From f9fb07517a968c47b65cb24904b1b1b870b42acb Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 12 Dec 2023 14:37:08 +0100
Subject: [PATCH] Allow sysadm execute traceroute in sysadm_t domain using sudo

When an unprivileged user in the sysadm_r role executes traceroute
through sudo, it transitions into sysadm_sudo_t domain by default.
With this commit, the process transitions back to sysadm_t.

Resolves: RHEL-9947
---
 policy/modules/admin/sudo.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 418e944a0b..43fb688df1 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -102,6 +102,7 @@ template(`sudo_role_template',`
 
 	optional_policy(`
 		netutils_domtrans($1_sudo_t)
+		netutils_run_traceroute($1_sudo_t, $2)
 	')
 
 	optional_policy(`