From 3578a24d63f5901469482950f40bcb757d695baf Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 2 Aug 2022 16:42:58 +0200
Subject: [PATCH] Allow sysadm_t to run bpftool on the userdomain attribute

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3578a24d63f5901469482950f40bcb757d695baf
Conflict: NA

Addresses the following AVC denial:
type=PROCTITLE msg=audit(08/02/2022 11:36:12.251:13079) : proctitle=perf record -o /dev/null echo test
type=SYSCALL msg=audit(08/02/2022 11:36:12.251:13079) : arch=x86_64 syscall=bpf success=no exit=EACCES(Permission denied) a0=BPF_PROG_GET_FD_BY_ID a1=0x7ffda3e17100 a2=0x90 a3=0x55bd94ea10a0 items=0 ppid=291258 pid=291259 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts2 ses=141 comm=perf exe=/usr/bin/perf subj=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(08/02/2022 11:36:12.251:13079) : avc: denied { prog_run } for pid=291259 comm=perf scontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=bpf permissive=0

Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/roles/sysadm.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index d9e11b6..ed1b86f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -109,6 +109,8 @@ userdom_exec_admin_home_files(sysadm_t)
 userdom_manage_admin_files(sysadm_t)
 userdom_manage_admin_dirs(sysadm_t)
 
+userdom_prog_run_bpf_userdomain(sysadm_t)
+
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
 corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
 corenet_tcp_bind_all_rpc_ports(sysadm_t)
-- 
1.8.3.1