| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
This showed up during downstream testing for luminous. We are doing
getattr on the sysfs lnk files and the current policy does not allow
this.
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
|
|
|
| |
This commit allows nvme devices which use a different label than
standard block devices.
Fixes: http://tracker.ceph.com/issues/19200
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
| |
Fixes: http://tracker.ceph.com/issues/16674
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
| |
Signed-off-by: Kefu Chai <kchai@redhat.com>
|
| |
|
|
|
|
| |
Fixes: http://tracker.ceph.com/issues/19254
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
Two new denials showed up in testing that relate to ceph trying to
manage (rename and unlink) tmp files. This commit allows ceph to manage
the files.
Fixes: http://tracker.ceph.com/issues/17436
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
| |
Signed-off-by: Sage Weil <sage@redhat.com>
|
| |
|
|
|
|
|
| |
we read /proc/<pid>/cmdline to figure out who is terminating us.
Fixes: http://tracker.ceph.com/issues/16675
Signed-off-by: Kefu Chai <kchai@redhat.com>
|
| |
|
|
|
|
| |
Fixes: http://tracker.ceph.com/issues/16126
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
| |
Signed-off-by: Kefu Chai <kchai@redhat.com>
|
| |
|
|
| |
Signed-off-by: Kefu Chai <kchai@redhat.com>
|
| |
|
|
|
|
|
|
|
| |
We currently create the ceph lock by an unconfined process (ceph-disk).
Unconfined processes inherit the context from the parrent directory.
This allows ceph daemons to access the files with context inherrited
from the parent directory (/var/lock | /run/lock).
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
| |
Fixes: #14870
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We do suggest users to put their logs in /var/log/radosgw in the
documentation at times. We should also label that directory with
ceph_var_log_t so that ceph daemons can also write there.
The commit also updates the man page for this policy. This man page is
automatically generated by
* sepolicy manpage -p . -d ceph_t
and have not been reloaded in a while. Hence, it contains few more
changes than the new radosgw directory.
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
|
|
|
|
|
| |
The SELinux man page was previously located in two places and the man
page that was supposed to be updated when rgw selinux changes were
proposed did not get updated properly. Fixing this by moving
selinux/ceph_selinux.8 to man/ceph_selinux.8. Also, populate EXTRA_DIST
with ceph_selinux.8.
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
|
| |
This is simpler.
Signed-off-by: Sage Weil <sage@redhat.com>
|
| |
|
|
|
|
|
| |
The current SELinux policy does not cover radosgw daemon. This patch
introduces the SELinux support for radosgw daemon (civetweb only).
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
|
|
| |
The gitbuilders release script needs this. Otherwise, the ceph-release
build will fail because there were some untracked files.
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
|
|
| |
Few new denials were found while testing the policy. Updating the policy
rules to refelct that.
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
|
|
|
| |
We need to force single-core compilation of SELinux policy files in the
sub-make target as SELinux Makefile does not work properly when run in
parallel mode.
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
| |
Signed-off-by: Boris Ranto <branto@redhat.com>
|
| |
|
|
|
|
| |
Changes enerated with ceph-test package.
Signed-off-by: Milan Broz <mbroz@redhat.com>
|
|
|
This patch modifies the build system and spec file to provide a support
for SELinux enforcing in an opt-in matter via ceph-selinux package.
Signed-off-by: Boris Ranto <branto@redhat.com>
|
