selinux: Allow ceph-mgr access to httpd dir

ceph-mgr loads modules which require read access and this causes a
denial on el7.

Fixes: https://tracker.ceph.com/issues/44216
Signed-off-by: Brad Hubbard <bhubbard@redhat.com>

diff --git a/selinux/ceph.te b/selinux/ceph.te
index c3be384c56bae027dd762a70eedf354f21dd6326..12d4a2b05e03a96a616162a5d5f0dc4b3a22338c 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -12,6 +12,7 @@ require {
        type urandom_device_t;
        type setfiles_t;
        type nvme_device_t;
+       type httpd_config_t;
        class sock_file unlink;
        class tcp_socket name_connect_t;
        class lnk_file { create getattr read unlink };
@@ -147,6 +148,8 @@ allow ceph_t var_run_t:file { read write create open getattr };
 allow ceph_t init_var_run_t:file getattr;
 allow init_t ceph_t:process2 { nnp_transition nosuid_transition };
 
+allow ceph_t httpd_config_t:dir search;
+
 fsadm_manage_pid(ceph_t)
 
 #============= setfiles_t ==============