Since I've upgraded to linux-4.8, kmod requires 'allow kmod_t self:capability sys_admin;' to load graphics drivers. I've reproduced this issue with the i915 and radeon modules; it occurs with hardened-sources-4.8.10 as well as with vanilla-sources-4.8.11 (so it's _not_ grsec-related, contrary to earlier assumptions).

Without this permission, the module is loaded, but the screen stays in VGA mode and dmesg reports

[drm:ffffffff81497d70] *ERROR* Cannot mount pseudo fs: -1
[drm:ffffffff81497d92] *ERROR* Cannot allocate anonymous inode: -1

and some additional driver-specific errors.

Apparently, these errors are caused by the drm_fs_inode_new() call in drm_dev_init() (in drivers/gpu/drm/drm_drv.c) returning -EPERM. I've followed the call chain a few levels down, but so far, I haven't found the source of the -EPERM.

By the way, I don't get why this module initialisation code seems to be running in the kmod_t domain. Might this perhaps be the real source of the bug?

Interestingly, both Guido Trentalancia and Nicolas Iooss have been unable to reproduce this problem.

As I've explained on the refpolicy mailing list, this is a kernel bug. A patch can be found at [1]; it will be included in one of the next kernel releases. Since I seem to be the only affected Gentoo user, I'll just close this bug.

[1] http://www.spinics.net/lists/linux-fsdevel/msg105940.html