Merge pull request #1090 from sasikuma-qti/main

pebenito · web-flow · commit 438b1de988a2 · 2026-02-27T10:02:37.000-05:00
kmod: add net_admin capability to kmod_t
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
@@ -33,7 +33,7 @@ ifdef(`init_systemd',`
 # insmod local policy
 #
 
-allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
+allow kmod_t self:capability { dac_override dac_read_search net_raw net_admin sys_nice sys_tty_config };
 allow kmod_t self:process { execmem sigchld sigkill signal signull sigstop };
 # for the radeon/amdgpu modules
 dontaudit kmod_t self:capability sys_admin;
diff --git a/testing/sechecker.ini b/testing/sechecker.ini
@@ -273,6 +273,7 @@ exempt_source = arpwatch_t
                 iscsid_t
                 kernel_t
                 kismet_t
+                kmod_t         # See https://lore.kernel.org/selinux/c247a57d-b4a9-4c77-9334-c338e5457a48@oss.qualcomm.com/
                 krb5kdc_t
                 kubeadm_t
                 kubelet_t

Original file line number	Diff line number	Diff line change
@@ -33,7 +33,7 @@ ifdef(`init_systemd',`
`33`	`33`	`# insmod local policy`
`34`	`34`	`#`
`35`	`35`
`36`		`-allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };`
	`36`	`+allow kmod_t self:capability { dac_override dac_read_search net_raw net_admin sys_nice sys_tty_config };`
`37`	`37`	`allow kmod_t self:process { execmem sigchld sigkill signal signull sigstop };`
`38`	`38`	`# for the radeon/amdgpu modules`
`39`	`39`	`dontaudit kmod_t self:capability sys_admin;`