From d0fd8ffa402444fde0d9c4b30b08091512e1191d Mon Sep 17 00:00:00 2001
From: Milan Broz
Date: Wed, 17 Jun 2015 13:08:17 +0200
Subject: [PATCH] Update selinux policy (after local test).

Changes enerated with ceph-test package.

Signed-off-by: Milan Broz
---
 selinux/ceph.te | 13 +++++++++++++
 selinux/ceph_selinux.8 | 20 ++------------------
 2 files changed, 15 insertions(+), 18 deletions(-)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 3e2caa669177a..fa1393e825e59 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -69,3 +69,16 @@ auth_use_nsswitch(ceph_t)
 logging_send_syslog_msg(ceph_t)
 sysnet_dns_name_resolve(ceph_t)
+
+# added 2015-06-17, need review
+
+allow ceph_t ceph_var_run_t:sock_file create;
+allow ceph_t self:capability sys_rawio;
+
+allow ceph_t self:tcp_socket { accept listen };
+corenet_tcp_connect_cyphesis_port(ceph_t)
+corenet_tcp_connect_generic_port(ceph_t)
+files_list_tmp(ceph_t)
+fstools_exec(ceph_t)
+nis_use_ypbind_uncond(ceph_t)
+storage_raw_rw_fixed_disk(ceph_t)
diff --git a/selinux/ceph_selinux.8 b/selinux/ceph_selinux.8
index 5f6cc8e2b10ef..de74807c8ed87 100644
--- a/selinux/ceph_selinux.8
+++ b/selinux/ceph_selinux.8
@@ -1,4 +1,4 @@
-.TH "ceph_selinux" "8" "15-05-13" "ceph" "SELinux Policy ceph"
+.TH "ceph_selinux" "8" "15-06-17" "ceph" "SELinux Policy ceph"
 .SH "NAME"
 ceph_selinux \- Security Enhanced Linux Policy for the ceph processes
 .SH "DESCRIPTION"
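Review bot: `allow ceph_t self:capability sys_rawio;` together with `storage_raw_rw_fixed_disk(ceph_t)` lets every process confined as ceph_t read and write fixed-disk block devices raw and perform raw I/O, so a compromise of any network-facing Ceph daemon in that single domain is no longer contained by the policy; unless a raw-partition journal genuinely needs them, those two lines should be dropped or gated behind a boolean, and the `# added 2015-06-17, need review` marker should be resolved before this ships rather than committed as-is. `nis_use_ypbind_uncond(ceph_t)` looks like an audit2allow artifact: it is typically proposed for a `name_bind` denial on an unlabeled port and also grants /var/yp access and binding to reserved and RPC ports, so if the triggering AVC was a daemon binding its 68xx port, the narrower rule is `corenet_tcp_bind_generic_port(ceph_t)` (or a dedicated ceph port type). Likewise `fstools_exec(ceph_t)` runs mkfs/fsck inside ceph_t; `fstools_domtrans(ceph_t)` would run them in fsadm_t, which may well be the only reason the raw-disk permissions above were generated. `corenet_tcp_connect_cyphesis_port(ceph_t)` presumably appears because the 6789 monitor port falls inside cyphesis_port_t's range; a one-line comment saying so would spare the next reviewer the same investigation.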
@@ -145,22 +145,6 @@ If you want to allow confined applications to use nscd shared memory, you must t
 .EE
-.SH NSSWITCH DOMAIN
-
-.PP
-If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ceph_t, you must turn on the authlogin_nsswitch_use_ldap boolean.
-
-.EX
-.B setsebool -P authlogin_nsswitch_use_ldap 1
-.EE
-
-.PP
-If you want to allow confined applications to run with kerberos for the ceph_t, you must turn on the kerberos_enabled boolean.
-
-.EX
-.B setsebool -P kerberos_enabled 1
-.EE
-
 .SH "MANAGED FILES"
 The SELinux process type ceph_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions.
@@ -254,7 +238,7 @@ SELinux ceph policy is very flexible allowing users to setup their ceph processe
 SELinux defines the file context types for the ceph, if you wanted to store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t ceph_exec_t '/srv/ceph/content(/.*)?'
+.B semanage fcontext -a -t ceph_var_run_t '/srv/myceph_content(/.*)?'
 .br
 .B restorecon -R -v /srv/myceph_content
-- 
2.39.5