From: jason@perfinion.com (Jason Zaman)
Date: Wed, 3 Aug 2016 10:37:33 +0800
Subject: [refpolicy] [PATCH] ifconfig loads kernel modules
In-Reply-To: <201608031228.53604.russell@coker.com.au>
References: <20160731094815.hnl6jvjkbi77vwoc@athena.coker.com.au> <201608031228.53604.russell@coker.com.au>
Message-ID: <20160803023733.GA29738@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Aug 03, 2016 at 12:28:53PM +1000, Russell Coker wrote:
> On Wed, 3 Aug 2016 09:38:02 AM Chris PeBenito wrote:
> > > +kernel_load_module(ifconfig_t)
> > >
> > > allow ifconfig_t self:capability { net_raw net_admin sys_admin
> > >sys_tty_config }; allow ifconfig_t self:process ~{ ptrace setcurrent
> > >setexec setfscreate setrlimit execmem execheap execstack }; allow
> > >ifconfig_t self:fd use;
> >
> > Is this a current denial? If so, what version of net-tools is that on?
> >
> > ifconfig_t already has kernel_request_load_module(ifconfig_t) so I'm
> > unclear why it would be directly loading modules itself.
>
> It's been in my tree for years. I'll remove it and see what happens.

I've seen this on my gentoo machines for a fair while too but not dug
deeper into why. I assumed it was something to do with firmware loading
when the wifi modules come up but could be completely wrong. I think I
only see it during first boot tho not later on.

-- Jason

>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
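
Review bot: the added `kernel_load_module(ifconfig_t)` line comes with no comment and no AVC denial showing what ifconfig was doing when it needed to load a module itself, and the thread notes that ifconfig_t already has `kernel_request_load_module(ifconfig_t)`. Direct module loading is a broader grant than a module request, so please quote the denial (with the net-tools version and the point in boot where it appears) in the commit message and add a one-line comment above the rule explaining the case it covers, or drop the line if the denial no longer reproduces without it.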