selinux: Allow ceph to manage tmp files

Two new denials showed up in testing that relate to ceph trying to
manage (rename and unlink) tmp files. This commit allows ceph to manage
the files.

Fixes: http://tracker.ceph.com/issues/17436
Signed-off-by: Boris Ranto <branto@redhat.com>
(cherry picked from commit f8a0e201ee54759695ef44f7ed98b3b9705fafe3)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 0e85c84bfa6781b901c2fec9e901b5c5ff80e4c9..d9927aea246dc5fc728f711dd5cf03d9a338d4a7 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -91,6 +91,7 @@ allow ceph_t self:tcp_socket { accept listen };
 corenet_tcp_connect_cyphesis_port(ceph_t)
 corenet_tcp_connect_generic_port(ceph_t)
 files_list_tmp(ceph_t)
+files_manage_generic_tmp_files(ceph_t)
 fstools_exec(ceph_t)
 nis_use_ypbind_uncond(ceph_t)
 storage_raw_rw_fixed_disk(ceph_t)