selinux: Allow nvme devices

This commit allows nvme devices which use a different label than
standard block devices.

Fixes: http://tracker.ceph.com/issues/19200
Signed-off-by: Boris Ranto <branto@redhat.com>
(cherry picked from commit a8af61c8da9028adc13f7aea611d5a5fee9dbfd1)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 272947d1e44d59538edde5a8cc26051a1c9ec561..552f73601cd9262e83c59bfc9c6876e6f5c8d085 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -5,11 +5,13 @@ require {
        type var_run_t;
        type random_device_t;
        type urandom_device_t;
-        type setfiles_t;
+       type setfiles_t;
+       type nvme_device_t;
        class sock_file unlink;
        class lnk_file read;
        class dir read;
        class file { getattr read open };
+       class blk_file { getattr ioctl open read write };
 }
 
 ########################################
@@ -86,6 +88,8 @@ logging_send_syslog_msg(ceph_t)
 
 sysnet_dns_name_resolve(ceph_t)
 
+allow ceph_t nvme_device_t:blk_file { getattr ioctl open read write };
+
 # basis for future security review
 allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
 allow ceph_t self:capability { sys_rawio chown };