From 5cd4ce517c2b1c930785f614cbeff661d7ca2624 Mon Sep 17 00:00:00 2001 From: Boris Ranto Date: Tue, 8 Mar 2016 10:59:33 +0100 Subject: [PATCH] selinux: Allow to manage locks We currently create the ceph lock by an unconfined process (ceph-disk). Unconfined processes inherit the context from the parent directory. This allows ceph daemons to access the files with context inherited from the parent directory (/var/lock | /run/lock). Signed-off-by: Boris Ranto --- selinux/ceph.te | 1 + 1 file changed, 1 insertion(+) diff --git a/selinux/ceph.te b/selinux/ceph.te index e31f68118ec1..52bb504bc0ec 100644 --- a/selinux/ceph.te +++ b/selinux/ceph.te @@ -94,6 +94,7 @@ files_list_tmp(ceph_t) fstools_exec(ceph_t) nis_use_ypbind_uncond(ceph_t) storage_raw_rw_fixed_disk(ceph_t) +files_manage_generic_locks(ceph_t) allow ceph_t sysfs_t:dir read; allow ceph_t sysfs_t:file { read getattr open }; -- 2.47.3
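Review bot: The added `files_manage_generic_locks(ceph_t)` line in the ceph.te hunk is broader than the problem described in the commit message: it grants ceph_t create, write, rename and unlink on every generic lock file under /run/lock (the var_lock_t type that the unconfined ceph-disk process inherits from the parent directory), not only on the Ceph lock, so a compromised ceph daemon could remove or overwrite other services' lock files. A narrower fix that still solves the inherited-label problem is to give the Ceph lock its own type (a ceph-specific lock type, name to be chosen) with a file transition in ceph.te and a matching ceph.fc entry, so the file gets the right label regardless of which process creates it, and to allow manage only on that type. The commit message should also quote the AVC denial that motivated the change and state whether ceph-disk is expected to stay unconfined, since if it were later confined the generic-locks rule would no longer be needed.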