From: jason@perfinion.com (Jason Zaman)
Date: Wed, 3 Aug 2016 10:37:33 +0800
Subject: [refpolicy] [PATCH] ifconfig loads kernel modules
In-Reply-To: <201608031228.53604.russell@coker.com.au>
References: <20160731094815.hnl6jvjkbi77vwoc@athena.coker.com.au>
	<c0563d49-fd21-b30b-98ad-dbbe5a09fb04@ieee.org>
	<201608031228.53604.russell@coker.com.au>
Message-ID: <20160803023733.GA29738@meriadoc.perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, Aug 03, 2016 at 12:28:53PM +1000, Russell Coker wrote:
> On Wed, 3 Aug 2016 09:38:02 AM Chris PeBenito wrote:
> > > +kernel_load_module(ifconfig_t)
> > >
> > >  allow ifconfig_t self:capability { net_raw net_admin sys_admin
> > >sys_tty_config }; allow ifconfig_t self:process ~{ ptrace setcurrent
> > >setexec setfscreate setrlimit execmem execheap execstack }; allow
> > >ifconfig_t self:fd use;
> > 
> > Is this a current denial?  If so, what version of net-tools is that on?
> > 
> > ifconfig_t already has kernel_request_load_module(ifconfig_t) so I'm 
> > unclear why it would be directly loading modules itself.
> 
> It's been in my tree for years.  I'll remove it and see what happens.

I've seen this on my gentoo machines for a fair while too but not dug
deeper into why. I assumed it was something to do with firmware loading
when the wifi modules come up but could be completely wrong. I think I
only see it during first boot tho not later on.

-- Jason
> 
> -- 
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy