[refpolicy] [PATCH 3/3] Allow iptables_t to do module_request

Laurent Bigonville bigon at debian.org
Wed Sep 5 04:23:53 CDT 2012


On Wed, 05 Sep 2012 10:48:44 +0200,
Guido Trentalancia <guido at trentalancia.com> wrote:

> On 05/09/2012 02:30, Russell Coker wrote:
> > On Wed, 5 Sep 2012, Guido Trentalancia <guido at trentalancia.com>
> > wrote:
> >>> +kernel_request_load_module(iptables_t)
> >>>
> >>>    allow iptables_t self:capability { dac_read_search dac_override
> >>> net_admin net_raw }; dontaudit iptables_t self:capability
> >>> sys_tty_config; allow iptables_t self:fifo_file
> >>> rw_fifo_file_perms;
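Review bot: the added `kernel_request_load_module(iptables_t)` line needs a justification in the commit message (which module is requested and under what command), since the thread shows reviewers could not tell whether it was IPv6-related; the follow-up answer (`iptables -vL` pulling in iptable_filter, ip_tables and x_tables) is exactly what belongs there. Before merging, also check whether iptables.te already carries the same call further down the file, as the reply below reports for git master, in which case this hunk is a duplicate and should be dropped. Finally, the quoted context lines have been re-wrapped by the mail client so that the `allow`, `dontaudit` and second `allow` statements run together on three lines; anyone applying from this quote should take the hunk from the original patch mail rather than this copy.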
> >>
> >> Is this for IPv6 ? It was not recommended in NSA security
> >> guidelines. Has this now been changed ? If not, then perhaps it
> >> can be enclosed in tunable policy ?
> >
> > No, it happened on systems that didn't use any ip6tables commands.
> 
> So, what is the module that it needs to load ?

On my debian machine, running "iptables -vL" is automatically loading
iptable_filter, ip_tables, x_tables.

But anyway, it seems that the iptables.te file on git master already
contains that line (from 2009) a bit later in the code, so I guess
that patch can just be dropped.

Sorry for the noise,

Cheers

Laurent Bigonville

