Allow systemd-networkd the sys_admin capability
The sys_admin capability on top of bpf is required since systemd commit
6d9ef22acdea ("emit a warning in networkd if managed sysctls are changed"):

    Monitor the sysctl set by networkd for writes, if a sysctl is
    overwritten with a different value than the one we set, emit a warning.
    Writes are detected with an eBPF program attached as BPF_CGROUP_SYSCTL
    which reports the sysctl writes only in net/.
zpytela committed Feb 7, 2025
1 parent 15c02dd commit 1e6221c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion policy/modules/system/systemd.te
Expand Up @@ -601,7 +601,7 @@ optional_policy(`
#

allow systemd_networkd_t self:bpf { map_create map_read map_write prog_load prog_run };
allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap };
allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap sys_admin };
allow systemd_networkd_t self:capability2 bpf;
allow systemd_networkd_t self:process { getcap setcap };

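Review bot: the only change in this hunk is appending `sys_admin` to the existing `allow systemd_networkd_t self:capability { ... }` rule, but nothing in the policy file records why the broadest capability in that set is now granted; the justification lives only in the commit message (the BPF_CGROUP_SYSCTL program introduced by systemd commit 6d9ef22acdea). Since the `self:bpf` and `self:capability2 bpf` rules on the adjacent lines are already in place, consider carrying `sys_admin` in its own rule with a comment above it, e.g. `# Required for the BPF_CGROUP_SYSCTL sysctl-write monitor (systemd 6d9ef22acdea)` followed by `allow systemd_networkd_t self:capability sys_admin;`, so a later audit of systemd_networkd_t can see which grant is tied to that feature and remove it if the monitor is ever dropped.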

0 comments on commit 1e6221c