This showed up during downstream testing for luminous. We are doing
getattr on the sysfs lnk files and the current policy does not allow
this.
Signed-off-by: Boris Ranto <branto@redhat.com>
This commit allows nvme devices which use a different label than
standard block devices.
Fixes: http://tracker.ceph.com/issues/19200
Signed-off-by: Boris Ranto <branto@redhat.com>
Two new denials showed up in testing that relate to ceph trying to
manage (rename and unlink) tmp files. This commit allows ceph to manage
the files.
Fixes: http://tracker.ceph.com/issues/17436
Signed-off-by: Boris Ranto <branto@redhat.com>
we read /proc/<pid>/cmdline to figure out who is terminating us.
Fixes: http://tracker.ceph.com/issues/16675
Signed-off-by: Kefu Chai <kchai@redhat.com>
We currently create the ceph lock by an unconfined process (ceph-disk).
Unconfined processes inherit the context from the parrent directory.
This allows ceph daemons to access the files with context inherrited
from the parent directory (/var/lock | /run/lock).
Signed-off-by: Boris Ranto <branto@redhat.com>
We do suggest users to put their logs in /var/log/radosgw in the
documentation at times. We should also label that directory with
ceph_var_log_t so that ceph daemons can also write there.
The commit also updates the man page for this policy. This man page is
automatically generated by
* sepolicy manpage -p . -d ceph_t
and have not been reloaded in a while. Hence, it contains few more
changes than the new radosgw directory.
Signed-off-by: Boris Ranto <branto@redhat.com>
The current SELinux policy does not cover radosgw daemon. This patch
introduces the SELinux support for radosgw daemon (civetweb only).
Signed-off-by: Boris Ranto <branto@redhat.com>
This patch modifies the build system and spec file to provide a support
for SELinux enforcing in an opt-in matter via ceph-selinux package.
Signed-off-by: Boris Ranto <branto@redhat.com>