selinux: Allow to manage locks

We currently create the ceph lock by an unconfined process (ceph-disk). Unconfined processes inherit the context from the parrent directory. This allows ceph daemons to access the files with context inherrited from the parent directory (/var/lock | /run/lock). Signed-off-by: Boris Ranto <[email protected]>
att · Mar 8, 2016 · 5cd4ce5 · 5cd4ce5
1 parent 519b03f
commit 5cd4ce5
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/selinux/ceph.te b/selinux/ceph.te
@@ -94,6 +94,7 @@ files_list_tmp(ceph_t)
 fstools_exec(ceph_t)
 nis_use_ypbind_uncond(ceph_t)
 storage_raw_rw_fixed_disk(ceph_t)
+files_manage_generic_locks(ceph_t)
 
 allow ceph_t sysfs_t:dir read;
 allow ceph_t sysfs_t:file { read getattr open };