Carbon Black Cloud: How to allow BPF event collection on SELinux

Carbon Black Cloud: How to allow BPF event collection on SELinux

Environment

  • Carbon Black Cloud for Linux sensor 2.10.x 
  • Oracle 7 UEK with 5.4 kernel extensions

Objective

How to allow BPF event collection on SELinux, as some Linux distributions with SELinux may have a default policy that blocks services making BPF calls. 

Detecting SELinux denials

Typically an entry in a /var/log/messages file (any file /var/log/messages-<numbers>) on Enterprise Linux distros like Oracle, CentOS and RedHat will contain a message about denying the BPF from working.
setroubleshoot: SELinux is preventing event_collector from map_create access

Detailed Denial Explanation
ausearch -c 'event_collector' --raw  | audit2allow --why

Resolution

Mitigation Steps

Generate Policy
ausearch -c 'event_collector' --raw  | audit2allow -M cbagent

Modify Generated Policy
Program allow2audit is not smart enough to allow other bpf operations. Edit generated file cbagent.te to look more like the following:
module cbagent 1.0;
require {
        type unconfined_service_t;
        class bpf { map_create map_read map_write prog_load prog_run };
}
#============= unconfined_service_t ==============
allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };
Note that lines referencing the bpf class are also allowing other bpf operations like map_read and map_write.

Check Loading of Policy and Generate Module
Ensure your edits work by running:
checkmodule -M -m -o cbagent.mod cbagent.te

Create Selinux Policy Module Package
semodule_package -o cbagent.pp -m cbagent.mod

Insert Policy
semodule -i cbagent.pp
Restarting cbagentd should now allow BPF based event collection:
systemctl restart cbagentd




 

Related Content


Was this article helpful? Yes No
100% helpful (1/1)
Article Information
Author:
Creation Date:
‎12-21-2020
Views:
835
Contributors