From 6caa443d18ade75ef15d4f629736efbde0a1f1f6 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Sun, 14 Aug 2016 14:52:07 -0400
Subject: [PATCH] Ifconfig should be able to read firmware files in /lib (i.e. some network cards need to load their firmware) and it should not audit attempts to load kernel modules directly.
Signed-off-by: Guido Trentalancia
---
 policy/modules/system/sysnetwork.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 962d2a51e..e6e3cf8f2 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -265,6 +265,7 @@ optional_policy(`
 #
 allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
+dontaudit ifconfig_t self:capability sys_module;
 allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow ifconfig_t self:fd use;
 allow ifconfig_t self:fifo_file rw_fifo_file_perms;
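Review bot: The added `dontaudit ifconfig_t self:capability sys_module;` carries no comment explaining why the denial is silenced. A dontaudit rule keeps the access denied but also drops the AVC record, so any process running in ifconfig_t that tries to use CAP_SYS_MODULE becomes invisible in the audit log unless dontaudit rules are disabled (for example with `semodule -DB`). I would put a line above the rule such as `# ifconfig may try to load a driver module itself; this stays denied and is only hidden from the audit log.` so the trade-off is recorded next to the rule. The commit message also describes read access to firmware files in /lib, but the diffstat shows a single insertion and no such rule appears in this hunk; presumably that part lives in another change, which the description should say.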