From 3578a24d63f5901469482950f40bcb757d695baf Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 2 Aug 2022 16:42:58 +0200
Subject: [PATCH] Allow sysadm_t to run bpftool on the userdomain attribute

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3578a24d63f5901469482950f40bcb757d695baf
Conflict: NA
Addresses the following AVC denial:
type=PROCTITLE msg=audit(08/02/2022 11:36:12.251:13079) : proctitle=perf record -o /dev/null echo test
type=SYSCALL msg=audit(08/02/2022 11:36:12.251:13079) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_GET_FD_BY_ID a1=0x7ffda3e17100 a2=0x90 a3=0x55bd94ea10a0 items=0 ppid=291258 pid=291259 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=141 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2022 11:36:12.251:13079) : avc: denied { prog_run } for pid=291259 comm=perf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=bpf permissive=0
Signed-off-by: lujie54
---
 policy/modules/roles/sysadm.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index d9e11b6..ed1b86f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -109,6 +109,8 @@ userdom_exec_admin_home_files(sysadm_t)
 userdom_manage_admin_files(sysadm_t)
 userdom_manage_admin_dirs(sysadm_t)
 
+userdom_prog_run_bpf_userdomain(sysadm_t)
+
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
 corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
 corenet_tcp_bind_all_rpc_ports(sysadm_t)
-- 
1.8.3.1
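Review bot: The added `userdom_prog_run_bpf_userdomain(sysadm_t)` call grants bpf prog_run against every domain carrying the userdomain attribute, which is wider than the single unconfined_t target in the quoted AVC, and nothing in sysadm.te records that scope; a one-line comment above the call, `# bpf prog_run on all userdomain types: lets perf/bpftool in sysadm_t attach to programs owned by any user domain, not only unconfined_t`, would make the intent reviewable later. This patch only touches sysadm.te, so it presumes the interface already exists in this tree's userdomain.if; since the description marks this as a backport ("Conflict: NA"), confirm the interface is defined here, otherwise the policy build will fail on an undefined interface. The subject mentions bpftool while the denial shown comes from `comm=perf`; naming both in the subject or body would avoid confusion when the AVC is searched for later. The Reference URL in the description also reads `gitbub.com` rather than github.com.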