From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 27 Nov 2016 21:33:05 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the
 sys_admin cap
In-Reply-To: <20161127164146.3773-2-aranea@aixah.de>
References: <20161127164146.3773-1-aranea@aixah.de>
	<20161127164146.3773-2-aranea@aixah.de>
Message-ID: <1480278785.620.4.camel@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello.

I have the same graphic card and I am not experiencing this problem
with kernel 4.8.8...

Strange, are you using vanilla kernels ?

On Sun, 27/11/2016 at 17.41 +0100, Luis Ressel via refpolicy wrote:
> Since Linux 4.8, kmod seems to require this capability for loading
> certain modules. For example, trying to load my graphics driver i915
> without this permission fails with the dmesg error message
> 
> [drm:ffffffff81497d70] *ERROR* Cannot mount pseudo fs: -1
> [drm:ffffffff81497d92] *ERROR* Cannot allocate anonymous inode: -1
> i915 0000:00:02.0: [drm:i915_driver_load] allocation failed
> i915: probe of 0000:00:02.0 failed with error -1
> ---
> ?policy/modules/system/modutils.te | 2 +-
> ?1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policy/modules/system/modutils.te
> b/policy/modules/system/modutils.te
> index afe11af..104a72d 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -27,7 +27,7 @@ files_pid_file(kmod_var_run_t)
> ?# insmod local policy
> ?#
> ?
> -allow kmod_t self:capability { dac_override net_raw sys_nice
> sys_tty_config };
> +allow kmod_t self:capability { dac_override net_raw sys_admin
> sys_nice sys_tty_config };
> ?allow kmod_t self:process { execmem sigchld sigkill sigstop signull
> signal };
> ?
> ?allow kmod_t self:udp_socket create_socket_perms;

Regards,

Guido