From 23dbb8c27c812f5f29f7caf194bda7677b997bc2 Mon Sep 17 00:00:00 2001
From: Craig Comstock <craig.comstock@northern.tech>
Date: Mon, 5 May 2025 15:59:02 -0500
Subject: [PATCH] Added http_port and getattr selinux permissions as needed for
 selinux policy on rhel-8 and rhel-9

http_port is needed in el9, selinux-policy version 38.1.45, for inventory policy common bundles.

getattr for fsadm_exec_t is needed in el9 and getattr for lvm_exec_t is needed in both el8 and el9.

Ticket: ENT-12954
Changelog: title
---
 misc/selinux/cfengine-enterprise.te.all | 6 ++++++
 misc/selinux/cfengine-enterprise.te.el9 | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all
index e2a81c6190..a00d669a1d 100644
--- a/misc/selinux/cfengine-enterprise.te.all
+++ b/misc/selinux/cfengine-enterprise.te.all
@@ -91,6 +91,8 @@ require {
 	type ssh_exec_t;
 	type ssh_home_t;
 	type rpm_script_t;
+	type fsadm_exec_t;
+	type lvm_exec_t;
 	class lockdown { confidentiality integrity };
 	class tcp_socket { create ioctl read getattr lock write setattr append bind connect getopt setopt shutdown name_connect accept listen name_bind node_bind };
 	class mctp_socket { ioctl read write create getattr setattr lock relabelfrom relabelto append map bind connect listen accept getopt setopt shutdown recvfrom sendto recv_msg send_msg name_bind };
@@ -401,6 +403,10 @@ allow init_t cfengine_hub_t:process siginh;
 allow cfengine_hub_t cfengine_hub_exec_t:file entrypoint;
 allow cfengine_hub_t cfengine_hub_exec_t:file { ioctl read getattr lock map execute open };
 
+# the following file permissions for cf-hub are not needed if masterfiles includes fixes from ENT-12954 making inventory and paths standard library bundles agent instead of common.
+allow cfengine_hub_t fsadm_exec_t:file getattr;
+allow cfengine_hub_t lvm_exec_t:file getattr;
+
 # allow cf-hub to use/execute libpromises.so
 allow cfengine_hub_t cfengine_var_lib_t:file map;
 allow cfengine_hub_t cfengine_var_lib_t:file execute;
diff --git a/misc/selinux/cfengine-enterprise.te.el9 b/misc/selinux/cfengine-enterprise.te.el9
index e5641ede37..14fe34b0ca 100644
--- a/misc/selinux/cfengine-enterprise.te.el9
+++ b/misc/selinux/cfengine-enterprise.te.el9
@@ -1,5 +1,6 @@
 require {
 	type systemd_userdbd_runtime_t;
+	type http_port_t;
 }
 
 # PAM module for dynamic users
@@ -8,3 +9,8 @@ allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
 allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;
 allow cfengine_reactor_t systemd_userdbd_runtime_t:dir { getattr open read search };
 allow cfengine_reactor_t systemd_userdbd_runtime_t:sock_file write;
+
+# selinux-policy 38.1.45 requires the following http_port permissions whereas 3.14.3 does not.
+# these permissions are not be needed if changes from ENT-12954 to masterfiles policy move inventory from common to an agent bundle are in place.
+allow cfengine_serverd_t http_port_t:tcp_socket name_connect;
+allow cfengine_execd_t http_port_t:tcp_socket name_connect;