
Carbon Black Cloud: How to allow BPF event collection on SELinux

Environment

  • Carbon Black Cloud for Linux sensor 2.10.x 
  • Oracle 7 UEK with 5.4 kernel extensions

Objective

How to allow BPF event collection on SELinux. Some Linux distributions ship a default SELinux policy that blocks services from making BPF calls, which prevents the sensor's event collector from loading its BPF programs and maps.

Detecting SELinux denials

On Enterprise Linux distributions such as Oracle Linux, CentOS and Red Hat, the denial typically appears in /var/log/messages (or a rotated /var/log/messages-<numbers> file) as a message like the following:
setroubleshoot: SELinux is preventing event_collector from map_create access

Detailed Denial Explanation
ausearch -c 'event_collector' --raw  | audit2allow --why

Resolution

Mitigation Steps

Generate Policy
ausearch -c 'event_collector' --raw  | audit2allow -M cbagent

Modify Generated Policy
audit2allow only generates a rule for the operation that was actually denied (map_create here); it does not anticipate the other BPF operations the sensor needs. Edit the generated file cbagent.te to look more like the following:
module cbagent 1.0;
require {
        type unconfined_service_t;
        class bpf { map_create map_read map_write prog_load prog_run };
}
#============= unconfined_service_t ==============
allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };
Note that the lines referencing the bpf class also allow the other bpf operations the sensor uses, such as map_read, map_write, prog_load and prog_run.

Check Loading of Policy and Generate Module
Ensure your edits work by running:
checkmodule -M -m -o cbagent.mod cbagent.te

Create Selinux Policy Module Package
semodule_package -o cbagent.pp -m cbagent.mod

Insert Policy
semodule -i cbagent.pp
Restarting cbagentd should now allow BPF based event collection:
systemctl restart cbagentd
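The detection check and the mitigation steps above, collected into one script as an added example. This is not the article's or Carbon Black's own script; it assumes the module name cbagent and the unconfined_service_t domain from the article, and the log line it is checked against is constructed from the setroubleshoot message quoted above. Run it as "sh cbagent-bpf.sh detect" to look for the denial in /var/log/messages, or as "sh cbagent-bpf.sh install" (as root, on the affected host) to write, verify, build and load the policy module.

```shell
#!/bin/sh
# Added example, not the article's or Carbon Black's own script. It walks the
# article's steps end to end. Assumptions: module name "cbagent" and the
# unconfined_service_t domain, both taken from the article.
set -e

MODULE="${MODULE:-cbagent}"
PERMS="map_create map_read map_write prog_load prog_run"

# Detection: does a /var/log/messages-style file contain the setroubleshoot
# denial for the sensor's event_collector? Returns 0 if it does.
bpf_denial_logged() {
  grep -q 'SELinux is preventing event_collector from [a-z_]* access' "$1"
}

# Show why the call was denied (same command as the article).
explain_denial() {
  ausearch -c 'event_collector' --raw | audit2allow --why
}

# Write the hand-edited policy source. "audit2allow -M" would only emit the
# single denied permission (map_create); this grants the full set at once.
write_te() {
  cat > "$1" <<EOF
module $MODULE 1.0;

require {
        type unconfined_service_t;
        class bpf { $PERMS };
}

#============= unconfined_service_t ==============
allow unconfined_service_t self:bpf { $PERMS };
EOF
}

# Guard against a half-edited .te: every needed bpf permission must appear in
# the allow rule. Returns 0 only if all of them are present.
te_has_bpf_perms() {
  granted=$(grep '^allow unconfined_service_t self:bpf ' "$1" | tr -d '{};')
  for want in $PERMS; do
    case " $granted " in
      *" $want "*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Compile, package, insert and restart, exactly as in the article.
build_and_install() {
  checkmodule -M -m -o "$MODULE.mod" "$MODULE.te"
  semodule_package -o "$MODULE.pp" -m "$MODULE.mod"
  semodule -i "$MODULE.pp"
  systemctl restart cbagentd
}

# Post-check: confirm the module is now loaded (first column of semodule -l
# is the module name on both older and newer policycoreutils).
module_loaded() {
  semodule -l | awk -v m="$MODULE" '$1 == m { found = 1 } END { exit !found }'
}

case "${1:-}" in
  detect)
    if bpf_denial_logged "${2:-/var/log/messages}"; then
      echo "BPF denial for event_collector found; run 'explain' or 'install'"
    else
      echo "no event_collector BPF denial logged"
    fi
    ;;
  explain)
    explain_denial
    ;;
  install)
    write_te "$MODULE.te"
    te_has_bpf_perms "$MODULE.te"
    build_and_install
    module_loaded && echo "$MODULE loaded; BPF event collection should now work"
    ;;
esac
```

The .te is regenerated from $PERMS rather than patched, so te_has_bpf_perms catches the case where someone later trims the allow rule back to map_create alone; build_and_install is only reached once that check passes.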

Article Information
Creation Date: 12-21-2020