From e3be372d854f9014ca711f14525ca9e510d34f1a Mon Sep 17 00:00:00 2001
From: Boris Ranto
Date: Wed, 11 Apr 2018 15:25:59 +0200
Subject: [PATCH] selinux: Allow ceph to block suspend

Ceph is now trying to block suspend in certain cases, we need to update the policy accordingly.

Signed-off-by: Boris Ranto
---
 selinux/ceph.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 2dabd05c7f0ed..a56eb6a55abc9 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -12,6 +12,7 @@ require {
 class dir read;
 class file { getattr read open };
 class blk_file { getattr ioctl open read write };
+ class capability2 block_suspend;
 }

 ########################################
@@ -46,6 +47,7 @@ allow ceph_t self:process { signal_perms };
 allow ceph_t self:fifo_file rw_fifo_file_perms;
 allow ceph_t self:unix_stream_socket create_stream_socket_perms;
 allow ceph_t self:capability { setuid setgid dac_override };
+allow ceph_t self:capability2 block_suspend;

 manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
 manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
-- 
2.39.5
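Review bot: The added `allow ceph_t self:capability2 block_suspend;` in the second hunk applies to every process running in ceph_t, and neither the rule nor the commit message says which daemon or call triggers the denial (only "in certain cases"). If the AVC comes from an epoll registration using EPOLLWAKEUP, the kernel simply ignores that flag when the caller lacks CAP_BLOCK_SUSPEND, so `dontaudit ceph_t self:capability2 block_suspend;` would quiet the audit log without letting a confined daemon hold off system suspend; that origin is an assumption to confirm against the logged denial. If the capability is genuinely required, a comment above the rule such as `# <daemon/code path> must block suspend; see AVC in <tracker reference>` would let later policy audits justify it. The `class capability2 block_suspend;` line added to the require block in the first hunk is needed in either case.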