Add module_load permission to can_load_kernmodule

The "module_load" permission has been recently added to the "system"
class (kernel 4.7).

The following patch updates the Reference Policy so that the new
permission is allowed when a kernel module should be loaded.

To preserve the module encapsulation, a new interface is defined
in the kernel files module and that interface is then used in the
kernel module.

A short note is added about unneeded permissions that set the
kernel scheduling parameters (might lead to service disruption).

Signed-off-by: Guido Trentalancia <guido@trentalancia.net>

policy/modules/kernel/files.if

@@ -4156,6 +4156,25 @@ interface(`files_kernel_modules_filetrans',`
 	filetrans_pattern($1, modules_object_t, $2, $3, $4)
 ')
 
+########################################
+## <summary>
+##	Load kernel module files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_load_kernel_modules',`
+	gen_require(`
+		type modules_object_t;
+	')
+
+	files_read_kernel_modules($1)
+	allow $1 modules_object_t:system module_load;
+')
+
 ########################################
 ## <summary>
 ##	List world-readable directories.

policy/modules/kernel/kernel.te

@@ -429,8 +429,12 @@ optional_policy(`
 if( ! secure_mode_insmod ) {
 	allow can_load_kernmodule self:capability sys_module;
 
+	files_load_kernel_modules(can_load_kernmodule)
+
 	# load_module() calls stop_machine() which
 	# calls sched_setscheduler()
+	# gt: there seems to be no trace of the above, at
+	# least in kernel versions greater than 2.6.37...
 	allow can_load_kernmodule self:capability sys_nice;
 	kernel_setsched(can_load_kernmodule)
 }