From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 08 Aug 2016 19:11:36 +0200 Subject: [refpolicy] [PATCH] Ifconfig should be able to read firmware files and load kernel modules Message-ID: <1470676296.2540.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Ifconfig should be able to read firmware files (i.e. some network cards need to load their firmware) and it should also be able to load kernel modules. Signed-off-by: Guido Trentalancia --- policy/modules/system/sysnetwork.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200 +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-08 18:29:45.342636241 +0200 @@ -261,7 +261,7 @@ optional_policy(` # Ifconfig local policy # -allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config }; +allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_module sys_tty_config }; allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; @@ -305,6 +305,8 @@ domain_use_interactive_fds(ifconfig_t) files_read_etc_files(ifconfig_t) files_read_etc_runtime_files(ifconfig_t) +files_read_firmware_files(ifconfig_t) + fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t)
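Review bot: The first hunk's `allow ifconfig_t self:capability` line adds `sys_module` unconditionally, and the commit message does not say which case needs ifconfig itself to hold that capability. `sys_module` lets the domain insert and remove kernel modules, a much larger grant than the network capabilities already listed, and `ifconfig_t` already carries `sys_admin`. Please include the AVC denial that prompted the change. If the denial comes from the kernel auto-loading a driver when an interface is configured, `kernel_request_load_module(ifconfig_t)` would cover that without giving the domain `sys_module`.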
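Review bot: The second hunk's `files_read_firmware_files(ifconfig_t)` call relies on an interface that this patch does not define. The diffstat shows only `sysnetwork.te` changed, so the interface has to exist in the files module already or the policy will not build; please confirm that, or add the interface in the same series. The commit message gives "some network cards need to load their firmware" as the reason but not the denial showing the read being attempted in `ifconfig_t` rather than in the kernel or udev domain, so quoting that AVC would help justify the access.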