selinux: Allow getattr on lnk sysfs files

This showed up during downstream testing for luminous. We are doing
getattr on the sysfs lnk files and the current policy does not allow
this.

Fixes: http://tracker.ceph.com/issues/21523
Signed-off-by: Boris Ranto <branto@redhat.com>
(cherry picked from commit 394c26adb97cd150233fe8760355f486d03624a4)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 552f73601cd9262e83c59bfc9c6876e6f5c8d085..0a9349803b12831eb72b266d4e74d5ac38c3e98a 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -106,7 +106,7 @@ files_manage_generic_locks(ceph_t)
 
 allow ceph_t sysfs_t:dir read;
 allow ceph_t sysfs_t:file { read getattr open };
-allow ceph_t sysfs_t:lnk_file read;
+allow ceph_t sysfs_t:lnk_file { read getattr };
 
 allow ceph_t random_device_t:chr_file getattr;
 allow ceph_t urandom_device_t:chr_file getattr;