From: Boris Ranto
Date: Fri, 9 Jun 2017 12:38:28 +0000 (+0200)
Subject: selinux: Allow nvme devices
X-Git-Tag: v12.2.1~62^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a1a3c07ba41c2edea2499d1b31baba310e6417e2;p=ceph.git

selinux: Allow nvme devices

This commit allows nvme devices which use a different label than standard block devices.

Fixes: http://tracker.ceph.com/issues/19200
Signed-off-by: Boris Ranto
(cherry picked from commit a8af61c8da9028adc13f7aea611d5a5fee9dbfd1)
---

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 272947d1e44d..552f73601cd9 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -5,11 +5,13 @@ require {
 	type var_run_t;
 	type random_device_t;
 	type urandom_device_t;
-	type setfiles_t;
+	type setfiles_t;
+	type nvme_device_t;
 	class sock_file unlink;
 	class lnk_file read;
 	class dir read;
 	class file { getattr read open };
+	class blk_file { getattr ioctl open read write };
 }
 
 ########################################
@@ -86,6 +88,8 @@ logging_send_syslog_msg(ceph_t)
 
 sysnet_dns_name_resolve(ceph_t)
 
+allow ceph_t nvme_device_t:blk_file { getattr ioctl open read write };
+
 # basis for future security review
 allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
 allow ceph_t self:capability { sys_rawio chown };
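Review bot: The new `type nvme_device_t;` entry in the require block makes the whole ceph module depend on the base policy already defining that type, so on a host whose selinux-policy predates nvme_device_t the module presumably fails to load outright rather than just lacking the NVMe rule, and the commit does not record which base-policy version is now the minimum. A comment above that line such as `# nvme_device_t must exist in the base policy; the module does not load without it` would make the new hard dependency visible to packagers. The `-`/`+` pair for `type setfiles_t;` is textually identical in the hunk, which looks like a whitespace-only change folded into a functional commit. The `require { … }` block opens before this hunk.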
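Review bot: The added allow rule grants ceph_t getattr/ioctl/open/read/write on every nvme_device_t block file without a comment saying why, and it is placed above the existing `# basis for future security review` marker, so the newest raw-device grant is the one rule that falls outside that grouping. Either moving the rule below the marker or adding `# NVMe devices are labelled nvme_device_t, not the standard block-device label (tracker 19200)` above it would keep the intent of the grouping and tie the grant to its justification. Whether an existing storage interface already covers other raw disk labels for ceph_t cannot be seen from this hunk; if it does, a note on why NVMe needs a separate rule belongs in the same comment.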