selinux: Allow ceph to block suspend

author Boris Ranto <branto@redhat.com>

Wed, 11 Apr 2018 13:25:59 +0000 (15:25 +0200)

committer Kefu Chai <kchai@redhat.com>

Mon, 14 May 2018 10:49:46 +0000 (18:49 +0800)
author Boris Ranto <branto@redhat.com>
Wed, 11 Apr 2018 13:25:59 +0000 (15:25 +0200)
committer Kefu Chai <kchai@redhat.com>
Mon, 14 May 2018 10:49:46 +0000 (18:49 +0800)
diff --git a/selinux/ceph.te b/selinux/ceph.te

index 2dabd05c7f0ed1cb821a170de41ca45121844595..a56eb6a55abc9ace03e5ede6d97f3513a2e8f326 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -12,6 +12,7 @@ require {
         class dir read;
         class file { getattr read open };
         class blk_file { getattr ioctl open read write };
+       class capability2 block_suspend;
  }
  
  ########################################
@@ -46,6 +47,7 @@ allow ceph_t self:process { signal_perms };
  allow ceph_t self:fifo_file rw_fifo_file_perms;
  allow ceph_t self:unix_stream_socket create_stream_socket_perms;
  allow ceph_t self:capability { setuid setgid dac_override };
+allow ceph_t self:capability2 block_suspend;
  
  manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
  manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
author	Boris Ranto <branto@redhat.com>
	Wed, 11 Apr 2018 13:25:59 +0000 (15:25 +0200)
committer	Kefu Chai <kchai@redhat.com>
	Mon, 14 May 2018 10:49:46 +0000 (18:49 +0800)