Merge pull request #7604 from ceph/wip-selinux-update-radosgw-log

selinux: allow log files to be located in /var/log/radosgw Reviewed-by: Sage Weil <sage@redhat.com>
2025-02-06 10:23:52 +00:00 · 2016-02-11 08:37:50 -05:00 · 2016-02-11 08:37:50 -05:00 · 62ecb28ff2
commit 62ecb28ff2
parent 4056ee298a bcf12049fb
4 changed files with 56 additions and 4 deletions
--- a/ceph.spec.in
+++ b/ceph.spec.in
@ -46,7 +46,8 @@ restorecon -R /etc/rc\.d/init\.d/ceph > /dev/null 2>&1; \
 restorecon -R /etc/rc\.d/init\.d/radosgw > /dev/null 2>&1; \
 restorecon -R /var/run/ceph > /dev/null 2>&1; \
 restorecon -R /var/lib/ceph > /dev/null 2>&1; \
-restorecon -R /var/log/ceph > /dev/null 2>&1;
+restorecon -R /var/log/ceph > /dev/null 2>&1; \
+restorecon -R /var/log/radosgw > /dev/null 2>&1;
 %endif

 %{!?_udevrulesdir: %global _udevrulesdir /lib/udev/rules.d}
--- a/man/ceph_selinux.8
+++ b/man/ceph_selinux.8
@ -1,4 +1,4 @@
-.TH  "ceph_selinux"  "8"  "15-08-10" "ceph" "SELinux Policy ceph"
+.TH  "ceph_selinux"  "8"  "16-02-11" "ceph" "SELinux Policy ceph"
 .SH "NAME"
 ceph_selinux \- Security Enhanced Linux Policy for the ceph processes
 .SH "DESCRIPTION"
@ -170,6 +170,8 @@ The SELinux process type ceph_t can manage files labeled with the following file

 	/var/log/ceph(/.*)?
 .br
+	/var/log/radosgw(/.*)?
+.br

 .br
 .B ceph_var_lib_t
@ -237,6 +239,36 @@ The SELinux process type ceph_t can manage files labeled with the following file
 	/var/run/blkid(/.*)?
 .br

+.br
+.B initrc_tmp_t
+
+
+.br
+.B mnt_t
+
+	/mnt(/[^/]*)?
+.br
+	/mnt(/[^/]*)?
+.br
+	/rhev(/[^/]*)?
+.br
+	/media(/[^/]*)?
+.br
+	/media(/[^/]*)?
+.br
+	/media/\.hal-.*
+.br
+	/var/run/media(/[^/]*)?
+.br
+	/net
+.br
+	/afs
+.br
+	/rhev
+.br
+	/misc
+.br
+
 .br
 .B root_t

@ -245,6 +277,24 @@ The SELinux process type ceph_t can manage files labeled with the following file
 	/initrd
 .br

+.br
+.B tmp_t
+
+	/sandbox(/.*)?
+.br
+	/tmp
+.br
+	/usr/tmp
+.br
+	/var/tmp
+.br
+	/tmp-inst
+.br
+	/var/tmp-inst
+.br
+	/var/tmp/vi\.recover
+.br
+
 .br
 .B var_run_t

@ -319,7 +369,7 @@ Paths:
 .br
 .TP 5
 Paths:
-/var/log/ceph(/.*)?
+/var/log/ceph(/.*)?, /var/log/radosgw(/.*)?

 .EX
 .PP
--- a/selinux/ceph.fc
+++ b/selinux/ceph.fc
@ -9,5 +9,6 @@
 /var/lib/ceph(/.*)?		gen_context(system_u:object_r:ceph_var_lib_t,s0)

 /var/log/ceph(/.*)?		gen_context(system_u:object_r:ceph_log_t,s0)
+/var/log/radosgw(/.*)?		gen_context(system_u:object_r:ceph_log_t,s0)

 /var/run/ceph(/.*)?		gen_context(system_u:object_r:ceph_var_run_t,s0)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@ -1,4 +1,4 @@
-policy_module(ceph, 1.1.0)
+policy_module(ceph, 1.1.1)

 require {
 	type sysfs_t;