From: guido@trentalancia.net (Guido Trentalancia)
Date: Mon, 08 Aug 2016 21:43:08 +0200
Subject: [refpolicy] [PATCH] Ifconfig should be able to read firmware files and load kernel modules
In-Reply-To: <83b01d15-48f4-0d32-27de-9881c49e402b@gmail.com>
References: <1470676296.2540.1.camel@trentalancia.net> <83b01d15-48f4-0d32-27de-9881c49e402b@gmail.com>
Message-ID: <1470685388.5377.1.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Dominick.

On Mon, 08/08/2016 at 19.18 +0200, Dominick Grift wrote:
> On 08/08/2016 07:11 PM, Guido Trentalancia wrote: > > Ifconfig should be able to read firmware files (i.e. some network > > cards need > > to load their firmware) and it should also be able to load kernel > > modules. > > > > Signed-off-by: Guido Trentalancia > > --- > > ?policy/modules/system/sysnetwork.te |????4 +++- > > ?1 file changed, 3 insertions(+), 1 deletion(-) > > > > --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te > > 2016-08-06 21:26:43.309774442 +0200 > > +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te > > 2016-08-08 18:29:45.342636241 +0200 > > @@ -261,7 +261,7 @@ optional_policy(` > > ?# Ifconfig local policy > > ?# > > ? > > -allow ifconfig_t self:capability { net_raw net_admin sys_admin > > sys_tty_config }; > > +allow ifconfig_t self:capability { net_raw net_admin sys_admin > > sys_module sys_tty_config }; > > neverallow ~can_load_kernmodule self:capability sys_module;

Apparently, even using the kernel_load_module() interface, it does not let ifconfig load the modules it needs...

Guido
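
Review bot: the added `sys_module` in the `allow ifconfig_t self:capability { ... }` line is granted directly in the capability set, which the `neverallow ~can_load_kernmodule self:capability sys_module;` rule quoted in the reply forbids for any domain that does not carry the can_load_kernmodule attribute, and nothing in the visible hunk gives ifconfig_t that attribute. Leave the capability set as it was and obtain sys_module through the kernel_load_module() interface named in the reply, so the grant and the attribute travel together. The commit message should also say which cards or drivers need ifconfig itself to load a module, because sys_module on top of the net_admin and sys_admin already in this set is a wide grant to justify with "it should also be able to". The diffstat reports 3 insertions but only this one changed line is quoted here, so the firmware-read rules cannot be checked from this message.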