How to allow BPF event collection on SELinux

Article ID: 292463

Updated On: 05-07-2025

Products

  • Carbon Black Cloud Audit and Remediation (formerly Cb Live Ops)
  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Some Linux distributions ship a default SELinux policy that blocks services from making BPF calls. On such systems the Carbon Black Cloud Linux sensor cannot load its BPF programs, and BPF-based event collection fails. The symptoms are:

  1. SELinux denials in /var/log/messages
    1. Enterprise Linux distributions such as Oracle Linux, CentOS and Red Hat log a setroubleshoot message showing that SELinux denied the BPF operation:
      setroubleshoot: SELinux is preventing event_collector from map_create access
      1. For a detailed explanation of the denial:
        ausearch -c 'event_collector' --raw | audit2allow --why
  2. Errors in the Linux sensor's bpf_event_collector.log:
    [DATE] [5522:5522] [W] libbpf: Error in bpf_object__probe_loading():Permission denied(13). Couldn't load trivial BPF program. Make sure your kernel supports BPF (CONFIG_BPF_SYSCALL=y) and/or that RLIMIT_MEMLOCK is set to big enough value.
    The libbpf message also names missing kernel support and RLIMIT_MEMLOCK as possible causes; when the AVC denial above is present in the audit log, SELinux policy is the cause.

Environment

  • Carbon Black Cloud Linux sensor: 2.10.x and higher
  • Linux OS: Oracle Linux 7.x
  • Kernel Version: UEK (5.4-based kernel)

Resolution

  1. Generate an initial SELinux policy module from the logged denials:
    ausearch -c 'event_collector' --raw | audit2allow -M cbagent
  2. Modify the generated policy
    1. `audit2allow` only allows the specific operations it has seen denied (for example, just `map_create`), so edit the generated `cbagent.te` to look like the following:
      module cbagent 1.0;
      require {
              type unconfined_service_t;
              class bpf { map_create map_read map_write prog_load prog_run };
      }
      #============= unconfined_service_t ==============
      allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };
    2. The bpf rule deliberately grants the full set of operations the sensor needs (map_create, map_read, map_write, prog_load, prog_run) rather than only the one that was logged, so the denials do not recur one permission at a time after each restart. Note that unconfined_service_t is the domain systemd assigns to services that have no policy of their own, so this rule grants those bpf permissions to every such service, not only the sensor. If the scontext in the ausearch output shows the sensor running in a different domain, write the rule for that domain instead.
  3. Compile the policy source into a module (this also checks that the policy is valid):
    checkmodule -M -m -o cbagent.mod cbagent.te
  4. Create the SELinux policy module package:
    semodule_package -o cbagent.pp -m cbagent.mod
  5. Install the policy module:
    semodule -i cbagent.pp
  6. Restart cbagentd; BPF-based event collection should now be allowed:
    systemctl restart cbagentd
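The following script is an added example, not code from the Carbon Black article or sensor. It automates the detect / generate / compile / install / verify cycle above and goes one step further than the article: it reads the source domain from the latest AVC denial instead of hard-coding unconfined_service_t, and it checks after the restart that no new bpf denials were logged. It assumes policycoreutils (checkmodule, semodule_package, semodule), audit (ausearch) and systemd are installed; the module name cbagent, the service name cbagentd and the default domain unconfined_service_t are taken from the article; the AVC record used for testing the parser is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the Carbon Black article): automate the SELinux
# policy fix for BPF event collection. Assumes policycoreutils, audit and
# systemd are present. MODULE, BPF_PERMS and the cbagentd service name come
# from the article; run as root with the argument "apply".
set -eu

MODULE="${MODULE:-cbagent}"
# Full bpf permission set from the article's cbagent.te, granted in one rule
# so the sensor is not denied one permission at a time on each restart.
BPF_PERMS="map_create map_read map_write prog_load prog_run"

# Print "<source domain type> <denied permission>" for one raw AVC record
# (a 'type=AVC ...' line as emitted by `ausearch --raw`).
# Returns 1 when the line is not a bpf denial or cannot be parsed.
avc_domain_and_perm() {
    local line perm domain
    line="$1"
    case "$line" in
        *'tclass=bpf'*) ;;
        *) return 1 ;;
    esac
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p')
    # scontext=user:role:TYPE:level -> TYPE
    domain=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    [ -n "$perm" ] && [ -n "$domain" ] || return 1
    printf '%s %s\n' "$domain" "$perm"
}

# Render the type-enforcement source for the module, for the given domain.
render_te() {
    local domain
    domain="$1"
    cat <<EOF
module ${MODULE} 1.0;

require {
        type ${domain};
        class bpf { ${BPF_PERMS} };
}

#============= ${domain} ==============
allow ${domain} self:bpf { ${BPF_PERMS} };
EOF
}

# Compile, package, install and confirm the module is loaded (needs root).
install_policy() {
    local domain workdir
    domain="$1"
    workdir=$(mktemp -d)
    render_te "$domain" > "${workdir}/${MODULE}.te"
    checkmodule -M -m -o "${workdir}/${MODULE}.mod" "${workdir}/${MODULE}.te"
    semodule_package -o "${workdir}/${MODULE}.pp" -m "${workdir}/${MODULE}.mod"
    semodule -i "${workdir}/${MODULE}.pp"
    rm -rf "$workdir"
    # `semodule -l` prints "name" or "name<TAB>version" depending on version.
    semodule -l | grep -qE "^${MODULE}([[:space:]]|$)" \
        || { echo "module ${MODULE} is not loaded" >&2; return 1; }
}

# Number of bpf AVC denials for event_collector currently in the audit log.
count_bpf_denials() {
    ausearch -c 'event_collector' --raw 2>/dev/null | grep -c 'tclass=bpf' || true
}

main() {
    local domain raw parsed before after
    if [ "$(getenforce 2>/dev/null || true)" = "Disabled" ]; then
        echo "SELinux is disabled; the sensor is not blocked by policy" >&2
        return 0
    fi
    # Default to the article's domain, but prefer the scontext of a real denial:
    # a sensor confined in another domain needs the rule written for that domain.
    domain=unconfined_service_t
    raw=$(ausearch -c 'event_collector' --raw 2>/dev/null | grep 'tclass=bpf' | tail -n 1 || true)
    if [ -n "$raw" ] && parsed=$(avc_domain_and_perm "$raw"); then
        domain=${parsed%% *}
        echo "latest denial: ${parsed#* } for domain ${domain}" >&2
    fi
    before=$(count_bpf_denials)
    install_policy "$domain"
    systemctl restart cbagentd
    sleep 5
    after=$(count_bpf_denials)
    if [ "$after" -gt "$before" ]; then
        echo "new bpf denials after restart; inspect with: ausearch -c event_collector --raw | audit2allow --why" >&2
        return 1
    fi
    echo "module ${MODULE} loaded for ${domain}; no new bpf denials" >&2
}

# Usage: sudo sh allow_bpf.sh apply
if [ "${1:-}" = "apply" ]; then
    main
fi
```

The before/after denial count is a deliberately simple check: if the sensor is still denied after the restart, either its domain differs from the one the rule was written for or it needs a bpf permission outside the set above, and `audit2allow --why` on the fresh records will show which.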