From d617f6ea845f1acc014d0f39e234da048c6871d4 Mon Sep 17 00:00:00 2001
From: Craig Comstock <craig.comstock@northern.tech>
Date: Mon, 25 Nov 2024 16:40:46 -0600
Subject: [PATCH] Adjusted CFEngine SELinux policy to allow cf-execd to run ps
 command with policy version 33

Apparently, ps command running with SELinux kernel policy version 33 requires self:cap_userns sys_ptrace.

Ticket: ENT-12446
Changelog: title
(cherry picked from commit 45ea0fe542f73e8c4358d7c0e23049dee34056d3)
---
 misc/selinux/cfengine-enterprise.te.all | 1 +
 1 file changed, 1 insertion(+)

diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all
index 625056443b..f128a761d7 100644
--- a/misc/selinux/cfengine-enterprise.te.all
+++ b/misc/selinux/cfengine-enterprise.te.all
@@ -229,6 +229,7 @@ allow cfengine_execd_t cfengine_reactor_exec_t:file getattr;
 allow cfengine_execd_t cfengine_var_lib_t:sock_file { create unlink getattr setattr };
 
 allow cfengine_execd_t self:capability sys_ptrace;
+allow cfengine_execd_t self:cap_userns sys_ptrace;
 
 allow cfengine_execd_t crontab_exec_t:file getattr;
 allow cfengine_execd_t dmidecode_exec_t:file getattr;