From: aranea@aixah.de (Luis Ressel)
Date: Sun, 27 Nov 2016 22:55:43 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the sys_admin cap
In-Reply-To: <20161127222218.1ae86825@gentp.lnet>
References: <20161127164146.3773-1-aranea@aixah.de> <20161127164146.3773-2-aranea@aixah.de> <1480278785.620.4.camel@trentalancia.net> <20161127222218.1ae86825@gentp.lnet>
Message-ID: <20161127225543.49cc6698@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

By the way, I just had a quick look at the relevant kernel code. Those error messages are printed by drivers/gpu/drm/drm_drv.c:drm_dev_init(). I assume one of the security_sb_... calls in fs/super.c:mount_fs() checks for CAP_SYS_ADMIN and subsequently returns -EPERM.

I haven't noticed any relevant differences between my kernel and vanilla 4.8. They might be hidden in one of the aforementioned security_sb_... functions, though.

--
Regards,
Luis Ressel