selinux: Additional policy changes

author Boris Ranto <branto@redhat.com>

Mon, 26 Jun 2017 20:12:20 +0000 (22:12 +0200)

committer Boris Ranto <branto@redhat.com>

Tue, 27 Jun 2017 09:10:04 +0000 (11:10 +0200)
author Boris Ranto <branto@redhat.com>
Mon, 26 Jun 2017 20:12:20 +0000 (22:12 +0200)
committer Boris Ranto <branto@redhat.com>
Tue, 27 Jun 2017 09:10:04 +0000 (11:10 +0200)
diff --git a/selinux/cephmetrics.te b/selinux/cephmetrics.te

index f7d39cb3bfda42f8c00db785de7b44d9293743e7..f0e7add663d0c7a78dee04e008989b11be596529 100644 (file)
--- a/selinux/cephmetrics.te
+++ b/selinux/cephmetrics.te
@@ -4,18 +4,19 @@ require {
         type collectd_t;
         type ceph_t;
         type ceph_var_run_t;
+       type ceph_var_lib_t;
         class unix_stream_socket connectto;
         class dir read;
+       class file getattr;
         class capability2 block_suspend;
  }
  
  #============= collectd_t ==============
  
-#!!!! The file '/run/ceph/ceph-mon.node1.asok' is mislabeled on your system.  
-#!!!! Fix with $ restorecon -R -v /run/ceph/ceph-mon.node1.asok
  #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
  allow collectd_t ceph_t:unix_stream_socket connectto;
  allow collectd_t ceph_var_run_t:dir read;
+allow collectd_t ceph_var_lib_t:file getattr;
  allow collectd_t self:capability2 block_suspend;
  allow collectd_t var_log_t:dir { add_name write };
  allow collectd_t var_log_t:file create;
author	Boris Ranto <branto@redhat.com>
	Mon, 26 Jun 2017 20:12:20 +0000 (22:12 +0200)
committer	Boris Ranto <branto@redhat.com>
	Tue, 27 Jun 2017 09:10:04 +0000 (11:10 +0200)