From 35a7fc8249337c3c59f0c561632abf578f5d20fc Mon Sep 17 00:00:00 2001
From: Brad Hubbard
Date: Tue, 7 Apr 2020 09:35:06 +1000
Subject: [PATCH] selinux: Allow ceph-mgr access to httpd dir

ceph-mgr loads modules which require read access and this causes a denial on el7.

Fixes: https://tracker.ceph.com/issues/44216
Signed-off-by: Brad Hubbard
---
 selinux/ceph.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index c3be384c56bae..12d4a2b05e03a 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -12,6 +12,7 @@ require {
 type urandom_device_t;
 type setfiles_t;
 type nvme_device_t;
+ type httpd_config_t;
 class sock_file unlink;
 class tcp_socket name_connect_t;
 class lnk_file { create getattr read unlink };
@@ -147,6 +148,8 @@ allow ceph_t var_run_t:file { read write create open getattr };
 allow ceph_t init_var_run_t:file getattr;
 allow init_t ceph_t:process2 { nnp_transition nosuid_transition };
 
+allow ceph_t httpd_config_t:dir search;
+
 fsadm_manage_pid(ceph_t)
 
 #============= setfiles_t ==============
-- 
2.39.5
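Review bot: The new `allow ceph_t httpd_config_t:dir search;` in the second hunk has no comment, so a later policy audit will find a storage-daemon domain traversing web-server configuration directories with no stated reason. The subject names ceph-mgr, but the rule is written against `ceph_t`, the same domain the neighbouring rules use, so the permission presumably applies to every daemon confined in that domain rather than to the manager alone. I would put a line above the rule such as `# ceph-mgr modules traverse httpd config dirs on el7 (tracker 44216); dir search only, no file access`. The description says "read access" while the rule grants only `search`; the narrower grant is the right one to keep, and the description would be easier to check against the rule if it quoted the denied AVC.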