From 245ab868b3c2ed9330196f728020c5bdb20b5dff Mon Sep 17 00:00:00 2001
From: Nikola Knazekova
Date: Thu, 27 Oct 2022 14:59:49 +0200
Subject: [PATCH] Allow netutils and traceroute bpf capability to run bpf programs
Resolves: rhbz#2134827
---
 policy/modules/admin/netutils.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c9526d2b92..312b047edc 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -35,6 +35,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 # Perform network administration operations and have raw access to the network.
 allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
 dontaudit netutils_t self:capability { sys_admin sys_tty_config };
+allow netutils_t self:capability2 bpf;
 allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_generic_socket create_socket_perms;
 allow netutils_t self:netlink_rdma_socket create_socket_perms;
@@ -214,6 +215,7 @@ optional_policy(`
 allow traceroute_t self:capability { net_admin net_raw setuid setgid };
 dontaudit traceroute_t self:capability { sys_admin };
+allow traceroute_t self:capability2 bpf;
 allow traceroute_t self:netlink_generic_socket create_socket_perms;
 allow traceroute_t self:netlink_rdma_socket create_socket_perms;
 allow traceroute_t self:rawip_socket create_socket_perms;
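Review bot: The new `allow netutils_t self:capability2 bpf;` sits directly under `dontaudit netutils_t self:capability { sys_admin sys_tty_config };`, so the domain is granted CAP_BPF (which the kernel split out of CAP_SYS_ADMIN) while sys_admin itself stays only silenced; the traceroute_t hunk has the same asymmetry. Neither rule nor the commit message says which program or code path hits the check, so it is worth confirming the tools actually fail without the capability rather than merely logging an AVC; if the denial is only a probe, `dontaudit netutils_t self:capability2 bpf;` (and the traceroute_t equivalent) would keep least privilege. If the grant is required, a comment above each rule such as `# <tool> loads a BPF program for <purpose> (rhbz#2134827)` would record the justification for later audits. Loading and running programs is also gated by the separate `bpf` object class, which these hunks do not touch; rules for it may exist outside the visible context.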