From 978245dc94680ac0cf55d11f37e2d788bc68bc1a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 19 Dec 2022 14:31:15 +0100
Subject: [PATCH] Allow systemd-rfkill the bpf capability
|
|
|
|
Linux Socket Filtering (LSF) is derived from the Berkeley Packet Filter
and uses the same mechanism to allow a user-space program to attach a
filter onto any socket and allow or disallow certain types of data to
come through the socket.
The systemd-rfkill service wants to listen only to related udev events,
so it needs to set a filter for which the bpf capability is required.
|
|
|
|
Addresses the following USER_AVC denial:
type=AVC msg=audit(1669160827.102:10): avc: denied { bpf } for pid=954 comm="systemd-rfkill" capability=39 scontext=system_u:system_r:systemd_rfkill_t:s0 tcontext=system_u:system_r:systemd_rfkill_t:s0 tclass=capability2 permissive=0
|
|
|
|
Resolves: rhbz#2149390
---
policy/modules/system/systemd.te | 1 +
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
|
|
index 77187a80e4..10b1b2d9b2 100644
|
|
--- a/policy/modules/system/systemd.te
|
|
+++ b/policy/modules/system/systemd.te
|
|
@@ -947,6 +947,7 @@ tunable_policy(`systemd_socket_proxyd_connect_any',`
|
|
#
|
|
|
|
allow systemd_rfkill_t self:capability { net_admin sys_admin};
|
|
+allow systemd_rfkill_t self:capability2 bpf;
|
|
allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t)
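Review bot: The new `allow systemd_rfkill_t self:capability2 bpf;` grants the whole CAP_BPF capability without a comment tying it to the narrow need stated in the message (a filter on the udev event socket), so a later audit of the domain cannot tell whether the grant is still justified; a one-line comment above it such as `# CAP_BPF: socket filter for udev monitor, rhbz#2149390` would fix that. If the filter is installed through the bpf() syscall rather than a classic SO_ATTACH_FILTER, denials on the `bpf` object class (prog_load, prog_run) may follow this one, so the service start-up is worth re-checking for further AVCs after the change; this is inferred from the description, not visible in the hunk. The systemd_rfkill_t policy block continues past the end of the hunk.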
|