From: bigon@debian.org (Laurent Bigonville)
Date: Wed, 5 Sep 2012 11:23:53 +0200
Subject: [refpolicy] [PATCH 3/3] Allow iptables_t to do module_request
In-Reply-To: <504711EC.8030106@trentalancia.com>
References: <1346793669-26282-1-git-send-email-bigon@debian.org>
	<1346793669-26282-3-git-send-email-bigon@debian.org>
	<50468741.6070303@trentalancia.com>
	<201209051030.20351.russell@coker.com.au>
	<504711EC.8030106@trentalancia.com>
Message-ID: <20120905112353.0d5cf2a4@eldamar.bigon.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Le Wed, 05 Sep 2012 10:48:44 +0200,
Guido Trentalancia <guido@trentalancia.com> a ?crit :

> On 05/09/2012 02:30, Russell Coker wrote:
> > On Wed, 5 Sep 2012, Guido Trentalancia <guido@trentalancia.com>
> > wrote:
> >>> +kernel_request_load_module(iptables_t)
> >>>
> >>>    allow iptables_t self:capability { dac_read_search dac_override
> >>> net_admin net_raw }; dontaudit iptables_t self:capability
> >>> sys_tty_config; allow iptables_t self:fifo_file
> >>> rw_fifo_file_perms;
> >>
> >> Is this for IPv6 ? It was not recommended in NSA security
> >> guidelines. Has this now been changed ? If not, then perhaps it
> >> can be enclosed in tunable policy ?
> >
> > No, it happened on systems that didn't use any ip6tables commands.
> 
> So, what is the module that it needs to load ?

On my debian machine, running "iptables -vL" is automatically loading
iptable_filter, ip_tables, x_tables.

But anyway, it seems that iptables.te file on git master is already
containing that line (from 2009) a bit later in the code, so I guess
that patch can just be dropped.

Sorry for the noise,

Cheers

Laurent Bigonville