From: Boris Ranto Date: Thu, 25 Jan 2018 15:31:30 +0000 (+0100) Subject: selinux: Allow ceph to execute ldconfig X-Git-Tag: v13.1.1~24^2~1 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3528bdf7559c1736d6a72ad991d7a1a608d73bd3;p=ceph.git selinux: Allow ceph to execute ldconfig The ceph-volume testing showed that the ceph daemons can run ldconfig in a corner case when they are forbidden access to some files. This patch allows ceph to execute ldconfig in Enforcing mode. Fixes: https://tracker.ceph.com/issues/22302 Signed-off-by: Boris Ranto (cherry picked from commit fa5071b6d7182f54cd7b1ffe171a4b006f5255cb) --- diff --git a/selinux/ceph.te b/selinux/ceph.te index 0a9349803b12..2dabd05c7f0e 100644 --- a/selinux/ceph.te +++ b/selinux/ceph.te @@ -103,6 +103,7 @@ fstools_exec(ceph_t) nis_use_ypbind_uncond(ceph_t) storage_raw_rw_fixed_disk(ceph_t) files_manage_generic_locks(ceph_t) +libs_exec_ldconfig(ceph_t) allow ceph_t sysfs_t:dir read; allow ceph_t sysfs_t:file { read getattr open };
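Review bot: The added `libs_exec_ldconfig(ceph_t)` line in the `@@ -103,6 +103,7 @@` hunk of selinux/ceph.te has no comment explaining why the ceph daemon domain needs to execute ldconfig. The commit message only mentions "a corner case when they are forbidden access to some files", without naming the files or the code path that runs ldconfig. Suggest adding a one-line comment above the rule that references https://tracker.ceph.com/issues/22302, and stating in the commit message which access is denied, so a later reader can judge whether the rule is still needed once that denial is understood. It is also worth confirming that executing ldconfig in the caller's domain is intended. In the SELinux reference policy this interface runs ldconfig without a domain transition, so it runs with the permissions of ceph_t, whereas `libs_domtrans_ldconfig` would run it in ldconfig's own domain.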