Added fallback selinux script to label binaries as unconfined in case the cfengine-enterprise module fails to install

craigcomstock · craigcomstock · commit d1682f329b94 · 2025-11-10T15:16:46.000-06:00
In case the normal cfengine-enterprise policy module fails to install the scripts will run this new scripts to ensure that CFEngine can function even if SELinux is enforcing by labeling them as bin_t aka unconfined. Ticket: ENT-12980 Changelog: title
diff --git a/misc/selinux/Makefile.am b/misc/selinux/Makefile.am
@@ -9,6 +9,7 @@ selinuxdir = $(prefix)/selinux
 selinux_DATA = cfengine-enterprise.pp
 selinux_DATA += cfengine-enterprise.te
 selinux_DATA += cfengine-enterprise.fc
+selinux_DATA += label-binaries-unconfined.sh
 
 clean-local:
 	rm -rf tmp
@@ -18,5 +19,6 @@ endif
 # tarball even without running './configure --with-selinux-policy'
 DISTFILES  = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all
 DISTFILES += cfengine-enterprise.te.el9
+DISTFILES += label-binaries-unconfined.sh
 
 CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te
diff --git a/misc/selinux/label-binaries-unconfined.sh b/misc/selinux/label-binaries-unconfined.sh
@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+# This script is intended to be used by the package scriptlets in case the selinux module fails to install
+_prefix=${1:-/var/cfengine}
+find "$_prefix" -type f -executable | while IFS='' read -r binary
+do
+  semanage -a -t bin_t "$binary"
+done
