selinux: Allow ceph-mgr access to httpd dir 34458/head
authorBrad Hubbard <bhubbard@redhat.com>
Mon, 6 Apr 2020 23:35:06 +0000 (09:35 +1000)
committerBrad Hubbard <bhubbard@redhat.com>
Mon, 6 Apr 2020 23:58:30 +0000 (09:58 +1000)
ceph-mgr loads modules which require read access and this causes a
denial on el7.

Fixes: https://tracker.ceph.com/issues/44216
Signed-off-by: Brad Hubbard <bhubbard@redhat.com>
(cherry picked from commit 35a7fc8249337c3c59f0c561632abf578f5d20fc)

selinux/ceph.te

index 06db59c911a1f8801fc809d6ca96b01a2daccbd6..d805a6c9909e5b7f1e4ab7b7cb87ac314ebe12a2 100644 (file)
@@ -7,6 +7,7 @@ require {
        type urandom_device_t;
        type setfiles_t;
        type nvme_device_t;
+       type httpd_config_t;
        class sock_file unlink;
        class lnk_file read;
        class dir read;
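Review bot: Listing `type httpd_config_t;` in the `require` block makes the whole ceph policy module depend on another module declaring that type, so on a host where the apache policy is absent or disabled the module would presumably fail to load. The file already uses an interface macro (`fsadm_manage_pid(ceph_t)` further down), so the same grant could be written as `apache_search_config(ceph_t)` inside an `optional_policy` block, provided the base policy on the target releases ships that interface. That would remove the raw type requirement and keep the dependency soft. The `require` block begins and ends outside this hunk, so the surrounding declarations could not be checked.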
@@ -119,6 +120,8 @@ allow ceph_t self:process setpgid;
 allow ceph_t var_run_t:dir { write create add_name };
 allow ceph_t var_run_t:file { read write create open getattr };
 
+allow ceph_t httpd_config_t:dir search;
+
 fsadm_manage_pid(ceph_t)
 
 #============= setfiles_t ==============
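Review bot: The new `allow ceph_t httpd_config_t:dir search;` is attached to `ceph_t`, so every process running in that domain gains it, not only ceph-mgr as the title says. If the other Ceph daemons share `ceph_t`, the grant is wider than the denial requires and the rule should say so. The rule gives only `search`, while the description speaks of read access, so a comment above it should record the intent, e.g. `# ceph-mgr modules traverse the httpd config dir on el7 (tracker 44216); search only, no file read`. Keeping the grant at `search`, and adding `read`/`open` on `httpd_config_t` files only against a logged AVC denial, keeps the storage daemons out of web-server configuration contents.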