fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow conntrackd_t to use bpf capability2 #2008

Closed JurajMarcin closed 7 months ago

JurajMarcin commented 7 months ago

When conntrackd filters packets using a kernelspace filter, it needs the capability to do so efficiently.

Addresses the following AVC denials:

type=AVC msg=audit(01/22/2024 12:46:49.999:248) : avc: denied { bpf } for pid=1927 comm=conntrackd capability=bpf scontext=system_u:system_r:conntrackd_t:s0 tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability2 permissive=0

Resolves: RHEL-22277
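The denial above is the whole evidence for the rule this PR needs, so it is worth seeing how such a record is turned into a policy statement and why the class is `capability2` rather than `capability`: SELinux splits Linux capabilities across two object classes, `capability` for CAP_* numbers 0 to 31 and `capability2` for 32 and up, and CAP_BPF is number 39. The script below is an added example, not code from the selinux-policy repository and not the diff of this PR (which the page does not show). It does the part of audit2allow's job that matters here: parse AVC records, collapse the source/target pair to `self` when the contexts match, refuse to emit a capability permission in the wrong class (checkpolicy would reject `self:capability bpf`), and merge several denials for the same source, target and class into one rule. The first sample record is the one quoted in the PR description; the two `file` denials are constructed to show the non-self and merging cases and are not from the page.

```python
"""Turn AVC denial records into SELinux allow rules (audit2allow-style).

Added example; not code from fedora-selinux/selinux-policy.
"""
import re

# Permission names of object class capability2 (CAP_MAC_OVERRIDE ..
# CAP_CHECKPOINT_RESTORE, capability numbers 32-40). Every other Linux
# capability (0-31) is a permission of class `capability`.
CAPABILITY2_PERMS = {
    "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend",
    "audit_read", "perfmon", "bpf", "checkpoint_restore",
}

# Sample input. SAMPLE_AVC[0] is the record from the PR description; the other
# two are constructed for this example (hypothetical etc_t file denials).
SAMPLE_AVC = [
    "type=AVC msg=audit(01/22/2024 12:46:49.999:248) : avc: denied { bpf } for "
    "pid=1927 comm=conntrackd capability=bpf "
    "scontext=system_u:system_r:conntrackd_t:s0 "
    "tcontext=system_u:system_r:conntrackd_t:s0 tclass=capability2 permissive=0",
    "type=AVC msg=audit(01/22/2024 12:46:50.001:249) : avc: denied { read } for "
    "pid=1927 comm=conntrackd name=conntrackd.conf dev=\"vda1\" ino=4242 "
    "scontext=system_u:system_r:conntrackd_t:s0 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0",
    "type=AVC msg=audit(01/22/2024 12:46:50.002:250) : avc: denied { open } for "
    "pid=1927 comm=conntrackd path=\"/etc/conntrackd/conntrackd.conf\" "
    "scontext=system_u:system_r:conntrackd_t:s0 "
    "tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0",
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Extract permissions, source/target types, class and permissive flag."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record: %r" % line)
    cap = re.search(r"\bcapability=(\S+)", line)
    return {
        "perms": m.group("perms").split(),
        # A context is user:role:type[:range]; the type is the third field.
        "stype": m.group("scon").split(":")[2],
        "ttype": m.group("tcon").split(":")[2],
        "tclass": m.group("tclass"),
        "capability": cap.group(1) if cap else None,
        "permissive": m.group("permissive") == "1",
    }


def capability_class_for(perm):
    """Object class in which a capability permission name is defined."""
    return "capability2" if perm in CAPABILITY2_PERMS else "capability"


def check_capability_class(denial):
    """Return None if the record is consistent, else a message saying which
    permission would land in the wrong class if written as-is."""
    if denial["tclass"] not in ("capability", "capability2"):
        return None
    for perm in denial["perms"]:
        want = capability_class_for(perm)
        if want != denial["tclass"]:
            return "%s is a permission of class %s, not %s" % (
                perm, want, denial["tclass"])
    return None


def allow_rules(lines):
    """Produce one allow rule per (source type, target, class), merging perms."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        problem = check_capability_class(d)
        if problem:
            raise ValueError(problem)
        target = "self" if d["stype"] == d["ttype"] else d["ttype"]
        perms = merged.setdefault((d["stype"], target, d["tclass"]), [])
        for perm in d["perms"]:
            if perm not in perms:
                perms.append(perm)
    rules = []
    for (src, tgt, cls), perms in merged.items():
        perm_txt = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, perm_txt))
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```

The first rule it prints for the PR's record is `allow conntrackd_t self:capability2 bpf;`. Once a policy carrying the fix is installed, the same fact can be confirmed against the loaded policy with setools: `sesearch -A -s conntrackd_t -t conntrackd_t -c capability2 -p bpf` should list the rule, and a second run of conntrackd with its kernelspace filter should leave no `capability2` denial in the audit log.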

zpytela commented 7 months ago

LGTM