ceph/selinux
Ondrej Mosnacek 73218e291c
selinux: prepare for anon inode controls enablement

We plan to start labeling anon inodes (userfaultfd and io_uring file
descriptors) properly in selinux-policy, which means that domains using
these will need new rules.

See: https://github.com/fedora-selinux/selinux-policy/pull/1351

Since ceph may optionally use io_uring, this patch adds the necessary
interface call to its policy to avoid a regression. As the new interface
call is put under a conditional, the policy package will be buildable
against selinux-policy with or without the above PR merged, but it will
need to be rebuilt against the updated selinux-policy to actually pick
up the new rules.

I tested this on a minimal ceph cluster with 'bdev_ioring = true' added
to ceph.conf. I got io_uring denials without this patch + with
selinux-policy with PR#1351 and no denials with ceph rebuilt with this
patch.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2022-08-29 14:42:44 +02:00
.gitignore
ceph.fc
ceph.if
ceph.te
CMakeLists.txt