We hit a couple more SELinux denials when running ceph on RHEL8. The
dac_read_search change is related to a kernel change where it checks
dac_read_search before dac_override, now.
Signed-off-by: Boris Ranto <branto@redhat.com>
This adds selinux support for the ceph iscsi daemons under the ceph
github:
ceph-iscsi-config - rbd-target-gw
ceph-iscsi-cli - rbd-target-api
We use tcmu-runner, but that will go into the core policy to avoid
conflicts with gluster and distro bases.
This requires the patches:
https://github.com/ceph/ceph-iscsi-config/pull/90https://github.com/ceph/ceph-iscsi-cli/pull/134
Signed-off-by: Mike Christie <mchristi@redhat.com>
The ceph-volume testing showed that the ceph daemons can run ldconfig in
a corner case when they are forbidden access to some files. This patch
allows ceph to execute ldconfig in Enforcing mode.
Fixes: https://tracker.ceph.com/issues/22302
Signed-off-by: Boris Ranto <branto@redhat.com>
This showed up during downstream testing for luminous. We are doing
getattr on the sysfs lnk files and the current policy does not allow
this.
Signed-off-by: Boris Ranto <branto@redhat.com>
This commit allows nvme devices which use a different label than
standard block devices.
Fixes: http://tracker.ceph.com/issues/19200
Signed-off-by: Boris Ranto <branto@redhat.com>
Two new denials showed up in testing that relate to ceph trying to
manage (rename and unlink) tmp files. This commit allows ceph to manage
the files.
Fixes: http://tracker.ceph.com/issues/17436
Signed-off-by: Boris Ranto <branto@redhat.com>
we read /proc/<pid>/cmdline to figure out who is terminating us.
Fixes: http://tracker.ceph.com/issues/16675
Signed-off-by: Kefu Chai <kchai@redhat.com>
We currently create the ceph lock by an unconfined process (ceph-disk).
Unconfined processes inherit the context from the parrent directory.
This allows ceph daemons to access the files with context inherrited
from the parent directory (/var/lock | /run/lock).
Signed-off-by: Boris Ranto <branto@redhat.com>
We do suggest users to put their logs in /var/log/radosgw in the
documentation at times. We should also label that directory with
ceph_var_log_t so that ceph daemons can also write there.
The commit also updates the man page for this policy. This man page is
automatically generated by
* sepolicy manpage -p . -d ceph_t
and have not been reloaded in a while. Hence, it contains few more
changes than the new radosgw directory.
Signed-off-by: Boris Ranto <branto@redhat.com>
The current SELinux policy does not cover radosgw daemon. This patch
introduces the SELinux support for radosgw daemon (civetweb only).
Signed-off-by: Boris Ranto <branto@redhat.com>
This patch modifies the build system and spec file to provide a support
for SELinux enforcing in an opt-in matter via ceph-selinux package.
Signed-off-by: Boris Ranto <branto@redhat.com>
