From: Boris Ranto Date: Mon, 13 Jun 2016 10:34:39 +0000 (+0200) Subject: selinux: allow chown for self and setattr for /var/run/ceph X-Git-Tag: v11.0.0~195^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=2a6c738abda35f540af6f9398406d4e49337c34d;p=ceph.git selinux: allow chown for self and setattr for /var/run/ceph Fixes: http://tracker.ceph.com/issues/16126 Signed-off-by: Boris Ranto
---
diff --git a/selinux/ceph.te b/selinux/ceph.te
index 52bb504bc0ec..0e85c84bfa67 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -84,8 +84,8 @@ logging_send_syslog_msg(ceph_t)
 sysnet_dns_name_resolve(ceph_t)
 # basis for future security review
-allow ceph_t ceph_var_run_t:sock_file { create unlink write };
-allow ceph_t self:capability sys_rawio;
+allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
+allow ceph_t self:capability { sys_rawio chown };
 allow ceph_t self:tcp_socket { accept listen };
 corenet_tcp_connect_cyphesis_port(ceph_t)
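Review bot: The new `allow ceph_t self:capability { sys_rawio chown };` grants CAP_CHOWN to every process in the `ceph_t` domain, and the only comment above it is the pre-existing `# basis for future security review`, so a later reviewer cannot tell which operation needs it. I would put a line directly above the two changed rules, e.g. `# chown + sock_file setattr: ownership changes on sockets under /var/run/ceph, see http://tracker.ceph.com/issues/16126`, wording to be confirmed against the AVC denials in that issue. The subject says "setattr for /var/run/ceph", but the rule adds `setattr` only for class `sock_file` on `ceph_var_run_t`; if the logged denial was for the directory itself (class `dir`), this rule does not cover it unless a rule elsewhere in `ceph.te` already does, which is not visible from this hunk. If the ownership change happens only at start-up, it is worth checking whether the capability can be confined to that step instead of staying on the long-running daemon domain.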