From 31c1f0dae604c7d2506bdbccf5b6921744c00959 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Tue, 12 Dec 2023 14:35:29 +0100
Subject: [PATCH] Allow sysadm execute tcpdump in sysadm_t domain using sudo

When an unprivileged user in the sysadm_r role executes tcpdump through sudo, it transitions into sysadm_sudo_t domain by default. With this commit, the process transitions back to sysadm_t.

Resolves: RHEL-15398
---
 policy/modules/admin/sudo.if | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 9cba3d4502..418e944a0b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -100,6 +100,10 @@ template(`sudo_role_template',`
 kerberos_read_config($1_sudo_t)
 ')
 
+ optional_policy(`
+ netutils_domtrans($1_sudo_t)
+ ')
+
 optional_policy(`
 systemd_domtrans_systemctl($1_sudo_t, $3)
 systemd_systemctl_entrypoint($3)
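Review bot: The added `netutils_domtrans($1_sudo_t)` sits in the shared `sudo_role_template`, so every role that instantiates the template gets this transition out of its `$1_sudo_t` domain, not only sysadm as the commit title suggests. If that breadth is intended, a comment above the block would record it, for example `# netutils binaries (e.g. tcpdump) run via sudo leave $1_sudo_t; applies to every role using this template`. Otherwise the rule belongs in the sysadm-specific policy. The call also takes only the source domain, unlike the neighbouring `systemd_domtrans_systemctl($1_sudo_t, $3)`. The resulting domain is therefore whatever `netutils_domtrans` targets (presumably the netutils domain rather than `sysadm_t` as the description says), and it is worth confirming that the calling role is authorised for that type. The template body starts and ends outside the hunk, so existing role associations are not visible here.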