From: Brad Hubbard
Date: Wed, 8 Apr 2020 04:49:04 +0000 (+1000)
Subject: selinux: Allow getattr access to /proc/kcore
X-Git-Tag: v14.2.10~85^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=1c99acbb4e920e169a7eea1f8b55bbdfcf9725ca;p=ceph.git
selinux: Allow getattr access to /proc/kcore
Required for an fstat call in BlkDev::get_devid
Fixes: https://tracker.ceph.com/issues/40743
Signed-off-by: Brad Hubbard
---
diff --git a/selinux/ceph.te b/selinux/ceph.te
index 15f3e1c12e0f..bcdafec7f1ea 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -13,6 +13,7 @@ require {
 type setfiles_t;
 type nvme_device_t;
 type httpd_config_t;
+ type proc_kcore_t;
 class sock_file unlink;
 class tcp_socket name_connect_t;
 class lnk_file { create getattr read unlink };
@@ -151,6 +152,8 @@ allow init_t ceph_t:process2 { nnp_transition nosuid_transition };
 allow ceph_t httpd_config_t:dir search;
+allow ceph_t proc_kcore_t:file getattr;
+
 fsadm_manage_pid(ceph_t)
 #============= setfiles_t ==============
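Review bot: The new `allow ceph_t proc_kcore_t:file getattr;` rule in the second hunk has no comment explaining why ceph_t needs to stat /proc/kcore, so the rationale given in the commit message (an fstat call in BlkDev::get_devid) is lost when the policy is read on its own. I would add `# fstat() in BlkDev::get_devid needs getattr only; do not widen to read/open` directly above it, because proc_kcore_t labels a view of kernel memory and the permission set should stay as narrow as it is here. As a style point, the file already uses an interface call (`fsadm_manage_pid(ceph_t)`), and the reference policy's `kernel_getattr_core_if(ceph_t)` looks like it would grant roughly the same access without the extra `type proc_kcore_t;` line in the require block; whether it exists on every targeted policy version needs confirming. If the fstat result on that file is not actually used, `kernel_dontaudit_getattr_core_if(ceph_t)` may be the tighter choice, but that cannot be judged from this hunk.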