mirror of https://github.com/ceph/ceph
73218e291c
We plan to start labeling anon inodes (userfaultfd and io_uring file descriptors) properly in selinux-policy, which means that domains using these will need new rules. See: https://github.com/fedora-selinux/selinux-policy/pull/1351 Since ceph may optionally use io_uring, this patch adds the necessary interface call to its policy to avoid a regression. As the new interface call is put under a conditional, the policy package will be buildable against selinux-policy with or without the above PR merged, but it will need to be rebuilt against the updated selinux-policy to actually pick up the new rules. I tested this on a minimal ceph cluster with 'bdev_ioring = true' added to ceph.conf. I got io_uring denials without this patch + with selinux-policy with PR#1351 and no denials with ceph rebuilt with this patch. Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com> |
||
|---|---|---|
| .. | ||
| .gitignore | ||
| CMakeLists.txt | ||
| ceph.fc | ||
| ceph.if | ||
| ceph.te | ||