From 637a06228b30bff3655e0d9559b3e16fd8a1fed4 Mon Sep 17 00:00:00 2001
From: Ihor Aleksandrychiev <ihor.aleksandrychiev@northern.tech>
Date: Tue, 6 Jan 2026 13:46:08 +0200
Subject: [PATCH] Fixed SELinux context on apachectl after template repair

Tiket: ENT-13638
Signed-off-by: Ihor Aleksandrychiev <ihor.aleksandrychiev@northern.tech>
---
 cfe_internal/enterprise/mission_portal.cf | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/cfe_internal/enterprise/mission_portal.cf b/cfe_internal/enterprise/mission_portal.cf
index 1647b74a6b..4b75aab016 100644
--- a/cfe_internal/enterprise/mission_portal.cf
+++ b/cfe_internal/enterprise/mission_portal.cf
@@ -175,7 +175,8 @@ bundle agent apachectl_patched_for_upgrade
         edit_template => "$(this.promise_dirname)/templates/apachectl.mustache",
         handle => "apachectl_content_pre_create_default_templated_files",
         template_method => "mustache",
-        template_data => parsejson( '{ "cfengine_enterprise_mission_portal_httpd_dir": "$(sys.workdir)/httpd" }');
+        template_data => parsejson( '{ "cfengine_enterprise_mission_portal_httpd_dir": "$(sys.workdir)/httpd" }'),
+        classes => results("bundle", "apachectl_file");
 
     _running_cfengine_version_where_templated_files_NOT_automatically_created::
       "$(sys.workdir)/httpd/bin/apachectl"
@@ -183,12 +184,19 @@ bundle agent apachectl_patched_for_upgrade
         edit_template => "$(this.promise_dirname)/templates/apachectl.mustache",
         handle => "apachectl_content_post_create_default_templated_files",
         template_method => "mustache",
-        template_data => parsejson( '{ "cfengine_enterprise_mission_portal_httpd_dir": "$(sys.workdir)/httpd" }');
+        template_data => parsejson( '{ "cfengine_enterprise_mission_portal_httpd_dir": "$(sys.workdir)/httpd" }'),
+        classes => results("bundle", "apachectl_file");
 
     cfengine::
       "$(sys.workdir)/httpd/bin/apachectl"
         handle => "apachectl_perms",
         perms => mog( "0755", "root", "root" );
+
+  commands:
+      # This only runs if apachectl touched (repaired) and restorecon path exists
+      apachectl_file_repaired.default:_stdlib_path_exists_restorecon::
+        "$(default:paths.restorecon) $(sys.workdir)/httpd/bin/apachectl"
+          comment => "Ensure the templated apachectl has the correct SELinux context.";
 }
 
 bundle agent cfe_internal_enterprise_mission_portal_apache