From 245ab868b3c2ed9330196f728020c5bdb20b5dff Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Thu, 27 Oct 2022 14:59:49 +0200
Subject: [PATCH] Allow netutils and traceroute bpf capability to run bpf
programs
Resolves: rhbz#2134827
---
policy/modules/admin/netutils.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index c9526d2b92..312b047edc 100644
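--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -35,6 +35,7 @@ init_system_domain(traceroute_t, traceroute_exec_t)
 # Perform network administration operations and have raw access to the network.
 allow netutils_t self:capability { chown dac_read_search net_admin net_raw setuid setgid sys_chroot setpcap };
 dontaudit netutils_t self:capability { sys_admin sys_tty_config };
+allow netutils_t self:capability2 bpf;
 allow netutils_t self:process { setcap signal_perms };
 allow netutils_t self:netlink_generic_socket create_socket_perms;
 allow netutils_t self:netlink_rdma_socket create_socket_perms;
@@ -214,6 +215,7 @@ optional_policy(`
 
 allow traceroute_t self:capability { net_admin net_raw setuid setgid };
 dontaudit traceroute_t self:capability { sys_admin };
+allow traceroute_t self:capability2 bpf;
 allow traceroute_t self:netlink_generic_socket create_socket_perms;
 allow traceroute_t self:netlink_rdma_socket create_socket_perms;
 allow traceroute_t self:rawip_socket create_socket_perms;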
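Review bot: Both added rules grant only `self:capability2 bpf`, with no comment naming the tool or the denial that needs it, so a later reader cannot tell whether netutils_t and traceroute_t really load BPF programs or merely trip a CAP_BPF check in the kernel. The subject says "run bpf programs", yet neither hunk shows a rule on the `bpf` class (`prog_load`, `prog_run`), which SELinux checks separately from the capability; such rules may exist outside the hunks. If the reported AVC was only a capability probe that the tools work without, `dontaudit netutils_t self:capability2 bpf;` (and the same for traceroute_t) would keep both domains narrower. Otherwise add a comment above each rule such as `# CAP_BPF is needed by <tool> for <operation>, see rhbz#2134827`.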