[refpolicy] [PATCH 3/3] Allow iptables_t to do module_request

Guido Trentalancia guido at trentalancia.com
Wed Sep 5 03:48:44 CDT 2012


On 05/09/2012 02:30, Russell Coker wrote:
> On Wed, 5 Sep 2012, Guido Trentalancia <guido at trentalancia.com> wrote:
>>> +kernel_request_load_module(iptables_t)
>>>
>>>    allow iptables_t self:capability { dac_read_search dac_override
>>> net_admin net_raw }; dontaudit iptables_t self:capability sys_tty_config;
>>>    allow iptables_t self:fifo_file rw_fifo_file_perms;
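Review bot: the new kernel_request_load_module(iptables_t) call carries no justification in the hunk: nothing in the diff or its surrounding context says which module iptables_t is asking the kernel to autoload, so a reviewer cannot tell whether a blanket module_request grant is warranted or whether the trigger is something that should be handled more narrowly (or dontaudited). Please record the observed AVC denial, in particular its kmod= value and the iptables invocation that produced it, in the commit message. Separately, in the context lines the "dontaudit iptables_t self:capability sys_tty_config;" statement appears on the same line as the end of the "allow iptables_t self:capability { ... net_raw };" rule; that looks like quoting or line-wrap damage rather than the file's layout, but it is worth confirming the applied hunk keeps the two rules on separate lines.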
>>
>> Is this for IPv6? It was not recommended in NSA security guidelines.
>> Has this now been changed? If not, then perhaps it can be enclosed in
>> tunable policy?
>
> No, it happened on systems that didn't use any ip6tables commands.

So, what is the module that it needs to load?

Guido
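The question above (which module iptables_t is asking the kernel to load) is answered by the kmod= field that the kernel puts in a module_request AVC denial. As an added example that is not part of this thread or of refpolicy, the following Python parses such denials out of audit log lines and groups the requested modules by source domain, so the answer can be read off before deciding between a full kernel_request_load_module() grant and something narrower. The audit lines are constructed for illustration, and the kmod values in them are placeholders, not what was seen on the systems discussed here.

```python
import re
from collections import defaultdict

# Constructed sample audit lines (not from the thread). The kmod values are
# placeholders chosen to illustrate parsing; they are not the module that
# triggered the denial on the systems discussed in the thread.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1346834924.123:456): avc:  denied  { module_request } for  pid=1234 comm="iptables" kmod="ipt_REJECT" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1346834925.456:457): avc:  denied  { module_request } for  pid=1235 comm="iptables" kmod="xt_state" scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1346834926.789:458): avc:  denied  { net_admin } for  pid=1236 comm="iptables" capability=12 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:system_r:iptables_t:s0 tclass=capability
type=AVC msg=audit(1346834927.012:459): avc:  denied  { module_request } for  pid=999 comm="modprobe" kmod="net-pf-10" scontext=system_u:system_r:insmod_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
"""

# "avc:  denied  { perm perm } for  key=value ..." as written by the kernel.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value tokens; values are either double-quoted (comm, kmod) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict of the AVC fields in one audit line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, _whole, quoted, bare in KV_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted != "" or _whole.startswith('"') else bare
    return rec


def source_domain(context):
    """SELinux contexts are user:role:type[:range]; the domain is the type field."""
    return context.split(":")[2]


def module_requests(log_text):
    """Map each source domain to the set of (comm, kmod) pairs for which a
    module_request on the kernel (tclass=system) was denied."""
    requests = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or "module_request" not in rec["perms"]:
            continue
        if rec.get("tclass") != "system":
            continue
        requests[source_domain(rec["scontext"])].add((rec.get("comm", "?"), rec.get("kmod", "?")))
    return dict(requests)


def describe_kmod(kmod):
    """Explain the kmod alias. net-pf-N is the autoload alias for socket protocol
    family N (net-pf-10 is PF_INET6), i.e. the request came from opening a socket
    of that family rather than from naming a module explicitly."""
    if kmod.startswith("net-pf-"):
        family = int(kmod.split("-")[2])
        return "socket protocol family %d%s" % (family, " (PF_INET6)" if family == 10 else "")
    return "explicit module name"


if __name__ == "__main__":
    for domain, pairs in sorted(module_requests(SAMPLE_AUDIT_LOG).items()):
        for comm, kmod in sorted(pairs):
            print("%s: %s requested %s [%s]" % (domain, comm, kmod, describe_kmod(kmod)))
```

On a real system the same lines come from `ausearch -m AVC` (or /var/log/audit/audit.log); the kmod= value is what decides whether the request is an IPv6 socket-family autoload (net-pf-10) or a specific netfilter match/target module, which is the distinction the IPv6 question above turns on.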

