From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 27 Nov 2016 21:33:05 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap
In-Reply-To: <20161127164146.3773-2-aranea@aixah.de>
References: <20161127164146.3773-1-aranea@aixah.de> <20161127164146.3773-2-aranea@aixah.de>
Message-ID: <1480278785.620.4.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

I have the same graphic card and I am not experiencing this problem with kernel 4.8.8...

Strange, are you using vanilla kernels?

On Sun, 27/11/2016 at 17.41 +0100, Luis Ressel via refpolicy wrote:
> Since Linux 4.8, kmod seems to require this capability for loading
> certain modules. For example, trying to load my graphics driver i915
> without this permission fails with the dmesg error message
>
> [drm:ffffffff81497d70] *ERROR* Cannot mount pseudo fs: -1
> [drm:ffffffff81497d92] *ERROR* Cannot allocate anonymous inode: -1
> i915 0000:00:02.0: [drm:i915_driver_load] allocation failed
> i915: probe of 0000:00:02.0 failed with error -1
> ---
> ?policy/modules/system/modutils.te | 2 +-
> ?1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/modutils.te
> b/policy/modules/system/modutils.te
> index afe11af..104a72d 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -27,7 +27,7 @@ files_pid_file(kmod_var_run_t)
> ?# insmod local policy
> ?#
> ?
> -allow kmod_t self:capability { dac_override net_raw sys_nice
> sys_tty_config };
> +allow kmod_t self:capability { dac_override net_raw sys_admin
> sys_nice sys_tty_config };
> ?allow kmod_t self:process { execmem sigchld sigkill sigstop signull
> signal };
> ?
> ?allow kmod_t self:udp_socket create_socket_perms;

Regards,

Guido
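Review bot: the sys_admin added to the "allow kmod_t self:capability" rule is a very broad capability, and the hunk carries no comment saying why kmod_t needs it. The commit message only says kmod "seems to require" it since Linux 4.8 and cites dmesg output ("Cannot mount pseudo fs: -1") rather than the AVC denial itself, and the reply reports no failure on 4.8.8 with the same card. Suggest quoting the actual capability denial in the commit message and adding a comment above the rule that names the kernel version and the module-load step (the pseudo fs mount during i915 load) that triggers the check, so the grant can be revisited if that requirement goes away.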