Added http_port and getattr selinux permissions as needed for selinux policy on rhel-8 and rhel-9

http_port is needed in el9, selinux-policy version 38.1.45, for inventory policy common bundles.

getattr for fsadm_exec_t is needed in el9 and getattr for lvm_exec_t is needed in both el8 and el9.

Ticket: ENT-12954
Changelog: title

Author: craigcomstock

misc/selinux/cfengine-enterprise.te.all

@@ -401,6 +401,9 @@ allow init_t cfengine_hub_t:process siginh;
 allow cfengine_hub_t cfengine_hub_exec_t:file entrypoint;
 allow cfengine_hub_t cfengine_hub_exec_t:file { ioctl read getattr lock map execute open };
 
+# the following file permissions for cf-hub are not needed if masterfiles includes fixes from ENT-12954 making inventory and paths stadnard library bundles agent instead of common.
+allow cfengine_hub_t lvm_exec_t:file getattr;
+
 # allow cf-hub to use/execute libpromises.so
 allow cfengine_hub_t cfengine_var_lib_t:file map;
 allow cfengine_hub_t cfengine_var_lib_t:file execute;

misc/selinux/cfengine-enterprise.te.el9

@@ -8,3 +8,11 @@ allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
 allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;
 allow cfengine_reactor_t systemd_userdbd_runtime_t:dir { getattr open read search };
 allow cfengine_reactor_t systemd_userdbd_runtime_t:sock_file write;
+
+# selinux-policy 38.1.45 requires the following http_port permissions whereas 3.14.3 does not.
+# these permissions are not be needed if changes from ENT-12954 to masterfiles policy move inventory from common to an agent bundle are in place.
+allow cfengine_serverd_t http_port_t:tcp_socket name_connect;
+allow cfengine_execd_t http_port_t:tcp_socket name_connect;
+
+# the following file permissions for cf-hub are not needed if masterfiles includes fixes from ENT-12954 making inventory and paths stadnard library bundles agent instead of common.
+allow cfengine_hub_t fsadm_exec_t:file getattr;