Adjusted CFEngine SELinux policy to allow cf-execd to run ps command …
…with policy version 33

Apparently, ps command running with SELinux kernel policy version 33 requires self:cap_userns sys_ptrace.

Ticket: ENT-12446
Changelog: title
craigcomstock committed Nov 26, 2024
1 parent e8e1c84 commit 45ea0fe
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions misc/selinux/cfengine-enterprise.te.all
Expand Up @@ -229,6 +229,7 @@ allow cfengine_execd_t cfengine_reactor_exec_t:file getattr;
allow cfengine_execd_t cfengine_var_lib_t:sock_file { create unlink getattr setattr };

allow cfengine_execd_t self:capability sys_ptrace;
allow cfengine_execd_t self:cap_userns sys_ptrace;

allow cfengine_execd_t crontab_exec_t:file getattr;
allow cfengine_execd_t dmidecode_exec_t:file getattr;
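Review bot: The new rule `allow cfengine_execd_t self:cap_userns sys_ptrace;`, added directly under the existing `self:capability sys_ptrace` rule, has no comment saying why it is needed. The commit message ties it to cf-execd running ps under kernel policy version 33 and hedges with "Apparently", so a one-line comment above the rule naming ps and ENT-12446 would tell a later policy audit what to re-test before removing it. Since sys_ptrace is a sensitive permission, please also attach the AVC denial that motivated the rule to the ticket, and confirm whether ps actually fails without it or only logs the denial; in the second case a `dontaudit` rule would silence the log without granting the permission. The visible hunk does not show a `require` block, so check that the `cap_userns` class with `sys_ptrace` is declared there, otherwise the module will not compile.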