How to allow BPF event collection on SELinux, as some Linux distributions with SELinux may have a default policy that blocks services making BPF calls. 

Detecting SELinux denials

Typically an entry in a /var/log/messages file (any file /var/log/messages-<numbers>) on Enterprise Linux distros like Oracle, CentOS and RedHat will contain a message about denying the BPF from working.

setroubleshoot: SELinux is preventing event_collector from map_create access

Detailed Denial Explanation

ausearch -c 'event_collector' --raw  | audit2allow --why

• Carbon Black Cloud for Linux sensor 2.10.x 
• Oracle 7 UEK with 5.4 kernel extensions

Mitigation Steps

Generate Policy

ausearch -c 'event_collector' --raw  | audit2allow -M cbagent

Modify Generated Policy
Program allow2audit is not smart enough to allow other bpf operations. Edit generated file cbagent.te to look more like the following:

module cbagent 1.0;
require {
        type unconfined_service_t;
        class bpf { map_create map_read map_write prog_load prog_run };
}
#============= unconfined_service_t ==============
allow unconfined_service_t self:bpf { map_create map_read map_write prog_load prog_run };

Note that lines referencing the bpf class are also allowing other bpf operations like map_read and map_write.

Check Loading of Policy and Generate Module
Ensure your edits work by running:

checkmodule -M -m -o cbagent.mod cbagent.te

Create Selinux Policy Module Package

semodule_package -o cbagent.pp -m cbagent.mod

Insert Policy

semodule -i cbagent.pp

Restarting cbagentd should now allow BPF based event collection:

systemctl restart cbagentd