Allow NetworkManager and wpa_supplicant the bpf capability
Linux Socket Filtering (LSF) is derived from the Berkeley Packet Filter and uses the same mechanism to allow a user-space program to attach a filter onto any socket and allow or disallow certain types of data to come through the socket. Both NetworkManager and wpa_supplicant, running in the same domain, want to listen only to related network events, so they need to set a filter for which the bpf capability is required.

Addresses the following AVC denial:

type=PROCTITLE msg=audit(10/23/2022 19:29:47.030:1673) : proctitle=/usr/sbin/wpa_supplicant -c /etc/wpa_supplicant/wpa_supplicant.conf -u -s
type=AVC msg=audit(10/23/2022 19:29:47.030:1673) : avc: denied { bpf } for pid=1637 comm=wpa_supplicant capability=bpf scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=capability2 permissive=0
type=SYSCALL msg=audit(10/23/2022 19:29:47.030:1673) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0xc a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x55f15ed093a0 items=0 ppid=1 pid=1637 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wpa_supplicant exe=/usr/sbin/wpa_supplicant subj=system_u:system_r:NetworkManager_t:s0 key=(null)

Resolves: rhbz#2137085
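As an added example (not part of this commit or of the policy repository), the AVC record quoted above can be parsed to derive the allow rule that would cover the denial, which is useful when reviewing whether a proposed policy change matches what was actually denied. The function names are hypothetical, and the rule printed is derived from the record only; the commit's own policy change is not shown on this page.

```python
import re

# AVC record quoted from the commit message above (ausearch -i format).
AVC = ("type=AVC msg=audit(10/23/2022 19:29:47.030:1673) : avc: denied { bpf } "
       "for pid=1637 comm=wpa_supplicant capability=bpf "
       "scontext=system_u:system_r:NetworkManager_t:s0 "
       "tcontext=system_u:system_r:NetworkManager_t:s0 "
       "tclass=capability2 permissive=0")

DENIAL_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record):
    """Return the denial's fields as a dict, or None if it is not a denial."""
    m = DENIAL_RE.search(record)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    fields["perms"] = m.group(1).split()
    return fields


def selinux_type(context):
    """Extract the type from user:role:type[:level]."""
    return context.split(":")[2]


def to_allow_rule(avc):
    """Build the allow rule that would cover this denial."""
    source = selinux_type(avc["scontext"])
    target = selinux_type(avc["tcontext"])
    if target == source:
        target = "self"  # a domain acting on itself, as with capabilities
    perms = avc["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{avc['tclass']} {perm_text};"


if __name__ == "__main__":
    avc = parse_avc(AVC)
    print(to_allow_rule(avc))
    print("enforced:", avc["permissive"] == "0", "| process:", avc["comm"])
```

Because the rule is keyed on the source type, it applies to every process running as NetworkManager_t, not only to the wpa_supplicant process named in the record.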