selinux: allow chown for self and setattr for /var/run/ceph

author Boris Ranto <branto@redhat.com>

Mon, 13 Jun 2016 10:34:39 +0000 (12:34 +0200)

committer Boris Ranto <branto@redhat.com>

Mon, 13 Jun 2016 10:35:19 +0000 (12:35 +0200)
author Boris Ranto <branto@redhat.com>
Mon, 13 Jun 2016 10:34:39 +0000 (12:34 +0200)
committer Boris Ranto <branto@redhat.com>
Mon, 13 Jun 2016 10:35:19 +0000 (12:35 +0200)
diff --git a/selinux/ceph.te b/selinux/ceph.te

index 52bb504bc0ec5c4ba6ee406778309c3372fcdb78..0e85c84bfa6781b901c2fec9e901b5c5ff80e4c9 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -84,8 +84,8 @@ logging_send_syslog_msg(ceph_t)
  sysnet_dns_name_resolve(ceph_t)
  
  # basis for future security review
-allow ceph_t ceph_var_run_t:sock_file { create unlink write };
-allow ceph_t self:capability sys_rawio;
+allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
+allow ceph_t self:capability { sys_rawio chown };
  
  allow ceph_t self:tcp_socket { accept listen };
  corenet_tcp_connect_cyphesis_port(ceph_t)
author	Boris Ranto <branto@redhat.com>
	Mon, 13 Jun 2016 10:34:39 +0000 (12:34 +0200)
committer	Boris Ranto <branto@redhat.com>
	Mon, 13 Jun 2016 10:35:19 +0000 (12:35 +0200)