selinux: Allow ceph to execute ldconfig
author Boris Ranto <branto@redhat.com>
Thu, 25 Jan 2018 15:31:30 +0000 (16:31 +0100)
committer Kefu Chai <kchai@redhat.com>
Mon, 14 May 2018 10:49:46 +0000 (18:49 +0800)
The ceph-volume testing showed that the ceph daemons can run ldconfig in
a corner case when they are forbidden access to some files. This patch
allows ceph to execute ldconfig in Enforcing mode.

Fixes: https://tracker.ceph.com/issues/22302
Signed-off-by: Boris Ranto <branto@redhat.com>
(cherry picked from commit fa5071b6d7182f54cd7b1ffe171a4b006f5255cb)

selinux/ceph.te

index 0a9349803b12831eb72b266d4e74d5ac38c3e98a..2dabd05c7f0ed1cb821a170de41ca45121844595 100644 (file)
@@ -103,6 +103,7 @@ fstools_exec(ceph_t)
 nis_use_ypbind_uncond(ceph_t)
 storage_raw_rw_fixed_disk(ceph_t)
 files_manage_generic_locks(ceph_t)
+libs_exec_ldconfig(ceph_t)
 
 allow ceph_t sysfs_t:dir read;
 allow ceph_t sysfs_t:file { read getattr open };
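
Review bot: The added libs_exec_ldconfig(ceph_t) line has no comment saying why a Ceph daemon needs to execute ldconfig, and the commit message only refers to "a corner case when they are forbidden access to some files" without naming the code path or the files involved. Because the rule applies to the whole ceph_t domain, please add a short policy comment above the line that points at tracker issue 22302 and names the trigger, so a later audit of this policy can tell whether the permission is still required or can be dropped once the underlying access denial is fixed.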