From 1e6221cdad83095faff06774c600a308544d64b8 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Fri, 7 Feb 2025 18:40:44 +0100
Subject: [PATCH] Allow systemd-networkd the sys_admin capability

The sys_admin capability on top of bpf is required since systemd commit 6d9ef22acdea ("emit a warning in networkd if managed sysctls are changed"):

Monitor the sysctl set by networkd for writes, if a sysctl is overwritten with a different value than the one we set, emit a warning.

Writes are detected with an eBPF program attached as BPF_CGROUP_SYSCTL which reports the sysctl writes only in net/.
---
 policy/modules/system/systemd.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 8d4f2b9afc..774826449c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -601,7 +601,7 @@ optional_policy(`
 #
 allow systemd_networkd_t self:bpf { map_create map_read map_write prog_load prog_run };
-allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap };
+allow systemd_networkd_t self:capability { dac_read_search dac_override net_admin net_raw setuid fowner chown setgid setpcap sys_admin };
 allow systemd_networkd_t self:capability2 bpf;
 allow systemd_networkd_t self:process { getcap setcap };