From 818708a54ae886d5446cac9405bb65dc50eb5cea Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek
Date: Mon, 8 Jul 2024 16:41:11 +0200
Subject: [PATCH] Allow cfbs to execute commands in a shell

It executes `git` (and maybe other commands) in a shell.

Ticket: ENT-11910
Changelog: None
---
 misc/selinux/cfengine-enterprise.te.all | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all
index 268c0be225..228c4537f7 100644
--- a/misc/selinux/cfengine-enterprise.te.all
+++ b/misc/selinux/cfengine-enterprise.te.all
@@ -853,6 +853,10 @@ allow cfengine_cfbs_t cfengine_reactor_t:fifo_file { getattr ioctl read write };
 allow cfengine_cfbs_t bin_t:file { map execute };
+# cfbs runs some commands in a shell
+allow cfengine_cfbs_t shell_exec_t:file map;
+allow cfengine_cfbs_t shell_exec_t:file { execute execute_no_trans };
+
 allow cfengine_cfbs_t cert_t:dir search;
 allow cfengine_cfbs_t cert_t:file { getattr open read };
 allow cfengine_cfbs_t cert_t:lnk_file read;
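Review bot: `execute_no_trans` on `shell_exec_t` keeps the shell, and everything it launches, inside `cfengine_cfbs_t` instead of transitioning to another domain, so the comment on the first added line should state that this is intentional and name the known caller, e.g. `# cfbs invokes git (and possibly other tools) through a shell; the shell stays in cfengine_cfbs_t (execute_no_trans), so anything it spawns runs with this domain's permissions`. Putting `map` in its own rule while `execute execute_no_trans` share a brace set reads as accidental; if the separate `map` line is deliberate (for instance so it can be dropped where the target policy version lacks the `map` permission), say so in the comment, otherwise merge them into `allow cfengine_cfbs_t shell_exec_t:file { map execute execute_no_trans };`. The existing `bin_t` rule just above grants only `map execute`, so whether commands the shell starts from `bin_t` actually run in this domain depends on rules outside this hunk; worth confirming `git` itself is reachable under the same policy.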