From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 2 Aug 2016 19:38:02 -0400
Subject: [refpolicy] [PATCH] ifconfig loads kernel modules
In-Reply-To: <20160731094815.hnl6jvjkbi77vwoc@athena.coker.com.au>
References: <20160731094815.hnl6jvjkbi77vwoc@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 07/31/16 05:48, Russell Coker wrote:
> The following patch allows ifconfig to trigger module loads.
>
>
> diff -ruN /home/rjc/src/pol-git/policy/modules/system/sysnetwork.te ./policy/modules/system/sysnetwork.te
> --- /home/rjc/src/pol-git/policy/modules/system/sysnetwork.te 2016-07-28 20:33:39.971961928 +1000
> +++ ./policy/modules/system/sysnetwork.te 2016-07-31 19:47:25.822898970 +1000
> @@ -261,6 +261,7 @@
> # Ifconfig local policy
> #
>
> +kernel_load_module(ifconfig_t)
> allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
> allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
> allow ifconfig_t self:fd use;

Is this a current denial? If so, what version of net-tools is that on? ifconfig_t already has kernel_request_load_module(ifconfig_t) so I'm unclear why it would be directly loading modules itself.

--
Chris PeBenito
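Review bot: the added kernel_load_module(ifconfig_t) line grants ifconfig_t the right to load kernel modules itself, a far broader privilege than the kernel_request_load_module(ifconfig_t) the domain already has (which only lets it ask the kernel to autoload a module by alias), so the patch description should cite the actual AVC denial and net-tools version that require direct loading before this is merged. As a style point, the new interface call is placed above the `allow ifconfig_t self:...` rules; refpolicy convention keeps the domain's own allow rules first and the interface calls after them, so if the change is kept, move the call down with the other interface calls in the Ifconfig local policy block.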