selinux: Allow ceph to execute ldconfig

The ceph-volume testing showed that the ceph daemons can run ldconfig in
a corner case when they are forbidden access to some files. This patch
allows ceph to execute ldconfig in Enforcing mode.

Fixes: https://tracker.ceph.com/issues/22302
Signed-off-by: Boris Ranto <branto@redhat.com>
(cherry picked from commit fa5071b6d7182f54cd7b1ffe171a4b006f5255cb)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 17a9e04cdb76e532bbdd5f32cad3664b1358ced6..a56eb6a55abc9ace03e5ede6d97f3513a2e8f326 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -105,6 +105,7 @@ fstools_exec(ceph_t)
 nis_use_ypbind_uncond(ceph_t)
 storage_raw_rw_fixed_disk(ceph_t)
 files_manage_generic_locks(ceph_t)
+libs_exec_ldconfig(ceph_t)
 
 allow ceph_t sysfs_t:dir read;
 allow ceph_t sysfs_t:file { read getattr open };