diff --git a/contrib/masterfiles-stage/common.sh b/contrib/masterfiles-stage/common.sh index 3704ea8e68..27e9306f2c 100755 --- a/contrib/masterfiles-stage/common.sh +++ b/contrib/masterfiles-stage/common.sh @@ -227,7 +227,7 @@ git_cfbs_deploy_refspec() { _start_wrkdir=$(pwd) # Switch to the staging directory and build with cfbs cd "${temp_stage}" - cfbs build || error_exit "cfbs build failed" + CFBS_GLOBAL_DIR="/opt/cfengine/build/cfbs_global" cfbs build || error_exit "cfbs build failed" # Switch back to the original working dir cd "${_start_wrkdir}" # Grab HEAD so it can be used to populate cf_promises_release_id diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all index 35ebdc9587..625056443b 100644 --- a/misc/selinux/cfengine-enterprise.te.all +++ b/misc/selinux/cfengine-enterprise.te.all @@ -849,6 +849,10 @@ allow cfengine_cfbs_t cfengine_reactor_t:fifo_file { getattr ioctl read write }; allow cfengine_cfbs_t bin_t:file { map execute }; +# cfbs runs some commands in a shell +allow cfengine_cfbs_t shell_exec_t:file map; +allow cfengine_cfbs_t shell_exec_t:file { execute execute_no_trans }; + allow cfengine_cfbs_t cert_t:dir search; allow cfengine_cfbs_t cert_t:file { getattr open read }; allow cfengine_cfbs_t cert_t:lnk_file read;
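Review bot: The added `CFBS_GLOBAL_DIR="/opt/cfengine/build/cfbs_global"` prefix on `cfbs build` pins where cfbs keeps its global state, but nothing says why or who is expected to own that directory. Whatever cfbs reads from there feeds a build whose output is then staged as policy, so the directory should be writable only by the account that runs this script; the hunk neither creates nor checks it. A comment above the line would record the intent, for example `# Keep cfbs global state under /opt/cfengine/build (root-owned) so the confined cfbs domain can use it`, assuming that is the reason, which is inferred from the SELinux change in the same commit. The body of git_cfbs_deploy_refspec starts and ends outside the hunk.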
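Review bot: The new `shell_exec_t` rules include `execute_no_trans`, so any shell that cfbs spawns stays in `cfengine_cfbs_t` and can do everything that domain is allowed to do. The comment `# cfbs runs some commands in a shell` should name which cfbs steps need a shell so the grant can be audited and narrowed later. The two rules can also be written as one, matching the `bin_t` line just above: `allow cfengine_cfbs_t shell_exec_t:file { map execute execute_no_trans };`. No `getattr open read` on `shell_exec_t` appears in this hunk; if those are not granted elsewhere in the policy, which is not visible here, the shell would presumably still be denied.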