_module(iptables_t)
> >>>
> >>> allow iptables_t self:capability { dac_read_search dac_override
> >>> net_admin net_raw }; dontaudit iptables_t self:capability
> >>> sys_tty_config; allow iptables_t self:fifo_file
> >>> rw_fifo_file_perms;
> >>
> >> Is this for IPv6? It was not recommended in NSA security
> >> guidelines. Has this now been changed? If not, then perhaps it
> >> can be enclosed in tunable policy?
> >
> > No, it happened on systems that didn't use any ip6tables commands.
>
> So, what is the module that it needs to load?

On my Debian machine, running "iptables -vL" automatically loads
iptable_filter, ip_tables and x_tables.

But anyway, it seems that the iptables.te file on git master already
contains that line (from 2009) a bit later in the code, so I guess that
patch can just be dropped.

Sorry for the noise,

Cheers

Laurent Bigonville
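Review bot: the added kernel_request_load_module(iptables_t) line duplicates a call that, as noted in the reply, already exists further down in iptables.te on git master, so the hunk should be dropped rather than leaving two copies of the same interface call in the module; if the position next to the self:capability rules is wanted for readability, move the existing call instead of adding a second one.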