selinux: allow chown for self and setattr for /var/run/ceph

Fixes: http://tracker.ceph.com/issues/16126 Signed-off-by: Boris Ranto <branto@redhat.com>
author: Boris Ranto <branto@redhat.com> 2016-06-13 12:34:39 +0200
committer: Boris Ranto <branto@redhat.com> 2016-06-13 12:35:19 +0200
commit: 2a6c738abda35f540af6f9398406d4e49337c34d (patch)
tree: 9a214269569eb37a0d32d55753ad15588074bcb9 /selinux
parent: Merge pull request #9642 from yuyuyu101/wip-16237 (diff)
download: ceph-2a6c738abda35f540af6f9398406d4e49337c34d.tar.xz
ceph-2a6c738abda35f540af6f9398406d4e49337c34d.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/selinux/ceph.te b/selinux/ceph.te
index 52bb504bc0e..0e85c84bfa6 100644
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -84,8 +84,8 @@ logging_send_syslog_msg(ceph_t)
 sysnet_dns_name_resolve(ceph_t)
 
 # basis for future security review
-allow ceph_t ceph_var_run_t:sock_file { create unlink write };
-allow ceph_t self:capability sys_rawio;
+allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
+allow ceph_t self:capability { sys_rawio chown };
 
 allow ceph_t self:tcp_socket { accept listen };
 corenet_tcp_connect_cyphesis_port(ceph_t)
author	Boris Ranto <branto@redhat.com>	2016-06-13 12:34:39 +0200
committer	Boris Ranto <branto@redhat.com>	2016-06-13 12:35:19 +0200
commit	2a6c738abda35f540af6f9398406d4e49337c34d (patch)
tree	9a214269569eb37a0d32d55753ad15588074bcb9 /selinux
parent	Merge pull request #9642 from yuyuyu101/wip-16237 (diff)
download	ceph-2a6c738abda35f540af6f9398406d4e49337c34d.tar.xz ceph-2a6c738abda35f540af6f9398406d4e49337c34d.zip