mirror of https://github.com/ceph/ceph
selinux: prepare for anon inode controls enablement
We plan to start labeling anon inodes (userfaultfd and io_uring file descriptors) properly in selinux-policy, which means that domains using these will need new rules. See: https://github.com/fedora-selinux/selinux-policy/pull/1351

Since ceph may optionally use io_uring, this patch adds the necessary interface call to its policy to avoid a regression. As the new interface call is put under a conditional, the policy package will be buildable against selinux-policy with or without the above PR merged, but it will need to be rebuilt against the updated selinux-policy to actually pick up the new rules.

I tested this on a minimal ceph cluster with 'bdev_ioring = true' added to ceph.conf. I got io_uring denials without this patch + with selinux-policy with PR#1351 and no denials with ceph rebuilt with this patch.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
parent 07bfcac5ea
commit 73218e291c
@ -75,6 +75,9 @@ manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
kernel_read_system_state(ceph_t)
kernel_read_network_state(ceph_t)
ifdef(`kernel_io_uring_use',`
kernel_io_uring_use(ceph_t)
')
allow ceph_t kernel_t:system module_request;
corenet_all_recvfrom_unlabeled(ceph_t)
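Review bot: the new `kernel_io_uring_use(ceph_t)` call grants io_uring access to every ceph_t process unconditionally, while the commit message says ceph only optionally uses io_uring (enabled via `bdev_ioring = true`); consider gating the call behind a boolean with `tunable_policy` so clusters that never enable io_uring keep the tighter default. Also add a short comment above the `ifdef(`kernel_io_uring_use',` block explaining that the rule is silently dropped when the build-time selinux-policy predates the interface, since a build against an older policy will otherwise succeed but lack the rule, which is easy to miss when debugging denials.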