From 3e22aa30224df9650b4916e142a77f08db5fbb7f Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Sat, 4 May 2024 21:45:42 +0200 Subject: [PATCH 01/14] Allow svirt_t read vm sysctls The commit addresses the following AVC denial: type=PROCTITLE msg=audit(04/10/2024 04:54:54.905:788) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra type=PATH msg=audit(04/10/2024 04:54:54.905:788) : item=0 name=/proc/sys/vm/max_map_count inode=68303 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(04/10/2024 04:54:54.905:788) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x557ed6d62074 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=23797 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c475,c934 key=(null) type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc: denied { open } for pid=23797 comm=qemu-kvm path=/proc/sys/vm/max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1 type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc: denied { read } for pid=23797 comm=qemu-kvm name=max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1 Resolves: RHEL-32296 --- policy/modules/contrib/virt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/virt.te b/policy/modules/contrib/virt.te index 488804c40f..bcf8cbcb3e 100644 --- a/policy/modules/contrib/virt.te +++ b/policy/modules/contrib/virt.te 
@@ -371,6 +371,7 @@ allow svirt_t self:netlink_route_socket r_netlink_socket_perms; allow svirt_t virtlogd_t:unix_stream_socket connectto; kernel_request_load_module(svirt_t) +kernel_read_vm_sysctls(svirt_t) corenet_udp_sendrecv_generic_if(svirt_t) corenet_udp_sendrecv_generic_node(svirt_t) From 769e4b48ebb4241eac8aaeddac524d57fc1fe124 Mon Sep 17 00:00:00 2001 From: Juraj Marcin Date: Fri, 9 Feb 2024 15:33:39 +0100 Subject: [PATCH 02/14] Add crontab_domtrans interface This interface allows a domain to execute crontab and transition to crontab_t domain. Resolves: RHEL-31888 --- policy/modules/contrib/cron.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index 80419572cc..d5987694df 100644 --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if @@ -1079,3 +1079,21 @@ interface(`cron_system_spool_entrypoint',` ') allow $1 system_cron_spool_t:file entrypoint; ') + +######################################## +## +## Execute crontab in the crontab domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`crontab_domtrans',` + gen_require(` + type crontab_exec_t, crontab_t; + ') + + domtrans_pattern($1, crontab_exec_t, crontab_t) +') From 4bd8f6e2f82633f88e9eedbf336b57db11046337 Mon Sep 17 00:00:00 2001 From: Juraj Marcin Date: Thu, 22 Feb 2024 14:24:12 +0100 Subject: [PATCH 03/14] Add crontab_admin_domtrans interface This interface allows a admin domain to execute crontab and transition to admin_crontab_t domain. Resolves: RHEL-31888 --- policy/modules/contrib/cron.if | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/policy/modules/contrib/cron.if b/policy/modules/contrib/cron.if index d5987694df..821121b9ad 100644 --- a/policy/modules/contrib/cron.if +++ b/policy/modules/contrib/cron.if 
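Review bot: The new `kernel_read_vm_sysctls(svirt_t)` grants read on every file of type sysctl_vm_t, not only the /proc/sys/vm/max_map_count path in the quoted AVC; that is the finest granularity the interface offers and the PATH record shows the file is world-readable (mode 644), so the added exposure is small, but the motivating access should be recorded next to the rule, e.g. `# qemu reads /proc/sys/vm/max_map_count (RHEL-32296)`. Other svirt-derived guest domains defined elsewhere in virt.te may hit the same denial; this hunk covers svirt_t only.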
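Review bot: `crontab_domtrans` drops the `cron_` prefix that the other interfaces in cron.if carry (the hunk header's context shows `cron_system_spool_entrypoint`), and that prefix is how callers and the generated interface docs are grouped by module; a `cron_`-prefixed name would follow the file's convention, although renaming later means touching the staff.te/sysadm.te callers added in this series. The interface also has no `corecmd_search_bin($1)` before `domtrans_pattern`, which the `bootupd_domtrans` interface added later in this series does include so callers can reach the binary under /usr/bin; if that search access is assumed to come from elsewhere, say so in the summary.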
@@ -1097,3 +1097,21 @@ interface(`crontab_domtrans',` domtrans_pattern($1, crontab_exec_t, crontab_t) ') + +######################################## +## +## Execute crontab in the admin crontab domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`crontab_admin_domtrans',` + gen_require(` + type crontab_exec_t, admin_crontab_t; + ') + + domtrans_pattern($1, crontab_exec_t, admin_crontab_t) +') From f9586704d0ded795dcf77e501dff95c0987d8bc4 Mon Sep 17 00:00:00 2001 From: Juraj Marcin Date: Thu, 22 Feb 2024 14:25:14 +0100 Subject: [PATCH 04/14] Differentiate between staff and sysadm when executing crontab with sudo Addresses the following error: type=PROCTITLE msg=audit(02/16/2024 05:30:44.450:614) : proctitle=sudo -u user30731 crontab -r type=PATH msg=audit(02/16/2024 05:30:44.450:614) : item=0 name=/bin/crontab inode=589204 dev=fd:00 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:crontab_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(02/16/2024 05:30:44.450:614) : cwd=/home/user30731 type=SYSCALL msg=audit(02/16/2024 05:30:44.450:614) : arch=ppc64le syscall=execve success=no exit=EACCES(Permission denied) a0=0x10034c28b18 a1=0x10034c19408 a2=0x10034c119a0 a3=0x10034c119a0 items=1 ppid=31112 pid=31113 auid=user30731 uid=user30731 gid=user30731 euid=user30731 suid=user30731 fsuid=user30731 egid=user30731 sgid=user30731 fsgid=user30731 tty=pts2 ses=12 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(02/16/2024 05:30:44.450:614) : op=security_compute_sid invalid_context=sysadm_u:sysadm_r:crontab_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process Resolves: RHEL-31888 --- policy/modules/roles/staff.te | 3 +++ policy/modules/roles/sysadm.te | 3 +++ 2 files changed, 6 insertions(+) 
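Review bot: `crontab_admin_domtrans` and the sibling `crontab_domtrans` both emit a `type_transition $1 crontab_exec_t:process …` for the same source/target pair with different result types, so a domain that calls both cannot be built (conflicting type_transition), and nothing in the interface text warns about it. Add to the summary something like `## A caller must use either this interface or crontab_domtrans, never both.` As with the sibling interface, the name omits the module's `cron_` prefix and no `corecmd_search_bin($1)` precedes the `domtrans_pattern`.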
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 2303b2b7da..9f67c92c1c 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -322,6 +322,9 @@ optional_policy(` optional_policy(` sudo_role_template(staff, staff_r, staff_t) + optional_policy(` + crontab_domtrans(staff_sudo_t) + ') ') optional_policy(` diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te index 04b4bdcf72..f288c7500a 100644 --- a/policy/modules/roles/sysadm.te +++ b/policy/modules/roles/sysadm.te @@ -602,6 +602,9 @@ optional_policy(` optional_policy(` sudo_role_template(sysadm, sysadm_r, sysadm_t) + optional_policy(` + crontab_admin_domtrans(sysadm_sudo_t) + ') ') optional_policy(` From 93ecc54fd65293d2090a0694e40b73708ec42fd1 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Mon, 15 Apr 2024 18:02:19 +0200 Subject: [PATCH 05/14] Label /dev/mmcblk0rpmb character device with removable_device_t So far, only /dev/mmcblk.* block devices were assigned that label. This commit adds the label for character device for the RPMB (Replay Protected Memory Block) standard. Resolves: RHEL-28080 --- policy/modules/kernel/storage.fc | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/kernel/storage.fc b/policy/modules/kernel/storage.fc index f50225ee23..78b723f4c2 100644 --- a/policy/modules/kernel/storage.fc +++ b/policy/modules/kernel/storage.fc @@ -32,6 +32,7 @@ /dev/megaraid_sas_ioctl_node -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/megadev.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mmcblk.* -b gen_context(system_u:object_r:removable_device_t,s0) +/dev/mmcblk[0-9]+rpmb -c gen_context(system_u:object_r:removable_device_t,s0) /dev/mspblk.* -b gen_context(system_u:object_r:removable_device_t,s0) /dev/mtd.* -b gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) /dev/mtd.* -c gen_context(system_u:object_r:fixed_disk_device_t,mls_systemhigh) 
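Review bot: `crontab_admin_domtrans(sysadm_sudo_t)` only adds the process transition; it is valid only if sysadm_r is already authorized for admin_crontab_t, and the quoted SELINUX_ERR is precisely such a role/type mismatch (sysadm_r with crontab_t), so that authorization is presumably granted by a `cron_admin_role` call elsewhere in sysadm.te, outside this hunk — confirm rather than assume. The new block also deserves a comment saying why sysadm differs from staff, e.g. `# sudo -u <user> crontab …: sysadm_r is not authorized for crontab_t, use admin_crontab_t`. The net effect is that an administrator editing another user's crontab via sudo now runs crontab in the admin variant of the domain, which is presumably the more privileged one; that is consistent with sysadm_r but should be stated in the commit message.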
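Review bot: Labelling `/dev/mmcblk[0-9]+rpmb` removable_device_t (s0) mirrors the existing `/dev/mmcblk.*` block entry, but an RPMB partition is not removable media in the usual sense — it is the replay-protected region of an eMMC that firmware and TEEs use for tamper-evident storage — so it inherits whatever raw access the policy grants to removable devices, which is typically broader than for fixed disks. The neighbouring `/dev/mtd.*` character entry uses fixed_disk_device_t with mls_systemhigh, which would be the conservative choice; confirm that the wider label is intended for RPMB and record the decision next to the entry, e.g. `# RPMB char device; labelled like the parent mmcblk device on purpose`.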
From 1f2d9974c6a0880c5e06cd094c565dbd1c637761 Mon Sep 17 00:00:00 2001 From: Nikola Knazekova Date: Fri, 10 Feb 2023 18:15:54 +0100 Subject: [PATCH 06/14] Add policy for bootupd Bootupd is a small socket activated program that takes care of updating the bootloader. Resolves: RHEL-22172 --- policy/modules/contrib/bootupd.fc | 7 ++++++ policy/modules/contrib/bootupd.if | 39 ++++++++++++++++++++++++++++++ policy/modules/contrib/bootupd.te | 40 +++++++++++++++++++++++++++++++ 3 files changed, 86 insertions(+) create mode 100644 policy/modules/contrib/bootupd.fc create mode 100644 policy/modules/contrib/bootupd.if create mode 100644 policy/modules/contrib/bootupd.te diff --git a/policy/modules/contrib/bootupd.fc b/policy/modules/contrib/bootupd.fc new file mode 100644 index 0000000000..00cdf3c091 --- /dev/null +++ b/policy/modules/contrib/bootupd.fc @@ -0,0 +1,7 @@ +/usr/bin/bootupctl -- gen_context(system_u:object_r:bootupd_exec_t,s0) +/usr/libexec/bootupd -- gen_context(system_u:object_r:bootupd_exec_t,s0) + +/usr/lib/systemd/system/bootupd\.service -- gen_context(system_u:object_r:bootupd_unit_file_t,s0) +/usr/lib/systemd/system/bootupd\.socket -- gen_context(system_u:object_r:bootupd_unit_file_t,s0) + +/var/run/bootupd\.sock -s gen_context(system_u:object_r:bootupd_var_run_t,s0) diff --git a/policy/modules/contrib/bootupd.if b/policy/modules/contrib/bootupd.if new file mode 100644 index 0000000000..d778b157a6 --- /dev/null +++ b/policy/modules/contrib/bootupd.if 
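Review bot: `/usr/bin/bootupctl` gets the same bootupd_exec_t label as the daemon, but the .te only sets up `init_daemon_domain`, so an administrator running bootupctl from a shell does not transition (and `bootupd_exec` in the new .if explicitly lets callers run it in their own domain); if bootupctl is the client that talks to the daemon over /var/run/bootupd.sock, those caller domains will also need stream-connect access to bootupd_var_run_t, and no interface here provides it. Either a separate label for the client or a `bootupd_stream_connect` interface would make the intended model explicit; at minimum a comment on the bootupctl entry saying why it shares the daemon's type would help. That bootupctl uses the socket is inferred from the .fc, not shown here.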
@@ -0,0 +1,39 @@ +## policy for bootupd + +######################################## +## +## Execute bootupd_exec_t in the bootupd domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`bootupd_domtrans',` + gen_require(` + type bootupd_t, bootupd_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, bootupd_exec_t, bootupd_t) +') + +###################################### +## +## Execute bootupd in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`bootupd_exec',` + gen_require(` + type bootupd_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, bootupd_exec_t) +') diff --git a/policy/modules/contrib/bootupd.te b/policy/modules/contrib/bootupd.te new file mode 100644 index 0000000000..b9b1f56568 --- /dev/null +++ b/policy/modules/contrib/bootupd.te @@ -0,0 +1,40 @@ +policy_module(bootupd, 1.0.0) + +######################################## +# +# Declarations +# + +type bootupd_t; +type bootupd_exec_t; +init_daemon_domain(bootupd_t, bootupd_exec_t) + +type bootupd_unit_file_t; +systemd_unit_file(bootupd_unit_file_t) + +type bootupd_var_run_t; +files_pid_file(bootupd_var_run_t) + +permissive bootupd_t; + +######################################## +# +# bootupd local policy +# +allow bootupd_t self:capability { setgid setuid }; +allow bootupd_t self:process { fork setpgid }; +allow bootupd_t self:fifo_file rw_fifo_file_perms; +allow bootupd_t self:unix_dgram_socket create_socket_perms; +allow bootupd_t self:unix_stream_socket create_stream_socket_perms; + +kernel_dgram_send(bootupd_t) + +domain_use_interactive_fds(bootupd_t) + +files_read_etc_files(bootupd_t) + +fs_getattr_all_fs(bootupd_t) + +optional_policy(` + miscfiles_read_localization(bootupd_t) +') From 2e4a33640aa98f4ba123779a50374f22dfe406ea Mon Sep 17 00:00:00 2001 
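Review bot: `permissive bootupd_t;` ships the new domain in permissive mode, so the allow rules below are advisory — denials are logged but nothing is enforced — and a daemon that rewrites the bootloader with setuid/setgid effectively runs unconfined while this line is present. The same series drops `permissive` for afterburn_t, coreos_installer_t, mptcpd_t and rshim_t but not here; if that is deliberate, mark it, e.g. `# TODO(RHEL-22172): drop once enforcing-mode AVCs are collected`. Separately, the .fc labels bootupd.socket as a unit file and /var/run/bootupd.sock as bootupd_var_run_t, but nothing in the .te tells init to create the socket with that type; if this tree provides `init_named_socket_activation`, `init_named_socket_activation(bootupd_t, bootupd_var_run_t)` is the usual way, otherwise the live socket will not carry the label the .fc entry declares.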
From: Zdenek Pytela Date: Tue, 7 May 2024 19:01:11 +0200 Subject: [PATCH 07/14] Add the bootupd module Resolves: RHEL-22172 --- policy/modules.conf | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/policy/modules.conf b/policy/modules.conf index c46c539c39..2ca1fa51ac 100644 --- a/policy/modules.conf +++ b/policy/modules.conf @@ -3113,3 +3113,10 @@ nvme_stas = module # coreos_installer # coreos_installer = module + +# Layer: contrib +# Module: bootupd +# +# bootupd - bootloader update daemon +# +bootupd = module From 5f9f7b6bda7fcfe1be6368951710effb0f75995c Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Wed, 28 Jun 2023 11:16:19 +0200 Subject: [PATCH 08/14] Allow bootupd search EFI directory The commit addresses the following AVC denial: type=PROCTITLE msg=audit(06/27/2023 19:22:31.060:6277) : proctitle=/usr/libexec/bootupd daemon -v type=PATH msg=audit(06/27/2023 19:22:31.060:6277) : item=0 name=/boot/efi/EFI inode=1048592 dev=103:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dosfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(06/27/2023 19:22:31.060:6277) : arch=x86_64 syscall=openat success=yes exit=7 a0=0x6 a1=0x5602cecb1310 a2=O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH a3=0x0 items=1 ppid=1 pid=134959 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bootupd exe=/usr/libexec/bootupd subj=system_u:system_r:bootupd_t:s0 key=(null) type=AVC msg=audit(06/27/2023 19:22:31.060:6277) : avc: denied { search } for pid=134959 comm=bootupd name=/ dev="nvme0n1p3" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1 Resolves: RHEL-22172 --- policy/modules/contrib/bootupd.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/bootupd.te b/policy/modules/contrib/bootupd.te index b9b1f56568..bbe8a99dc3 100644 --- a/policy/modules/contrib/bootupd.te 
+++ b/policy/modules/contrib/bootupd.te @@ -34,6 +34,7 @@ domain_use_interactive_fds(bootupd_t) files_read_etc_files(bootupd_t) fs_getattr_all_fs(bootupd_t) +fs_search_dos(bootupd_t) optional_policy(` miscfiles_read_localization(bootupd_t) From ab2e32a9c08b3e52c04ea76129861c449f463428 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Fri, 19 Jan 2024 18:44:05 +0100 Subject: [PATCH 09/14] Update afterburn policy Resolves: rhbz#2254975 Resolves: RHEL-22173 --- policy/modules/contrib/afterburn.te | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/policy/modules/contrib/afterburn.te b/policy/modules/contrib/afterburn.te index 14abb2968b..aff609cf8c 100644 --- a/policy/modules/contrib/afterburn.te +++ b/policy/modules/contrib/afterburn.te @@ -21,7 +21,9 @@ permissive afterburn_t; allow afterburn_t self:capability { setgid setuid sys_admin }; allow afterburn_t self:process { fork setpgid }; allow afterburn_t self:fifo_file rw_fifo_file_perms; +allow afterburn_t self:unix_dgram_socket create_socket_perms; +kernel_dgram_send(afterburn_t) kernel_read_all_proc(afterburn_t) corenet_tcp_connect_http_port(afterburn_t) @@ -34,10 +36,22 @@ optional_policy(` auth_use_nsswitch(afterburn_t) ') +optional_policy(` + logging_write_syslog_pid_socket(afterburn_t) +') + optional_policy(` miscfiles_read_localization(afterburn_t) ') +optional_policy(` + networkmanager_dbus_chat(afterburn_t) +') + +optional_policy(` + ssh_filetrans_home_content(afterburn_t) +') + optional_policy(` sysnet_dns_name_resolve(afterburn_t) ') From 01cbd2eac1fa3c281c107f314f07d1fdf772a2d5 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Tue, 7 May 2024 21:25:10 +0200 Subject: [PATCH 10/14] Remove permissive domain for afterburn_t Resolves: RHEL-22173 --- policy/modules/contrib/afterburn.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/policy/modules/contrib/afterburn.te b/policy/modules/contrib/afterburn.te index aff609cf8c..9e7734639b 100644 --- a/policy/modules/contrib/afterburn.te 
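Review bot: `fs_search_dos(bootupd_t)` is the minimal fix for the quoted denial, but the AVC was recorded with permissive=1 and the domain is still declared permissive, so the further accesses this same code path will need on /boot/efi (reading, and for an updater presumably writing, dosfs_t content) are being logged rather than refused; a search-only rule is unlikely to be the end state. Before `permissive bootupd_t` is removed, the full dosfs_t access set should be re-collected in one pass and granted through the narrowest interface that covers it, and the rule should say what it is for, e.g. `# search /boot/efi (dosfs_t) for the installed bootloader, see RHEL-22172`.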
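Review bot: The five additions to afterburn_t (`kernel_dgram_send`, the unix_dgram_socket rule, `logging_write_syslog_pid_socket`, `networkmanager_dbus_chat`, `ssh_filetrans_home_content`) come without the AVC records the other commits in this series quote, and the next commit turns enforcement on for this domain, so the change itself gives no way to check that each rule is needed or sufficient. `ssh_filetrans_home_content` in particular only sets the type of newly created SSH files in home directories; the permission to create and write them there is not in this hunk and must already be granted elsewhere for the rule to matter — confirm that. A one-line comment tying each rule to its denial, e.g. `# SSH key provisioning into user homes, see rhbz#2254975` above the ssh_filetrans block, would let the set be audited before the permissive flag is dropped.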
+++ b/policy/modules/contrib/afterburn.te @@ -12,8 +12,6 @@ init_daemon_domain(afterburn_t, afterburn_exec_t) type afterburn_unit_file_t; systemd_unit_file(afterburn_unit_file_t) -permissive afterburn_t; - ######################################## # # afterburn local policy From 31baf05a4c7a70f09a9b4ed471d1083ac24cd042 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Tue, 7 May 2024 21:26:44 +0200 Subject: [PATCH 11/14] Remove permissive domain for coreos_installer_t Resolves: RHEL-22173 --- policy/modules/contrib/coreos_installer.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/policy/modules/contrib/coreos_installer.te b/policy/modules/contrib/coreos_installer.te index d6c3a808e8..ab720fa885 100644 --- a/policy/modules/contrib/coreos_installer.te +++ b/policy/modules/contrib/coreos_installer.te @@ -12,8 +12,6 @@ init_daemon_domain(coreos_installer_t, coreos_installer_exec_t) type coreos_installer_unit_file_t; systemd_unit_file(coreos_installer_unit_file_t) -permissive coreos_installer_t; - ######################################## # # coreos_installer local policy From ef7df27172daa4868376470c5bf02205ba4bca77 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Tue, 7 May 2024 21:29:17 +0200 Subject: [PATCH 12/14] Remove permissive domain for mptcpd_t Resolves: RHEL-22173 --- policy/modules/contrib/mptcpd.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/policy/modules/contrib/mptcpd.te b/policy/modules/contrib/mptcpd.te index cabf749a69..e7ed82f331 100644 --- a/policy/modules/contrib/mptcpd.te +++ b/policy/modules/contrib/mptcpd.te @@ -13,8 +13,6 @@ init_nnp_daemon_domain(mptcpd_t) type mptcpd_etc_t; files_config_file(mptcpd_etc_t) -permissive mptcpd_t; - ######################################## # # mptcpd local policy From 5c85b0f9666373a01117b4faaa08760145957559 Mon Sep 17 00:00:00 2001 
From: Zdenek Pytela Date: Tue, 7 May 2024 21:30:43 +0200 Subject: [PATCH 13/14] Remove permissive domain for rshim_t Resolves: RHEL-22173 --- policy/modules/contrib/rshim.te | 2 -- 1 file changed, 2 deletions(-) diff --git a/policy/modules/contrib/rshim.te b/policy/modules/contrib/rshim.te index 7225deead9..c40af4e66d 100644 --- a/policy/modules/contrib/rshim.te +++ b/policy/modules/contrib/rshim.te @@ -12,8 +12,6 @@ init_daemon_domain(rshim_t, rshim_exec_t) type rshim_unit_file_t; systemd_unit_file(rshim_unit_file_t) -permissive rshim_t; - ######################################## # # rshim local policy From b7f331693ae4c5d4ba8109729e0b60e13ae55f40 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Wed, 24 Apr 2024 20:02:50 +0200 Subject: [PATCH 14/14] Allow numad to trace processes in user namespace The commit addresses the following AVC denial: type=PROCTITLE msg=audit(04/23/2024 18:03:36.617:3479) : proctitle=/usr/bin/numad -i 15 type=SYSCALL msg=audit(04/23/2024 18:03:36.617:3479) : arch=x86_64 syscall=read success=yes exit=169 a0=0x1 a1=0x55cf0c6d4240 a2=0x400 a3=0x0 items=0 ppid=1 pid=3200 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=numad exe=/usr/bin/numad subj=system_u:system_r:numad_t:s0 key=(null) type=AVC msg=audit(04/23/2024 18:03:36.617:3479) : avc: denied { sys_ptrace } for pid=3200 comm=numad capability=sys_ptrace scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0 Resolves: RHEL-33994 --- policy/modules/contrib/numad.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/numad.te b/policy/modules/contrib/numad.te index 97f923b252..b0f92f8162 100644 --- a/policy/modules/contrib/numad.te +++ b/policy/modules/contrib/numad.te 
@@ -24,6 +24,7 @@ files_pid_file(numad_var_run_t)
 #
 
 allow numad_t self:capability { ipc_owner kill sys_nice sys_ptrace } ;
+allow numad_t self:cap_userns sys_ptrace;
 allow numad_t self:fifo_file rw_fifo_file_perms;
 allow numad_t self:msgq create_msgq_perms;
 allow numad_t self:msg { send receive };
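Review bot: The quoted AVC reports `success=yes` with `permissive=0`, i.e. the read completed even though the cap_userns check was refused, which usually means the kernel treated CAP_SYS_PTRACE as optional on that path (degrading what /proc exposes rather than failing the call); `allow numad_t self:cap_userns sys_ptrace;` therefore hands numad ptrace-level visibility into processes in non-initial user namespaces (containers) to silence a log entry, not to repair a failure. If numad demonstrably misbehaves without it, keep the rule and record why, e.g. `# numad reads /proc/<pid> of processes in child user namespaces`; if it does not, `dontaudit numad_t self:cap_userns sys_ptrace;` is the safer choice. Which case applies cannot be determined from the commit message.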