commit: b1ab644ac721bca04de70d98abb9aa060e1539e4
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:52:07 2016 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b1ab644a
Ifconfig should be able to read firmware files in /lib (i.e. some network cards
need to load their firmware) and it should not audit attempts to load kernel
modules directly.
Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>
policy/modules/system/sysnetwork.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/sysnetwork.te
b/policy/modules/system/sysnetwork.te
index c67494e..59541ff 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -267,6 +267,7 @@ optional_policy(`
#
allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config
};
+dontaudit ifconfig_t self:capability sys_module;
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execheap execstack };
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
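Review bot: The added `dontaudit ifconfig_t self:capability sys_module;` has no comment saying why the denial is expected. Because it suppresses the AVC record rather than granting anything, any later use of CAP_SYS_MODULE by a process in ifconfig_t is still denied but no longer appears in the audit log. A one-line rationale above the rule would tell responders the silence is deliberate, for example `# capability probe on interface lookup is expected noise; module loading is requested through the kernel (denials visible again after semodule -DB)`; the stated cause there is my inference and should be confirmed. The description also mentions read access to firmware files in /lib, but this commit has a single insertion, so that rule is presumably provided elsewhere (worth confirming, along with a `kernel_request_load_module(ifconfig_t)` call in the module). The ifconfig_t local policy block continues outside the hunk.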