selinux: Allow getattr access to /proc/kcore

Required for an fstat call in BlkDev::get_devid

Fixes: https://tracker.ceph.com/issues/40743
Signed-off-by: Brad Hubbard <bhubbard@redhat.com>

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 15f3e1c12e0fc8ee5053ab26262e2a0389a9ffd4..bcdafec7f1eacc08388d2dabffc214276a7c875e 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -13,6 +13,7 @@ require {
        type setfiles_t;
        type nvme_device_t;
        type httpd_config_t;
+       type proc_kcore_t;
        class sock_file unlink;
        class tcp_socket name_connect_t;
        class lnk_file { create getattr read unlink };
@@ -151,6 +152,8 @@ allow init_t ceph_t:process2 { nnp_transition nosuid_transition };
 
 allow ceph_t httpd_config_t:dir search;
 
+allow ceph_t proc_kcore_t:file getattr;
+
 fsadm_manage_pid(ceph_t)
 
 #============= setfiles_t ==============