policy_module(ceph, 1.0.0)
+require {
+ type sysfs_t;
+ type var_run_t;
+ type random_device_t;
+ type setfiles_t;
+ class sock_file unlink;
+ class lnk_file read;
+ class dir read;
+ class file { getattr read open };
+}
+
########################################
#
# Declarations
allow ceph_t self:process { signal_perms };
allow ceph_t self:fifo_file rw_fifo_file_perms;
allow ceph_t self:unix_stream_socket create_stream_socket_perms;
+# not needed at the moment, for future releases, not needed at all if we switch to systemd init scripts
allow ceph_t self:capability { setuid setgid };
manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
fstools_exec(ceph_t)
nis_use_ypbind_uncond(ceph_t)
storage_raw_rw_fixed_disk(ceph_t)
+
+# added 2015-07-28, needs review just as well
+allow ceph_t ceph_var_run_t:sock_file unlink;
+allow ceph_t sysfs_t:dir read;
+allow ceph_t sysfs_t:file { read getattr open };
+allow ceph_t sysfs_t:lnk_file read;
+
+
+allow ceph_t random_device_t:chr_file getattr;
+allow ceph_t self:process setpgid;
+allow ceph_t var_run_t:dir { write create add_name };
+allow ceph_t var_run_t:file { write create open getattr };
+
+fsadm_manage_pid(ceph_t)
+
+#============= setfiles_t ==============
+allow setfiles_t ceph_var_lib_t:file write;
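Review bot: Lines 35–36 grant ceph_t `write`/`create` on the generic `var_run_t` type instead of on the module's own `ceph_var_run_t` (which line 27 shows already exists), so the daemon can create and write unlabeled files anywhere under /run; that denial is the usual sign that the files it creates get no type transition, and the refpolicy fix is `files_pid_filetrans(ceph_t, ceph_var_run_t, { dir file sock_file })` plus `manage_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)` (and the sock_file/dir equivalents), which also subsumes the one-off `sock_file unlink` rule on line 27. The same reasoning applies to the `sysfs_t` and `random_device_t` rules and the bare `require` block on lines 2–11: refpolicy provides interfaces for these (e.g. `dev_read_sysfs(ceph_t)`, and the `dev_*_rand_dev` family — confirm exact names against the installed devices.if), and using them keeps the module from hard-coding types it does not own. Line 41 gives `setfiles_t` write access to `ceph_var_lib_t` files, which a relabeling tool should not need; that looks like mislabeled content or audit2allow noise and should be investigated (or `dontaudit`ed) rather than allowed. Line 20 keeps `setuid setgid` even though the comment on line 19 says they are not needed; unused capabilities should be removed rather than carried forward.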