From: Boris Ranto Date: Wed, 11 Apr 2018 13:25:59 +0000 (+0200) Subject: selinux: Allow ceph to block suspend X-Git-Tag: v13.1.1~24^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F21974%2Fhead;p=ceph.git selinux: Allow ceph to block suspend Ceph is now trying to block suspend in certain cases, we need to update the policy accordingly. Signed-off-by: Boris Ranto (cherry picked from commit e3be372d854f9014ca711f14525ca9e510d34f1a)
---
diff --git a/selinux/ceph.te b/selinux/ceph.te
index 2dabd05c7f0e..a56eb6a55abc 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -12,6 +12,7 @@ require {
 class dir read;
 class file { getattr read open };
 class blk_file { getattr ioctl open read write };
+ class capability2 block_suspend;
 }

 ########################################
@@ -46,6 +47,7 @@ allow ceph_t self:process { signal_perms };
 allow ceph_t self:fifo_file rw_fifo_file_perms;
 allow ceph_t self:unix_stream_socket create_stream_socket_perms;
 allow ceph_t self:capability { setuid setgid dac_override };
+allow ceph_t self:capability2 block_suspend;

 manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
 manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
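Review bot: The new `allow ceph_t self:capability2 block_suspend;` rule in the second hunk grants the capability to every process running in ceph_t, but neither the policy nor the commit message ("in certain cases") records which daemon requests it or the AVC denial that prompted the change. A short comment above the rule, for example `# CAP_BLOCK_SUSPEND: requested by <component>; AVC denial: <reference>`, would let a later policy audit decide whether the grant is still needed. If the denial comes from an incidental request, such as epoll's EPOLLWAKEUP flag, rather than from a wake lock the daemon depends on, `dontaudit ceph_t self:capability2 block_suspend;` would silence it without widening the domain. That alternative is an inference, since the code triggering the denial is not visible in this patch.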