From 8fbcf2a29ffe3385276769a43d310ce522ef1f80 Mon Sep 17 00:00:00 2001
From: Vratislav Podzimek
Date: Mon, 8 Jul 2024 16:41:11 +0200
Subject: [PATCH 1/2] Allow cfbs to execute commands in a shell
It executes `git` (and maybe other commands) in a shell.
Ticket: ENT-11910
Changelog: None
(cherry picked from commit 818708a54ae886d5446cac9405bb65dc50eb5cea)
---
 misc/selinux/cfengine-enterprise.te.all | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all
index 35ebdc9587..625056443b 100644
--- a/misc/selinux/cfengine-enterprise.te.all
+++ b/misc/selinux/cfengine-enterprise.te.all
@@ -849,6 +849,10 @@ allow cfengine_cfbs_t cfengine_reactor_t:fifo_file { getattr ioctl read write };
 allow cfengine_cfbs_t bin_t:file { map execute };
+# cfbs runs some commands in a shell
+allow cfengine_cfbs_t shell_exec_t:file map;
+allow cfengine_cfbs_t shell_exec_t:file { execute execute_no_trans };
+
 allow cfengine_cfbs_t cert_t:dir search;
 allow cfengine_cfbs_t cert_t:file { getattr open read };
 allow cfengine_cfbs_t cert_t:lnk_file read;
From 7d3aa6087c461f3870614b38a828785859a4bcd1 Mon Sep 17 00:00:00 2001
From: Ole Herman Schumacher Elgesem <4048546+olehermanse@users.noreply.github.com>
Date: Tue, 9 Jul 2024 13:37:17 +0200
Subject: [PATCH 2/2] masterfiles-stage: Added alternate global directory for cfbs build
(cherry picked from commit b6339e0a44bcac1cda240c17bae0a3dcd5e856fe)
---
 contrib/masterfiles-stage/common.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/contrib/masterfiles-stage/common.sh b/contrib/masterfiles-stage/common.sh
index 3704ea8e68..27e9306f2c 100755
--- a/contrib/masterfiles-stage/common.sh
+++ b/contrib/masterfiles-stage/common.sh
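Review bot: In misc/selinux/cfengine-enterprise.te.all the two added `shell_exec_t` rules grant `execute_no_trans`, so the shell and whatever it starts stay in `cfengine_cfbs_t`, and the comment does not say so. I would word the comment as `# cfbs runs git (and possibly other commands) via a shell; no domain transition, the shell stays in cfengine_cfbs_t` so a later reader knows that every permission of this domain is reachable from those command lines. The two rules can also be one, `allow cfengine_cfbs_t shell_exec_t:file { map execute execute_no_trans };`, matching the grouped `bin_t` rule just above.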
@@ -227,7 +227,7 @@ git_cfbs_deploy_refspec() {
 _start_wrkdir=$(pwd)
 # Switch to the staging directory and build with cfbs
 cd "${temp_stage}"
- cfbs build || error_exit "cfbs build failed"
+ CFBS_GLOBAL_DIR="/opt/cfengine/build/cfbs_global" cfbs build || error_exit "cfbs build failed"
 # Switch back to the original working dir
 cd "${_start_wrkdir}"
 # Grab HEAD so it can be used to populate cf_promises_release_id
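Review bot: The new `CFBS_GLOBAL_DIR` assignment in git_cfbs_deploy_refspec hard-codes `/opt/cfengine/build/cfbs_global` with no comment saying why, and nothing in the hunk creates the directory or checks who may write to it. cfbs presumably keeps its downloaded module data there and the build result is deployed as policy, so the location deserves a line such as `# Fixed cfbs global dir (not the default under $HOME); must be writable only by the deploying user` above the call. The path would also read better as a variable defined with the script's other settings than as a literal inside the command. The function's body starts and ends outside the hunk.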