From: aranea@aixah.de (Luis Ressel)
Date: Sun, 27 Nov 2016 23:30:54 +0100
Subject: [refpolicy] [PATCH 2/2] system/modutils: Allow kmod to use the
 sys_admin cap
In-Reply-To: <20161127222218.1ae86825@gentp.lnet>
References: <20161127164146.3773-1-aranea@aixah.de>
	<20161127164146.3773-2-aranea@aixah.de>
	<1480278785.620.4.camel@trentalancia.net>
	<20161127222218.1ae86825@gentp.lnet>
Message-ID: <20161127233054.41f8f921@gentp.lnet>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 27 Nov 2016 22:22:18 +0100
Luis Ressel via refpolicy <refpolicy@oss.tresys.com> wrote:

> Possible explanations in order of descending probability:
> (1) Are you using another kmod version?
> (2) GRSecurity (I think grsec sometimes requires specific capabilities
>     in situations where vanilla doesn't.)
> (3) A difference between 4.8.8 and 4.8.10.

I've checked the (short) list of places where grsec adds
capable(CAP_SYS_ADMIN) requirements. None of them seem to be related to
the pseudo filesystem used by the drm code.

-- 
Luis Ressel