diff mbox series

[meta-selinux,PATCH/V2] kmod: add net_admin capability to kmod_t

Message ID 20260306062840.3814265-1-sasikuma@qti.qualcomm.com
State New
Headers show
Series [meta-selinux,PATCH/V2] kmod: add net_admin capability to kmod_t | expand

Commit Message

Sasi Kumar Maddineni March 6, 2026, 6:28 a.m. UTC 
The kmod_t domain attempted network administration operations resulting
in SELinux denials.

Adding net_admin to the capability set resolves the
issue.

Signed-off-by: Sasi Kumar Maddineni <sasikuma@qti.qualcomm.com>
---
 ...d-add-net_admin-capability-to-kmod_t.patch | 34 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |  3 +-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 recipes-security/refpolicy/refpolicy/0060-kmod-add-net_admin-capability-to-kmod_t.patch
diff mbox series

Patch

diff --git a/recipes-security/refpolicy/refpolicy/0060-kmod-add-net_admin-capability-to-kmod_t.patch b/recipes-security/refpolicy/refpolicy/0060-kmod-add-net_admin-capability-to-kmod_t.patch
new file mode 100644
index 0000000..ebc0d98
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0060-kmod-add-net_admin-capability-to-kmod_t.patch
@@ -0,0 +1,34 @@ 
+From 89379c0b2430e80d345e6552c8b8b151c12dc24d Mon Sep 17 00:00:00 2001
+From: Sasi Kumar Maddineni <sasikuma@qti.qualcomm.com>
+Date: Thu, 26 Feb 2026 11:46:19 +0530
+Subject: [PATCH] kmod: add net_admin capability to kmod_t
+
+The kmod_t domain attempted network administration operations resulting
+in SELinux denials.
+
+Adding net_admin to the capability set resolves the
+issue.
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/89379c0b2430e80d345e6552c8b8b151c12dc24d]
+
+Signed-off-by: Sasi Kumar Maddineni <sasikuma@qti.qualcomm.com>
+---
+ policy/modules/system/modutils.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
+index 271cdb1d4..7355255e0 100644
+--- a/policy/modules/system/modutils.te
++++ b/policy/modules/system/modutils.te
+@@ -33,7 +33,7 @@ ifdef(`init_systemd',`
+ # insmod local policy
+ #
+ 
+-allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
++allow kmod_t self:capability { dac_override dac_read_search net_raw net_admin sys_nice sys_tty_config };
+ allow kmod_t self:process { execmem sigchld sigkill signal signull sigstop };
+ # for the radeon/amdgpu modules
+ dontaudit kmod_t self:capability sys_admin;
+-- 
+2.43.0
+
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 2e1a929..3bd43cb 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -74,7 +74,8 @@  SRC_URI += " \
         file://0056-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
         file://0057-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
         file://0058-policy-modules-system-logging-make-syslogd_runtime_t.patch \
-        "
+        file://0060-kmod-add-net_admin-capability-to-kmod_t.patch \
+       "
 
 S = "${UNPACKDIR}/refpolicy"