selinux: Allow ceph-mgr access to httpd dir

ceph-mgr loads modules which require read access and this causes a
denial on el7.

Fixes: https://tracker.ceph.com/issues/44216
Signed-off-by: Brad Hubbard <bhubbard@redhat.com>
(cherry picked from commit 35a7fc8249337c3c59f0c561632abf578f5d20fc)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 06db59c911a1f8801fc809d6ca96b01a2daccbd6..d805a6c9909e5b7f1e4ab7b7cb87ac314ebe12a2 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -7,6 +7,7 @@ require {
        type urandom_device_t;
        type setfiles_t;
        type nvme_device_t;
+       type httpd_config_t;
        class sock_file unlink;
        class lnk_file read;
        class dir read;
@@ -119,6 +120,8 @@ allow ceph_t self:process setpgid;
 allow ceph_t var_run_t:dir { write create add_name };
 allow ceph_t var_run_t:file { read write create open getattr };
 
+allow ceph_t httpd_config_t:dir search;
+
 fsadm_manage_pid(ceph_t)
 
 #============= setfiles_t ==============