From: aranea@aixah.de (Luis Ressel) Date: Sun, 27 Nov 2016 17:41:46 +0100 Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap In-Reply-To: <20161127164146.3773-1-aranea@aixah.de> References: <20161127164146.3773-1-aranea@aixah.de> Message-ID: <20161127164146.3773-2-aranea@aixah.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Since Linux 4.8, kmod seems to require this capability for loading certain modules. For example, trying to load my graphics driver i915 without this permission fails with the dmesg error message [drm:ffffffff81497d70] *ERROR* Cannot mount pseudo fs: -1 [drm:ffffffff81497d92] *ERROR* Cannot allocate anonymous inode: -1 i915 0000:00:02.0: [drm:i915_driver_load] allocation failed i915: probe of 0000:00:02.0 failed with error -1 --- policy/modules/system/modutils.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te index afe11af..104a72d 100644 --- a/policy/modules/system/modutils.te +++ b/policy/modules/system/modutils.te @@ -27,7 +27,7 @@ files_pid_file(kmod_var_run_t) # insmod local policy # -allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; +allow kmod_t self:capability { dac_override net_raw sys_admin sys_nice sys_tty_config }; allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal }; allow kmod_t self:udp_socket create_socket_perms; -- 2.10.2
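Review bot: The `sys_admin` added to `allow kmod_t self:capability { ... }` is granted unconditionally to every process in kmod_t, but the commit message only says kmod "seems to require" it and gives one case (i915 on Linux 4.8). sys_admin is one of the broadest capabilities, so the justification should be stronger than dmesg output: quote the AVC denial showing the capability check against kmod_t, so it is clear the failure is this SELinux check and not something else returning -1 (EPERM) on the pseudo fs mount. Please also add a comment above the rule in modutils.te saying which operation needs sys_admin (the dmesg lines point at the drm pseudo fs mount during i915 probe) and from which kernel version, so the permission can be revisited later instead of staying in the set unexplained.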