From: guido@trentalancia.net (Guido Trentalancia) Date: Sun, 14 Aug 2016 20:29:05 +0200 Subject: [refpolicy] [PATCH v4] Ifconfig should be able to read firmware files In-Reply-To: <1326307832.942736.1471125859717.JavaMail.open-xchange@popper02.register.it> References: <1470676296.2540.1.camel@trentalancia.net> <83b01d15-48f4-0d32-27de-9881c49e402b@gmail.com> <1470687673.2643.3.camel@trentalancia.net> <1326307832.942736.1471125859717.JavaMail.open-xchange@popper02.register.it> Message-ID: <1471199345.27146.9.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Ifconfig should be able to read firmware files in /lib (i.e. some network cards need to load their firmware) and it should not audit attempts to load kernel modules directly. Signed-off-by: Guido Trentalancia --- policy/modules/system/sysnetwork.te | 3 +++ 1 file changed, 3 insertions(+) --- refpolicy-git-06082016-orig/policy/modules/system/sysnetwork.te 2016-08-06 21:26:43.309774442 +0200 +++ refpolicy-git-06082016/policy/modules/system/sysnetwork.te 2016-08-14 20:17:19.170766644 +0200 @@ -262,6 +269,7 @@ optional_policy(` # allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config }; +dontaudit ifconfig_t self:capability sys_module; allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow ifconfig_t self:fd use; allow ifconfig_t self:fifo_file rw_fifo_file_perms; @@ -308,6 +316,8 @@ files_read_etc_runtime_files(ifconfig_t) fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) +libs_read_lib_files(ifconfig_t) + selinux_dontaudit_getattr_fs(ifconfig_t) term_dontaudit_use_console(ifconfig_t)
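Review bot: the first hunk header `@@ -262,6 +269,7 @@` does not agree with the diffstat: the new side already starts seven lines later than the old side before this hunk, yet the stat reports only `3 insertions(+)` for the whole file, so the diff was taken against a working tree carrying other local changes and may not apply at these offsets; please regenerate it from a clean refpolicy checkout. On the rule itself, `dontaudit ifconfig_t self:capability sys_module;` is the right choice over an allow, since ifconfig has no business inserting modules itself, but refpolicy style is to put a short comment above such a dontaudit saying what provokes the denial (the commit message only says "attempts to load kernel modules directly"; name the ifconfig operation that makes the kernel check CAP_SYS_MODULE), otherwise the rule is liable to be removed later as unexplained noise.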
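Review bot: `libs_read_lib_files(ifconfig_t)` in the second hunk grants read access to every lib_t file, which is considerably wider than the firmware files the commit message describes, and firmware for a network card is normally requested and read by the kernel's firmware loader, not by the ifconfig process, so it is not clear from the message which denial this fixes. Please quote the AVC denial (path and target type) in the commit message: if the denied file is not labelled lib_t this interface will not help, and if it is, the message should say why the whole lib_t type rather than a narrower target is acceptable. The header `@@ -308,6 +316,8 @@` carries the same stray seven-line offset as the first hunk and needs the same regeneration against a clean tree.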