From 8ae46611ba926ffa4635cea4a14ceb54c7809109 Mon Sep 17 00:00:00 2001
From: Ihor Aleksandrychiev
Date: Mon, 5 Jan 2026 13:08:58 +0200
Subject: [PATCH] Added missing SELinux permissions for PHP opcache operations

Ticket: ENT-13634
Signed-off-by: Ihor Aleksandrychiev
---
 misc/selinux/cfengine-enterprise.te.all | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/misc/selinux/cfengine-enterprise.te.all b/misc/selinux/cfengine-enterprise.te.all
index 63f42a98a7..67339fc12d 100644
--- a/misc/selinux/cfengine-enterprise.te.all
+++ b/misc/selinux/cfengine-enterprise.te.all
@@ -574,6 +574,12 @@ allow cfengine_httpd_t smtp_port_t:tcp_socket name_connect;
 # httpd/PHP needs to be able to contact LDAP servers
 allow cfengine_httpd_t ldap_port_t:tcp_socket name_connect;
+# allow PHP-FPM to use hugepages for opcache
+allow cfengine_httpd_t hugetlbfs_t:file map;
+
+# allow PHP-FPM to lock opcache files in tmpfs
+allow cfengine_httpd_t tmpfs_t:file lock;
+
 # Bidirectional DBus communication between httpd and systemd
 allow cfengine_httpd_t system_dbusd_t:dbus send_msg;
 allow cfengine_httpd_t system_dbusd_t:unix_stream_socket connectto;
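Review bot: The second added rule, `allow cfengine_httpd_t tmpfs_t:file lock;`, is scoped to the generic `tmpfs_t` label rather than to the opcache files its comment names, so it applies to any `tmpfs_t` file the whole `cfengine_httpd_t` domain (not only PHP-FPM) can reach. If the opcache files are created by this domain, a private type would keep the grant narrow: declare a type such as `cfengine_httpd_tmpfs_t` (name illustrative), add `type_transition cfengine_httpd_t tmpfs_t:file cfengine_httpd_tmpfs_t;`, and allow `lock` on that type instead. If the generic label has to stay, I would extend the comment to say why, for example `# opcache files are labelled tmpfs_t (no private type); lock needed per <AVC denial from ENT-13634>`. The `hugetlbfs_t:file map` rule would benefit from the same treatment, naming the opcache setting that triggers it so the rule can be dropped where huge pages are disabled.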