selinux: Allow to manage locks

We currently create the ceph lock by an unconfined process (ceph-disk). Unconfined processes inherit the context from the parrent directory. This allows ceph daemons to access the files with context inherrited from the parent directory (/var/lock | /run/lock). Signed-off-by: Boris Ranto <branto@redhat.com>
2025-02-22 02:27:29 +00:00 · 2016-03-08 10:59:33 +01:00 · 2016-03-08 10:59:33 +01:00 · 5cd4ce517c
commit 5cd4ce517c
parent 519b03f4b0
1 changed files with 1 additions and 0 deletions
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@ -94,6 +94,7 @@ files_list_tmp(ceph_t)
 fstools_exec(ceph_t)
 nis_use_ypbind_uncond(ceph_t)
 storage_raw_rw_fixed_disk(ceph_t)
+files_manage_generic_locks(ceph_t)

 allow ceph_t sysfs_t:dir read;
 allow ceph_t sysfs_t:file { read getattr open };