From: russell@coker.com.au (Russell Coker) Date: Sun, 31 Jul 2016 19:48:15 +1000 Subject: [refpolicy] [PATCH] ifconfig loads kernel modules Message-ID: <20160731094815.hnl6jvjkbi77vwoc@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch allows ifconfig to trigger module loads. diff -ruN /home/rjc/src/pol-git/policy/modules/system/sysnetwork.te ./policy/modules/system/sysnetwork.te --- /home/rjc/src/pol-git/policy/modules/system/sysnetwork.te 2016-07-28 20:33:39.971961928 +1000 +++ ./policy/modules/system/sysnetwork.te 2016-07-31 19:47:25.822898970 +1000 @@ -261,6 +261,7 @@ # Ifconfig local policy # +kernel_load_module(ifconfig_t) allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config }; allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use;
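Review bot: the added kernel_load_module(ifconfig_t) line at the top of the "Ifconfig local policy" block looks broader than the description calls for. The message says ifconfig needs to "trigger module loads", which reads like kernel auto-loading of a driver or protocol module on behalf of ifconfig; that case is normally covered by kernel_request_load_module(ifconfig_t), whereas kernel_load_module is the interface for domains that insert modules themselves. Given that ifconfig_t already holds net_admin and sys_admin in the next line, please include the AVC denial that prompted the change so it is clear which permission is actually missing, and use the narrower interface if a module request is all that was denied. As a style point, the call is placed ahead of the self: allow rules; kernel interface calls would sit more naturally after the local allow rules in this section.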