From: Boris Ranto <branto@redhat.com>
Date: Mon, 26 Jun 2017 20:12:20 +0000 (+0200)
Subject: selinux: Additional policy changes
X-Git-Tag: v1.0~56^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a07c7cf6aa06a368dc75df40ed7dac3d7037d4c8;p=cephmetrics.git

selinux: Additional policy changes

This was required to access whoami files inside /var/lib/ceph/osd/
directory.

Signed-off-by: Boris Ranto <branto@redhat.com>
---

diff --git a/selinux/cephmetrics.te b/selinux/cephmetrics.te
index f7d39cb..f0e7add 100644
--- a/selinux/cephmetrics.te
+++ b/selinux/cephmetrics.te
@@ -4,18 +4,19 @@ require {
 	type collectd_t;
 	type ceph_t;
 	type ceph_var_run_t;
+	type ceph_var_lib_t;
 	class unix_stream_socket connectto;
 	class dir read;
+	class file getattr;
 	class capability2 block_suspend;
 }
 
 #============= collectd_t ==============
 
-#!!!! The file '/run/ceph/ceph-mon.node1.asok' is mislabeled on your system.  
-#!!!! Fix with $ restorecon -R -v /run/ceph/ceph-mon.node1.asok
 #!!!! This avc can be allowed using the boolean 'daemons_enable_cluster_mode'
 allow collectd_t ceph_t:unix_stream_socket connectto;
 allow collectd_t ceph_var_run_t:dir read;
+allow collectd_t ceph_var_lib_t:file getattr;
 allow collectd_t self:capability2 block_suspend;
 allow collectd_t var_log_t:dir { add_name write };
 allow collectd_t var_log_t:file create;