From: Boris Ranto Date: Thu, 29 Sep 2016 10:08:39 +0000 (+0200) Subject: selinux: Allow ceph to manage tmp files X-Git-Tag: v10.2.6~14^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=67e7a904373ee0863ca21eaa7da6edd559bb463d;p=ceph.git selinux: Allow ceph to manage tmp files Two new denials showed up in testing that relate to ceph trying to manage (rename and unlink) tmp files. This commit allows ceph to manage the files. Fixes: http://tracker.ceph.com/issues/17436 Signed-off-by: Boris Ranto (cherry picked from commit f8a0e201ee54759695ef44f7ed98b3b9705fafe3) --- diff --git a/selinux/ceph.te b/selinux/ceph.te index 0e85c84bfa67..d9927aea246d 100644 --- a/selinux/ceph.te +++ b/selinux/ceph.te @@ -91,6 +91,7 @@ allow ceph_t self:tcp_socket { accept listen }; corenet_tcp_connect_cyphesis_port(ceph_t) corenet_tcp_connect_generic_port(ceph_t) files_list_tmp(ceph_t) +files_manage_generic_tmp_files(ceph_t) fstools_exec(ceph_t) nis_use_ypbind_uncond(ceph_t) storage_raw_rw_fixed_disk(ceph_t)
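Review bot: The added `files_manage_generic_tmp_files(ceph_t)` line in the `@@ -91,6 +91,7 @@` hunk of selinux/ceph.te grants more than the commit message justifies. The message names two denials, rename and unlink, but this interface gives ceph_t full manage rights (create, read, write, rename, unlink and so on) over every file carrying the generic tmp label, including temp files created by other domains that share that label. A tighter fix is to give ceph its own temp type, for example declaring `ceph_tmp_t` with `files_tmp_file(ceph_tmp_t)`, then `manage_files_pattern(ceph_t, ceph_tmp_t, ceph_tmp_t)` and `files_tmp_filetrans(ceph_t, ceph_tmp_t, file)`, so the daemon manages only the files it created. If the generic interface stays, the commit message should include the two AVC denials (source context, target class and path) so a reviewer can confirm which files are involved and that a narrower rule would not cover them.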