From 73bf34d90f3275813fa1da1629ddbe8c21738a52 Mon Sep 17 00:00:00 2001
From: Boris Ranto
Date: Tue, 28 Jul 2015 11:11:42 +0200
Subject: [PATCH] selinux: Update the SELinux policy rules

Few new denials were found while testing the policy. Updating the policy rules to refelct that.

Signed-off-by: Boris Ranto
---
 selinux/ceph.te | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 5d3ad5a38512b..e25ec846ee323 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -1,5 +1,16 @@
 policy_module(ceph, 1.0.0)
 
+require {
+ type sysfs_t;
+ type var_run_t;
+ type random_device_t;
+ type setfiles_t;
+ class sock_file unlink;
+ class lnk_file read;
+ class dir read;
+ class file { getattr read open };
+}
+
 ########################################
 #
 # Declarations
@@ -31,6 +42,7 @@ files_pid_file(ceph_var_run_t)
 allow ceph_t self:process { signal_perms };
 allow ceph_t self:fifo_file rw_fifo_file_perms;
 allow ceph_t self:unix_stream_socket create_stream_socket_perms;
+# not needed at the moment, for future releases, not needed at all if we switch to systemd init scripts
 allow ceph_t self:capability { setuid setgid };
 
 manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
@@ -83,3 +95,20 @@ files_list_tmp(ceph_t)
 fstools_exec(ceph_t)
 nis_use_ypbind_uncond(ceph_t)
 storage_raw_rw_fixed_disk(ceph_t)
+
+# added 2015-07-28, needs review just as well
+allow ceph_t ceph_var_run_t:sock_file unlink;
+allow ceph_t sysfs_t:dir read;
+allow ceph_t sysfs_t:file { read getattr open };
+allow ceph_t sysfs_t:lnk_file read;
+
+
+allow ceph_t random_device_t:chr_file getattr;
+allow ceph_t self:process setpgid;
+allow ceph_t var_run_t:dir { write create add_name };
+allow ceph_t var_run_t:file { write create open getattr };
+
+fsadm_manage_pid(ceph_t)
+
+#============= setfiles_t ==============
+allow setfiles_t ceph_var_lib_t:file write;
--
2.39.5
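Review bot: The third hunk grants ceph_t write/create/add_name on the generic var_run_t dir and file types instead of a type transition into the module's own ceph_var_run_t (declared with files_pid_file earlier in the file), so whatever the daemon creates directly under the generic pid directory stays labelled var_run_t and falls outside the ceph-specific type the rest of the policy is built around; `files_pid_filetrans(ceph_t, ceph_var_run_t, { dir file sock_file })` would keep those objects in ceph_var_run_t without the broad allow on var_run_t. The first and third hunks also reach sysfs_t and random_device_t through a raw `require` block rather than the refpolicy interfaces, and `dev_read_sysfs(ceph_t)` covers the three sysfs_t rules without a hard dependency on that type name. The final `allow setfiles_t ceph_var_lib_t:file write;` gives the relabeling tool write access to ceph data file contents, which a relabel does not need, so the originating AVC is worth re-checking before merging — the "needs review" comment in the same hunk says as much and should be resolved rather than committed. The comment added in the second hunk describes a rule the author already considers unneeded; a `# TODO: drop once systemd units replace the init scripts` wording would make the follow-up explicit.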