author | Milan Broz <mbroz@redhat.com> | 2015-06-17 13:08:17 +0200 |
---|---|---|
committer | Boris Ranto <branto@redhat.com> | 2015-08-05 15:21:47 +0200 |
commit | d0fd8ffa402444fde0d9c4b30b08091512e1191d (patch) | |
tree | 1167be295c38f0ae462866058f8d53be00170d8a /selinux | |
parent | Fix selinux context after intitial OSD mount. (diff) | |
download | ceph-d0fd8ffa402444fde0d9c4b30b08091512e1191d.tar.xz ceph-d0fd8ffa402444fde0d9c4b30b08091512e1191d.zip |
Update selinux policy (after local test).
Changes generated with ceph-test package.
Signed-off-by: Milan Broz <mbroz@redhat.com>
Diffstat (limited to 'selinux')
-rw-r--r-- | selinux/ceph.te | 13
-rw-r--r-- | selinux/ceph_selinux.8 | 20
2 files changed, 15 insertions, 18 deletions
diff --git a/selinux/ceph.te b/selinux/ceph.te index 3e2caa66917..fa1393e825e 100644 --- a/selinux/ceph.te +++ b/selinux/ceph.te @@ -69,3 +69,16 @@ auth_use_nsswitch(ceph_t) logging_send_syslog_msg(ceph_t) sysnet_dns_name_resolve(ceph_t) + +# added 2015-06-17, need review + +allow ceph_t ceph_var_run_t:sock_file create; +allow ceph_t self:capability sys_rawio; + +allow ceph_t self:tcp_socket { accept listen }; +corenet_tcp_connect_cyphesis_port(ceph_t) +corenet_tcp_connect_generic_port(ceph_t) +files_list_tmp(ceph_t) +fstools_exec(ceph_t) +nis_use_ypbind_uncond(ceph_t) +storage_raw_rw_fixed_disk(ceph_t) diff --git a/selinux/ceph_selinux.8 b/selinux/ceph_selinux.8 index 5f6cc8e2b10..de74807c8ed 100644 --- a/selinux/ceph_selinux.8 +++ b/selinux/ceph_selinux.8 @@ -1,4 +1,4 @@ -.TH "ceph_selinux" "8" "15-05-13" "ceph" "SELinux Policy ceph" +.TH "ceph_selinux" "8" "15-06-17" "ceph" "SELinux Policy ceph" .SH "NAME" ceph_selinux \- Security Enhanced Linux Policy for the ceph processes .SH "DESCRIPTION" @@ -145,22 +145,6 @@ If you want to allow confined applications to use nscd shared memory, you must t .EE -.SH NSSWITCH DOMAIN - -.PP -If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd server for the ceph_t, you must turn on the authlogin_nsswitch_use_ldap boolean. - -.EX -.B setsebool -P authlogin_nsswitch_use_ldap 1 -.EE - -.PP -If you want to allow confined applications to run with kerberos for the ceph_t, you must turn on the kerberos_enabled boolean. - -.EX -.B setsebool -P kerberos_enabled 1 -.EE - .SH "MANAGED FILES" The SELinux process type ceph_t can manage files labeled with the following file types. The paths listed are the default paths for these file types. Note the processes UID still need to have DAC permissions. 
@@ -254,7 +238,7 @@ SELinux ceph policy is very flexible allowing users to setup their ceph processe SELinux defines the file context types for the ceph, if you wanted to store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk. -.B semanage fcontext -a -t ceph_exec_t '/srv/ceph/content(/.*)?' +.B semanage fcontext -a -t ceph_var_run_t '/srv/myceph_content(/.*)?' .br .B restorecon -R -v /srv/myceph_content |
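Review bot: In the ceph.te hunk, `allow ceph_t self:capability sys_rawio;` together with `storage_raw_rw_fixed_disk(ceph_t)` gives the confined ceph_t domain raw read/write access to fixed disks, and `corenet_tcp_connect_generic_port(ceph_t)` lets it connect to any generic port, yet the only justification committed is the `# added 2015-06-17, need review` marker and a commit message saying the rules were generated from a ceph-test run. Suggest replacing the marker with a comment per rule naming the ceph operation that was observed to need it, so a later audit can distinguish a required rule from one an allow-generation pass picked up incidentally; `corenet_tcp_connect_cyphesis_port(ceph_t)` in particular reads like a ceph port being mapped onto whatever existing port type covered it, and the port that triggered it is worth confirming before the rule is kept.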
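Review bot: The `@@ -145,22 +145,6 @@` hunk removes the whole NSSWITCH DOMAIN section, and with it the `authlogin_nsswitch_use_ldap` and `kerberos_enabled` boolean documentation, while the ceph.te hunk still shows `auth_use_nsswitch(ceph_t)` in its context and adds `nis_use_ypbind_uncond(ceph_t)`. If the man page is regenerated from the policy, a section vanishing while the interface that motivates it stays in place points at the generator or toolchain the page was regenerated with rather than at a change in what applies to ceph_t; suggest confirming the regenerated page against the current ceph.te, or regenerating the man page in a separate commit from the policy change so the two can be reviewed independently.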
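Review bot: In the `@@ -254,7 +238,7 @@` hunk the example path now matches the `restorecon -R -v /srv/myceph_content` line that follows it, which is an improvement, but the type changed from `ceph_exec_t` to `ceph_var_run_t`, a runtime (/var/run) type, while the sentence it illustrates is about storing content files in an alternate path; if the example is meant to show relabeling of content, a file type rather than the runtime type would fit the surrounding text, and if this is simply what the generator emitted, it is worth a sanity check rather than taking as-is. The unchanged context lines also keep the typos "diffent" and "sepecify"; since this page is regenerated, those should be fixed at the source that produces them rather than edited here.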