Carbon Black Cloud: How to allow BPF event collection on SELinux
Carbon Black Cloud for Linux sensor 2.10.x
Oracle 7 UEK with 5.4 kernel extensions
How to allow BPF event collection on SELinux, as some Linux distributions with SELinux may have a default policy that blocks services making BPF calls.
Detecting SELinux denials
Typically an entry in a /var/log/messages file (any file /var/log/messages-<numbers>) on Enterprise Linux distros like Oracle, CentOS and RedHat will contain a message about denying the BPF from working.
setroubleshoot: SELinux is preventing event_collector from map_create access