Commit
selinux: prepare for anon inode controls enablement

We plan to start labeling anon inodes (userfaultfd and io_uring file descriptors) properly in selinux-policy, which means that domains using these will need new rules. See: fedora-selinux/selinux-policy#1351

Since ceph may optionally use io_uring, this patch adds the necessary interface call to its policy to avoid a regression. As the new interface call is put under a conditional, the policy package will be buildable against selinux-policy with or without the above PR merged, but it will need to be rebuilt against the updated selinux-policy to actually pick up the new rules.

I tested this on a minimal ceph cluster with 'bdev_ioring = true' added to ceph.conf. I got io_uring denials without this patch + with selinux-policy with PR#1351 and no denials with ceph rebuilt with this patch.

Signed-off-by: Ondrej Mosnacek <[email protected]>