setroubleshoot: SELinux is preventing event_collector from map_create access
ausearch -c 'event_collector' --raw | audit2allow --why
ausearch -c 'event_collector' --raw | audit2allow -M cbagent
module cbagent 1.0;

require {
	type unconfined_service_t;
	class bpf { map_create map_read map_write prog_load prog_run };
}

#============= unconfined_service_t ==============
allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };

Note that lines referencing the bpf class are also allowing other bpf operations like map_read and map_write.
checkmodule -M -m -o cbagent.mod cbagent.te
semodule_package -o cbagent.pp -m cbagent.mod
semodule -i cbagent.pp

Restarting cbagentd should now allow BPF based event collection:
systemctl restart cbagentd
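
A review gate that could run on cbagent.te after the audit2allow step and before semodule -i, as an added example that is not Carbon Black's own tooling: it confirms the generated module contains only the self:bpf allow rule shown above. The function names check_te and write_sample_te are hypothetical, and the sample module is constructed from the text of this page.

```shell
#!/bin/sh
# Added example: review gate for an audit2allow-generated .te file.
# Expected values are copied from the cbagent module shown on this page.
EXPECTED_SRC="unconfined_service_t"
EXPECTED_CLASS="bpf"
EXPECTED_PERMS="map_create map_read map_write prog_load prog_run"

# check_te FILE: succeed only if every allow rule has the expected source,
# targets self:bpf, and uses permissions from EXPECTED_PERMS.
# Assumes one rule per line, which is how audit2allow writes them.
check_te() {
    awk -v src="$EXPECTED_SRC" -v cls="$EXPECTED_CLASS" -v ok="$EXPECTED_PERMS" '
    BEGIN { n = split(ok, p, " "); for (i = 1; i <= n; i++) allowed[p[i]] = 1 }
    /^[ \t]*#/ { next }                      # skip comment banners
    $1 == "allow" {
        rules++
        line = $0
        gsub(/[{};]/, " ", line)             # drop braces and terminator
        m = split(line, f, " ")
        # f[1]=allow f[2]=source f[3]=target:class f[4..m]=permissions
        if (f[2] != src || f[3] != ("self:" cls)) {
            print "unexpected rule: " $0; bad = 1; next
        }
        for (i = 4; i <= m; i++)
            if (!(f[i] in allowed)) { print "unexpected permission " f[i]; bad = 1 }
    }
    END {
        if (rules == 0) { print "no allow rules found"; bad = 1 }
        exit bad + 0
    }
    ' "$1"
}

# write_sample_te FILE: constructed sample input, the module from this page.
write_sample_te() {
    cat > "$1" <<'EOF'
module cbagent 1.0;
require {
	type unconfined_service_t;
	class bpf { map_create map_read map_write prog_load prog_run };
}
#============= unconfined_service_t ==============
allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };
EOF
}

demo_dir=$(mktemp -d)
write_sample_te "$demo_dir/cbagent.te"
check_te "$demo_dir/cbagent.te" && echo "cbagent.te: only the expected bpf rule"
rm -rf "$demo_dir"
```

A non-zero exit means the module grants something other than the rule shown on this page, and the printed line shows which rule to inspect before loading it.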
Copyright © 2005-2023 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries.