2 ## <summary>policy for ceph</summary>
4 ########################################
6 ## Execute ceph_exec_t in the ceph domain.
8 ## <param name="domain">
10 ## Domain allowed to transition.
14 interface(`ceph_domtrans',`
16 type ceph_t, ceph_exec_t;
# The caller must be able to search the bin directories to reach the
# executable; domtrans_pattern then grants execute on ceph_exec_t and the
# transition into ceph_t, so ceph runs confined in its own domain rather
# than with the caller's permissions.
19 corecmd_search_bin($1)
20 domtrans_pattern($1, ceph_exec_t, ceph_t)
23 ######################################
25 ## Execute ceph in the caller domain.
27 ## <param name="domain">
29 ## Domain allowed access.
33 interface(`ceph_exec',`
# No domain transition here: can_exec only lets $1 run ceph_exec_t, so the
# program inherits every permission of the calling domain. Prefer
# ceph_domtrans unless the caller genuinely needs ceph unconfined in its own
# domain.
38 corecmd_search_bin($1)
39 can_exec($1, ceph_exec_t)
42 ########################################
44 ## Execute ceph server in the ceph domain.
46 ## <param name="domain">
48 ## Domain allowed access.
52 interface(`ceph_initrc_domtrans',`
54 type ceph_initrc_exec_t;
# The transition is via the init script labeled ceph_initrc_exec_t (into
# the init script domain), not directly into ceph_t; the script is what
# later starts the daemon in ceph_t. Use ceph_domtrans for a direct
# transition.
57 init_labeled_script_domtrans($1, ceph_initrc_exec_t)
59 ########################################
61 ## Read ceph's log files.
63 ## <param name="domain">
65 ## Domain allowed access.
70 interface(`ceph_read_log',`
# Search on the log directory tree is needed to reach the files; the pattern
# then grants read-only access to ceph_log_t directories and files. No
# write or append is granted here (see ceph_append_log / ceph_manage_log).
75 logging_search_logs($1)
76 read_files_pattern($1, ceph_log_t, ceph_log_t)
79 ########################################
81 ## Append to ceph log files.
83 ## <param name="domain">
85 ## Domain allowed access.
89 interface(`ceph_append_log',`
# Append-only: the pattern grants append (not write) on ceph_log_t files, so
# a caller can add log entries but cannot truncate or rewrite existing ones.
94 logging_search_logs($1)
95 append_files_pattern($1, ceph_log_t, ceph_log_t)
98 ########################################
100 ## Manage ceph log files.
102 ## <param name="domain">
104 ## Domain allowed access.
108 interface(`ceph_manage_log',`
# Full management (create, read, write, rename, delete) of ceph_log_t
# directories, regular files and symlinks. This lets $1 remove or rewrite
# audit-relevant history, so grant it only to log rotation and admin
# domains, not to callers that merely need to read or append.
113 logging_search_logs($1)
114 manage_dirs_pattern($1, ceph_log_t, ceph_log_t)
115 manage_files_pattern($1, ceph_log_t, ceph_log_t)
116 manage_lnk_files_pattern($1, ceph_log_t, ceph_log_t)
119 ########################################
121 ## Search ceph lib directories.
123 ## <param name="domain">
125 ## Domain allowed access.
129 interface(`ceph_search_lib',`
# search_dir_perms only allows directory lookup/traversal on ceph_var_lib_t;
# listing or reading the contents needs ceph_read_lib_files. The explicit
# allow is paired with search on /var/lib itself so the path is reachable.
134 allow $1 ceph_var_lib_t:dir search_dir_perms;
135 files_search_var_lib($1)
138 ########################################
140 ## Read ceph lib files.
142 ## <param name="domain">
144 ## Domain allowed access.
148 interface(`ceph_read_lib_files',`
# Read-only access to ceph_var_lib_t files (and the directories holding
# them). Note that the ceph state directory may hold key material, so this
# is a sensitive grant even though it is read-only.
153 files_search_var_lib($1)
154 read_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
157 ########################################
159 ## Manage ceph lib files.
161 ## <param name="domain">
163 ## Domain allowed access.
167 interface(`ceph_manage_lib_files',`
# Files only: this grants create/write/delete on ceph_var_lib_t regular
# files. Directory management is split out into ceph_manage_lib_dirs so a
# caller can be given one without the other.
172 files_search_var_lib($1)
173 manage_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
176 ########################################
178 ## Manage ceph lib directories.
180 ## <param name="domain">
182 ## Domain allowed access.
186 interface(`ceph_manage_lib_dirs',`
# Directories only: create/remove/rename of ceph_var_lib_t directories.
# Pair with ceph_manage_lib_files when the caller also needs to manage the
# files inside them.
191 files_search_var_lib($1)
192 manage_dirs_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
195 ########################################
197 ## Read ceph PID files.
199 ## <param name="domain">
201 ## Domain allowed access.
205 interface(`ceph_read_pid_files',`
# Read-only on ceph_var_run_t files under the pid directory; no write, so
# a caller cannot forge or clobber the daemon's pid file.
210 files_search_pids($1)
211 read_files_pattern($1, ceph_var_run_t, ceph_var_run_t)
215 ########################################
217 ## All of the rules required to administrate
218 ## a ceph environment
220 ## <param name="domain">
222 ## Domain allowed access.
225 ## <param name="role">
227 ## Role allowed access.
232 interface(`ceph_admin',`
235 type ceph_initrc_exec_t;
# NOTE(review): the body below also references ceph_t, ceph_log_t,
# ceph_var_lib_t and ceph_var_run_t; those declarations are not visible in
# this excerpt and must be in the same gen_require block - confirm.
# Process control: send signals to ceph_t and see it in ps/proc listings.
241 allow $1 ceph_t:process { signal_perms };
242 ps_process_pattern($1, ceph_t)
# The first (deny_ptrace = true) branch is empty; ptrace on ceph_t is granted
# only in the else branch, i.e. when the deny_ptrace tunable is off. ptrace
# exposes the daemon's memory to $1, which is why it is gated.
244 tunable_policy(`deny_ptrace',`',`
245 allow $1 ceph_t:process ptrace;
# Service control: run the init script, with the role switched to system_r
# when $2 executes ceph_initrc_exec_t. domain_system_change_exemption is
# the usual companion that lets $1 change into system domains.
248 ceph_initrc_domtrans($1)
249 domain_system_change_exemption($1)
250 role_transition $2 ceph_initrc_exec_t system_r;
# Full management (and relabel) of the log, state and pid files via
# admin_pattern; each is preceded by search on its parent tree.
253 logging_search_logs($1)
254 admin_pattern($1, ceph_log_t)
256 files_search_var_lib($1)
257 admin_pattern($1, ceph_var_lib_t)
259 files_search_pids($1)
260 admin_pattern($1, ceph_var_run_t)
# Presumably so the admin can answer systemd password-agent prompts raised
# during service start - confirm against the ceph units in use.
262 systemd_passwd_agent_exec($1)
263 systemd_read_fifo_file_passwd_run($1)