selinux: Fix ceph-iscsi etc access 34694/head
authorMike Christie <mchristi@redhat.com>
Thu, 9 Jan 2020 00:37:15 +0000 (18:37 -0600)
committerMike Christie <mchristi@redhat.com>
Wed, 22 Apr 2020 16:52:02 +0000 (11:52 -0500)
This fixes the selinux errors like this for /etc/target

-----------------------------------
Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:targetd_etc_rw_t:s0
Target Objects                target [ dir ]
Source                        rbd-target-api
Source Path                   rbd-target-api
Port                          <Unknown>
Host                          ans8
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ans8
Platform                      Linux ans8 4.18.0-147.el8.x86_64 #1 SMP
Thu Sep 26
                              15:52:44 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2020-01-08 18:39:48 EST
Last Seen                     2020-01-08 18:39:48 EST
Local ID                      9a13ee18-eaf2-4f2a-872f-2809ee4928f6

Raw Audit Messages
type=AVC msg=audit(1578526788.148:69): avc:  denied  { search } for
pid=995 comm="rbd-target-api" name="target" dev="sda1" ino=52198
scontext=system_u:system_r:ceph_t:s0
tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=1

Hash: rbd-target-api,ceph_t,targetd_etc_rw_t,dir,search

which are caused by the rtslib library that the ceph-iscsi daemons use
accessing /etc/target to read and write the file in which the target
stores its metadata.

Signed-off-by: Mike Christie <mchristi@redhat.com>
selinux/ceph.te

index babfccc0cbe23ee9b6e770233f5dfc76d4b0b81e..c706c0c29910a541671143486d5eddbcab5e021a 100644 (file)
@@ -13,6 +13,7 @@ require {
        type urandom_device_t;
        type setfiles_t;
        type nvme_device_t;
+       type targetd_etc_rw_t;
        class sock_file unlink;
        class tcp_socket name_connect_t;
        class lnk_file { create getattr read unlink };
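Review bot: The new `type targetd_etc_rw_t;` sits in the unconditional `require` block, so the whole ceph module will refuse to load on any system whose policy does not define that type; if the type is declared by the targetd policy module rather than by base policy (which is how I read its name, but I cannot confirm from this hunk), a missing optional module becomes a broken ceph policy. The neighbouring entries (`urandom_device_t`, `nvme_device_t`, `setfiles_t`) look like base-policy types, so this would be the first external-module dependency in the block. Consider moving the declaration together with the rule that uses it into an `optional_policy(` … `)` block wrapping `gen_require(` `type targetd_etc_rw_t;` `)`, so the iscsi rule is simply skipped where the type is absent, and record the minimum selinux-policy version that ships it. The `require` block itself starts before this hunk.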
@@ -150,6 +151,8 @@ allow ceph_t var_run_t:file { read write create open getattr };
 allow ceph_t init_var_run_t:file getattr;
 allow init_t ceph_t:process2 { nnp_transition nosuid_transition };
 
+allow ceph_t targetd_etc_rw_t:dir { getattr search };
+
 fsadm_manage_pid(ceph_t)
 
 #============= setfiles_t ==============
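Review bot: The added rule grants `ceph_t` only `getattr search` on `targetd_etc_rw_t` directories, yet the commit message says rtslib reads and writes a file under /etc/target; if that file carries the same `targetd_etc_rw_t` label, `ceph_t` will still be denied `open`/`read`/`write` on it once the directory search succeeds. The AVC quoted above was recorded with `permissive=1`, so a single logged denial does not show that the directory rule alone is sufficient. Either add the file-class access rtslib actually needs, e.g. `allow ceph_t targetd_etc_rw_t:file { getattr open read write create };` (trimmed to whatever an enforcing-mode run shows), or state in a comment why directory search is enough. A one-line comment above the rule naming the consumer, `# rtslib (ceph-iscsi) keeps the target config under /etc/target`, would also help whoever audits this policy next.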