Added RHEL 10 specific SELinux policy

aleksandrychev · aleksandrychev · commit 8d52ad9cf845 · 2026-02-10T16:49:42.000+07:00
Ticket: ENT-13666 Signed-off-by: Ihor Aleksandrychiev <ihor.aleksandrychiev@northern.tech>
diff --git a/misc/selinux/Makefile.am b/misc/selinux/Makefile.am
@@ -18,5 +18,6 @@ endif
 # tarball even without running './configure --with-selinux-policy'
 DISTFILES  = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all
 DISTFILES += cfengine-enterprise.te.el9
+DISTFILES += cfengine-enterprise.te.el10
 
 CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te
diff --git a/misc/selinux/cfengine-enterprise.te.el10 b/misc/selinux/cfengine-enterprise.te.el10
@@ -0,0 +1,69 @@
+require {
+    type cfengine_reactor_t;
+    type cfengine_postgres_t;
+    type sysfs_t;
+    type proc_t;
+    type devpts_t;
+    type hugetlbfs_t;
+    type cfengine_hub_t;
+    type cfengine_execd_t;
+    type cfengine_apachectl_t;
+    type tty_device_t;
+    type user_devpts_t;
+    type cfengine_httpd_t;
+    type http_port_t;
+    type cfengine_httpd_exec_t;
+    type cfengine_serverd_t;
+    type systemd_userdbd_runtime_t;
+    type systemd_userdbd_t;
+    type kernel_t;
+    class tcp_socket name_connect;
+    class dir { getattr open read search };
+    class file { getattr open read write };
+    class capability { dac_override dac_read_search sys_ptrace };
+    class chr_file getattr;
+    class lnk_file read;
+    class sock_file write;
+    class unix_stream_socket connectto;
+}
+
+#============= cfengine_apachectl_t ==============
+allow cfengine_apachectl_t devpts_t:dir { getattr search };
+allow cfengine_apachectl_t proc_t:file getattr;
+allow cfengine_apachectl_t self:capability { dac_override dac_read_search sys_ptrace };
+allow cfengine_apachectl_t sysfs_t:dir read;
+allow cfengine_apachectl_t sysfs_t:file { open read };
+allow cfengine_apachectl_t tty_device_t:chr_file getattr;
+allow cfengine_apachectl_t user_devpts_t:chr_file getattr;
+
+#============= cfengine_execd_t ==============
+allow cfengine_execd_t http_port_t:tcp_socket name_connect;
+
+#============= cfengine_httpd_t ==============
+allow cfengine_httpd_t hugetlbfs_t:file { read write };
+allow cfengine_httpd_t systemd_userdbd_runtime_t:dir { open read getattr search };
+allow cfengine_httpd_t systemd_userdbd_runtime_t:lnk_file read;
+allow cfengine_httpd_t systemd_userdbd_runtime_t:sock_file write;
+allow cfengine_httpd_t systemd_userdbd_t:unix_stream_socket connectto;
+allow cfengine_httpd_t kernel_t:unix_stream_socket connectto;
+
+#============= cfengine_hub_t ==============
+allow cfengine_hub_t cfengine_httpd_exec_t:file getattr;
+allow cfengine_hub_t sysfs_t:lnk_file read;
+
+#============= cfengine_postgres_t ==============
+allow cfengine_postgres_t systemd_userdbd_runtime_t:dir { open read getattr search };
+allow cfengine_postgres_t systemd_userdbd_runtime_t:lnk_file read;
+allow cfengine_postgres_t systemd_userdbd_runtime_t:sock_file write;
+allow cfengine_postgres_t systemd_userdbd_t:unix_stream_socket connectto;
+allow cfengine_postgres_t kernel_t:unix_stream_socket connectto;
+
+#============= cfengine_reactor_t ==============
+allow cfengine_reactor_t systemd_userdbd_runtime_t:dir { open read getattr search };
+allow cfengine_reactor_t systemd_userdbd_runtime_t:lnk_file read;
+allow cfengine_reactor_t systemd_userdbd_runtime_t:sock_file write;
+allow cfengine_reactor_t systemd_userdbd_t:unix_stream_socket connectto;
+allow cfengine_reactor_t kernel_t:unix_stream_socket connectto;
+
+#============= cfengine_serverd_t ==============
+allow cfengine_serverd_t http_port_t:tcp_socket name_connect;
