selinux: Fix ceph-iscsi etc access

This fixes the selinux errors like this for /etc/target

-----------------------------------
Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:targetd_etc_rw_t:s0
Target Objects                target [ dir ]
Source                        rbd-target-api
Source Path                   rbd-target-api
Port                          <Unknown>
Host                          ans8
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ans8
Platform                      Linux ans8 4.18.0-147.el8.x86_64 #1 SMP
Thu Sep 26
                              15:52:44 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2020-01-08 18:39:48 EST
Last Seen                     2020-01-08 18:39:48 EST
Local ID                      9a13ee18-eaf2-4f2a-872f-2809ee4928f6

Raw Audit Messages
type=AVC msg=audit(1578526788.148:69): avc:  denied  { search } for
pid=995 comm="rbd-target-api" name="target" dev="sda1" ino=52198
scontext=system_u:system_r:ceph_t:s0
tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=1

Hash: rbd-target-api,ceph_t,targetd_etc_rw_t,dir,search

which are a result of the rtslib library the ceph-iscsi daemons use
accessing /etc/target to read/write a file which stores meta data the
target uses.

Signed-off-by: Mike Christie <mchristi@redhat.com>
(cherry picked from commit 53be18165323a80895a34185df4ad9e8d37db618)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 8c5d7366cbdf5d0bba6e6c6a8ee4b5286b4e955f..77d35d9714b60cca17b18cc8fe868bbea397716d 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -13,6 +13,7 @@ require {
        type urandom_device_t;
        type setfiles_t;
        type nvme_device_t;
+       type targetd_etc_rw_t;
        type amqp_port_t;
        type soundd_port_t;
        class sock_file unlink;
@@ -154,6 +155,8 @@ allow ceph_t var_run_t:file { read write create open getattr };
 allow ceph_t init_var_run_t:file getattr;
 allow init_t ceph_t:process2 { nnp_transition nosuid_transition };
 
+allow ceph_t targetd_etc_rw_t:dir { getattr search };
+
 fsadm_manage_pid(ceph_t)
 
 #============= setfiles_t ==============