14 Commits

Author SHA1 Message Date
Kefu Chai
af902ec962 cmake: enable selinux support
Signed-off-by: Kefu Chai <kchai@redhat.com>
2016-05-16 23:09:06 +08:00
Kefu Chai
788bbb55ed automake: use :: rule for adding target
Signed-off-by: Kefu Chai <kchai@redhat.com>
2016-05-03 10:35:28 +08:00
Boris Ranto
5cd4ce517c selinux: Allow to manage locks
We currently create the ceph lock by an unconfined process (ceph-disk).
Unconfined processes inherit the context from the parent directory.
This allows ceph daemons to access the files with context inherited
from the parent directory (/var/lock | /run/lock).

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-03-08 10:59:38 +01:00
Boris Ranto
519b03f4b0 selinux: allow dac_override capability
Fixes: #14870
Signed-off-by: Boris Ranto <branto@redhat.com>
2016-03-08 10:57:59 +01:00
Boris Ranto
bcf12049fb selinux: Allow log files to be located in /var/log/radosgw
We do suggest users to put their logs in /var/log/radosgw in the
documentation at times. We should also label that directory with
ceph_var_log_t so that ceph daemons can also write there.

The commit also updates the man page for this policy. This man page is
automatically generated by

* sepolicy manpage -p . -d ceph_t

and has not been reloaded in a while. Hence, it contains few more
changes than the new radosgw directory.

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-02-11 12:37:51 +01:00
Boris Ranto
bc48ef0fef selinux: Fix man page location
The SELinux man page was previously located in two places and the man
page that was supposed to be updated when rgw selinux changes were
proposed did not get updated properly. Fixing this by moving
selinux/ceph_selinux.8 to man/ceph_selinux.8. Also, populate EXTRA_DIST
with ceph_selinux.8.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-10-06 18:08:15 +02:00
Sage Weil
c1b28591a2 radosgw: log to /var/log/ceph instead of /var/log/radosgw
This is simpler.

Signed-off-by: Sage Weil <sage@redhat.com>
2015-09-15 18:05:59 -04:00
Boris Ranto
338bd3d177 selinux: Update policy for radosgw
The current SELinux policy does not cover radosgw daemon. This patch
introduces the SELinux support for radosgw daemon (civetweb only).

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-09-11 11:08:08 +02:00
Boris Ranto
736fe06235 selinux: Add .gitignore file
The gitbuilders release script needs this. Otherwise, the ceph-release
build will fail because there were some untracked files.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
73bf34d90f selinux: Update the SELinux policy rules
Few new denials were found while testing the policy. Updating the policy
rules to reflect that.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
03d7a65b94 SELinux Makefile can't work in parallel
We need to force single-core compilation of SELinux policy files in the
sub-make target as SELinux Makefile does not work properly when run in
parallel mode.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
bed5703367 selinux: Allow setuid and setgid to ceph-mon and ceph-osd
Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Milan Broz
d0fd8ffa40 Update selinux policy (after local test).
Changes generated with ceph-test package.

Signed-off-by: Milan Broz <mbroz@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
c52eb995e0 Add initial SELinux support
This patch modifies the build system and spec file to provide a support
for SELinux enforcing in an opt-in manner via ceph-selinux package.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:41 +02:00