From: Brad Hubbard Date: Mon, 6 Apr 2020 23:35:06 +0000 (+1000) Subject: selinux: Allow ceph-mgr access to httpd dir X-Git-Tag: v12.2.14~14^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=c9bc15aab18ec61da6205ff4cbf9919e234b2b57;p=ceph.git selinux: Allow ceph-mgr access to httpd dir ceph-mgr loads modules which require read access and this causes a denial on el7. Fixes: https://tracker.ceph.com/issues/44216 Signed-off-by: Brad Hubbard (cherry picked from commit 35a7fc8249337c3c59f0c561632abf578f5d20fc)
---
diff --git a/selinux/ceph.te b/selinux/ceph.te
index a56eb6a55ab..34a5ae3d2a3 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -7,6 +7,7 @@ require {
 type urandom_device_t;
 type setfiles_t;
 type nvme_device_t;
+ type httpd_config_t;
 class sock_file unlink;
 class lnk_file read;
 class dir read;
@@ -117,6 +118,8 @@ allow ceph_t self:process setpgid;
 allow ceph_t var_run_t:dir { write create add_name };
 allow ceph_t var_run_t:file { read write create open getattr };
+allow ceph_t httpd_config_t:dir search;
+
 fsadm_manage_pid(ceph_t)
 #============= setfiles_t ==============
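Review bot: The new `allow ceph_t httpd_config_t:dir search;` rule in the second hunk carries no comment, and the commit message speaks of read access while the rule grants only `search`. A line above it such as `# ceph-mgr modules traverse the httpd config dir on el7; search only, no read/open (tracker 44216)` would record that the narrow grant is deliberate, so a later AVC denial is not answered by widening it without review. The rule is attached to `ceph_t`; if that domain is shared by the other Ceph daemons, the access extends beyond ceph-mgr, which is worth stating in the same comment. The first hunk only adds the matching `type httpd_config_t;` requirement and needs no change.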