Commit Graph

15 Commits

Author SHA1 Message Date
Boris Ranto
394c26adb9 selinux: Allow getattr on lnk sysfs files
This showed up during downstream testing for luminous. We are doing
getattr on the sysfs lnk files and the current policy does not allow
this.

Signed-off-by: Boris Ranto <branto@redhat.com>
2017-09-21 17:24:10 +02:00
Boris Ranto
a8af61c8da selinux: Allow nvme devices
This commit allows nvme devices which use a different label than
standard block devices.

Fixes: http://tracker.ceph.com/issues/19200
Signed-off-by: Boris Ranto <branto@redhat.com>
2017-08-14 13:24:48 +02:00
Boris Ranto
899adbf55c selinux: Allow read on var_run_t
Fixes: http://tracker.ceph.com/issues/16674
Signed-off-by: Boris Ranto <branto@redhat.com>
2017-06-06 21:27:58 +02:00
Boris Ranto
dfd6880071 selinux: Allow ceph daemons to read net stats
Fixes: http://tracker.ceph.com/issues/19254

Signed-off-by: Boris Ranto <branto@redhat.com>
2017-03-13 17:51:48 +01:00
Boris Ranto
f8a0e201ee selinux: Allow ceph to manage tmp files
Two new denials showed up in testing that relate to ceph trying to
manage (rename and unlink) tmp files. This commit allows ceph to manage
the files.

Fixes: http://tracker.ceph.com/issues/17436

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-09-29 15:02:23 +02:00
Kefu Chai
b05b41e3ca selinux: allow read /proc/<pid>/cmdline
we read /proc/<pid>/cmdline to figure out who is terminating us.

Fixes: http://tracker.ceph.com/issues/16675
Signed-off-by: Kefu Chai <kchai@redhat.com>
2016-07-19 11:35:34 +08:00
Boris Ranto
2a6c738abd selinux: allow chown for self and setattr for /var/run/ceph
Fixes: http://tracker.ceph.com/issues/16126

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-06-13 12:35:19 +02:00
Boris Ranto
5cd4ce517c selinux: Allow to manage locks
We currently create the ceph lock by an unconfined process (ceph-disk).
Unconfined processes inherit the context from the parrent directory.
This allows ceph daemons to access the files with context inherrited
from the parent directory (/var/lock | /run/lock).

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-03-08 10:59:38 +01:00
Boris Ranto
519b03f4b0 selinux: allow dac_override capability
Fixes: #14870
Signed-off-by: Boris Ranto <branto@redhat.com>
2016-03-08 10:57:59 +01:00
Boris Ranto
bcf12049fb selinux: Allow log files to be located in /var/log/radosgw
We do suggest users to put their logs in /var/log/radosgw in the
documentation at times. We should also label that directory with
ceph_var_log_t so that ceph daemons can also write there.

The commit also updates the man page for this policy. This man page is
automatically generated by

* sepolicy manpage -p . -d ceph_t

and have not been reloaded in a while. Hence, it contains few more
changes than the new radosgw directory.

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-02-11 12:37:51 +01:00
Boris Ranto
338bd3d177 selinux: Update policy for radosgw
The current SELinux policy does not cover radosgw daemon. This patch
introduces the SELinux support for radosgw daemon (civetweb only).

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-09-11 11:08:08 +02:00
Boris Ranto
73bf34d90f selinux: Update the SELinux policy rules
Few new denials were found while testing the policy. Updating the policy
rules to refelct that.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
bed5703367 selinux: Allow setuid and setgid to ceph-mon and ceph-osd
Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Milan Broz
d0fd8ffa40 Update selinux policy (after local test).
Changes enerated with ceph-test package.

Signed-off-by: Milan Broz <mbroz@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
c52eb995e0 Add initial SELinux support
This patch modifies the build system and spec file to provide a support
for SELinux enforcing in an opt-in matter via ceph-selinux package.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:41 +02:00