From 519b03f4b055fd247197d7383810764de31bebc1 Mon Sep 17 00:00:00 2001
From: Boris Ranto <branto@redhat.com>
Date: Tue, 1 Mar 2016 09:03:05 +0100
Subject: [PATCH] selinux: allow dac_override capability

Fixes: #14870
Signed-off-by: Boris Ranto <branto@redhat.com>
---
 selinux/ceph.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index 613fe4e25e530..e31f68118ec10 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -43,7 +43,7 @@ files_pid_file(ceph_var_run_t)
 allow ceph_t self:process { signal_perms };
 allow ceph_t self:fifo_file rw_fifo_file_perms;
 allow ceph_t self:unix_stream_socket create_stream_socket_perms;
-allow ceph_t self:capability { setuid setgid };
+allow ceph_t self:capability { setuid setgid dac_override };
 
 manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
 manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)