From: Boris Ranto
Date: Tue, 8 Mar 2016 09:59:33 +0000 (+0100)
Subject: selinux: Allow to manage locks
X-Git-Tag: v10.1.0~95^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=5cd4ce517c2b1c930785f614cbeff661d7ca2624;p=ceph.git

selinux: Allow to manage locks

We currently create the ceph lock by an unconfined process (ceph-disk). Unconfined processes inherit the context from the parent directory. This allows ceph daemons to access the files with context inherited from the parent directory (/var/lock | /run/lock).

Signed-off-by: Boris Ranto
---

diff --git a/selinux/ceph.te b/selinux/ceph.te index e31f68118ec1..52bb504bc0ec 100644 --- a/selinux/ceph.te +++ b/selinux/ceph.te @@ -94,6 +94,7 @@ files_list_tmp(ceph_t) fstools_exec(ceph_t) nis_use_ypbind_uncond(ceph_t) storage_raw_rw_fixed_disk(ceph_t) +files_manage_generic_locks(ceph_t) allow ceph_t sysfs_t:dir read; allow ceph_t sysfs_t:file { read getattr open };
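
Review bot: The added files_manage_generic_locks(ceph_t) line, placed after storage_raw_rw_fixed_disk(ceph_t), is wider than the problem the commit message describes. The message is about one lock created by ceph-disk that picks up the label of /var/lock or /run/lock, but a manage permission on the generic lock label lets every ceph_t daemon create, modify and delete any other file that inherited that same label from the directory, including locks that belong to unrelated services. Consider giving the ceph lock its own type (a file context entry or a type transition on creation in the lock directory) and granting ceph_t access to that type only. If the generic interface stays, a comment beside the line naming the ceph-disk lock as the reason would help, since nothing in ceph.te itself explains why the domain needs generic lock management.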