Merge pull request #5568 from vpodzime/master-selinux_cfbs_shell

Allow cfbs to execute commands in a shell
cfengine · Jul 9, 2024 · 3297066 · 3297066
2 parents 98374bb + 818708a
commit 3297066
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all
@@ -853,6 +853,10 @@ allow cfengine_cfbs_t cfengine_reactor_t:fifo_file { getattr ioctl read write };
 
 allow cfengine_cfbs_t bin_t:file { map execute };
 
+# cfbs runs some commands in a shell
+allow cfengine_cfbs_t shell_exec_t:file map;
+allow cfengine_cfbs_t shell_exec_t:file { execute execute_no_trans };
+
 allow cfengine_cfbs_t cert_t:dir search;
 allow cfengine_cfbs_t cert_t:file { getattr open read };
 allow cfengine_cfbs_t cert_t:lnk_file read;