initial code repo

[stor4nfv.git] / src / ceph / selinux / ceph.if

diff --git a/src/ceph/selinux/ceph.if b/src/ceph/selinux/ceph.if
new file mode 100644 (file)
index 0000000..ed747a8
--- /dev/null
+++ b/src/ceph/selinux/ceph.if
@@ -0,0 +1,265 @@
+
+## <summary>policy for ceph</summary>
+
+########################################
+## <summary>
+##     Execute ceph_exec_t in the ceph domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##     Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ceph_domtrans',`
+       gen_require(`
+               type ceph_t, ceph_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       domtrans_pattern($1, ceph_exec_t, ceph_t)
+')
+
+######################################
+## <summary>
+##     Execute ceph in the caller domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ceph_exec',`
+       gen_require(`
+               type ceph_exec_t;
+       ')
+
+       corecmd_search_bin($1)
+       can_exec($1, ceph_exec_t)
+')
+
+########################################
+## <summary>
+##     Execute ceph server in the ceph domain.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ceph_initrc_domtrans',`
+       gen_require(`
+               type ceph_initrc_exec_t;
+       ')
+
+       init_labeled_script_domtrans($1, ceph_initrc_exec_t)
+')
+########################################
+## <summary>
+##     Read ceph's log files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ceph_read_log',`
+       gen_require(`
+               type ceph_log_t;
+       ')
+
+       logging_search_logs($1)
+       read_files_pattern($1, ceph_log_t, ceph_log_t)
+')
+
+########################################
+## <summary>
+##     Append to ceph log files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ceph_append_log',`
+       gen_require(`
+               type ceph_log_t;
+       ')
+
+       logging_search_logs($1)
+       append_files_pattern($1, ceph_log_t, ceph_log_t)
+')
+
+########################################
+## <summary>
+##     Manage ceph log files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ceph_manage_log',`
+       gen_require(`
+               type ceph_log_t;
+       ')
+
+       logging_search_logs($1)
+       manage_dirs_pattern($1, ceph_log_t, ceph_log_t)
+       manage_files_pattern($1, ceph_log_t, ceph_log_t)
+       manage_lnk_files_pattern($1, ceph_log_t, ceph_log_t)
+')
+
+########################################
+## <summary>
+##     Search ceph lib directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ceph_search_lib',`
+       gen_require(`
+               type ceph_var_lib_t;
+       ')
+
+       allow $1 ceph_var_lib_t:dir search_dir_perms;
+       files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##     Read ceph lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ceph_read_lib_files',`
+       gen_require(`
+               type ceph_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+       read_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Manage ceph lib files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ceph_manage_lib_files',`
+       gen_require(`
+               type ceph_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+       manage_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Manage ceph lib directories.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ceph_manage_lib_dirs',`
+       gen_require(`
+               type ceph_var_lib_t;
+       ')
+
+       files_search_var_lib($1)
+       manage_dirs_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
+')
+
+########################################
+## <summary>
+##     Read ceph PID files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`ceph_read_pid_files',`
+       gen_require(`
+               type ceph_var_run_t;
+       ')
+
+       files_search_pids($1)
+       read_files_pattern($1, ceph_var_run_t, ceph_var_run_t)
+')
+
+
+########################################
+## <summary>
+##     All of the rules required to administrate
+##     an ceph environment
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+## <param name="role">
+##     <summary>
+##     Role allowed access.
+##     </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ceph_admin',`
+       gen_require(`
+               type ceph_t;
+               type ceph_initrc_exec_t;
+               type ceph_log_t;
+               type ceph_var_lib_t;
+               type ceph_var_run_t;
+       ')
+
+       allow $1 ceph_t:process { signal_perms };
+       ps_process_pattern($1, ceph_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ceph_t:process ptrace;
+    ')
+
+       ceph_initrc_domtrans($1)
+       domain_system_change_exemption($1)
+       role_transition $2 ceph_initrc_exec_t system_r;
+       allow $2 system_r;
+
+       logging_search_logs($1)
+       admin_pattern($1, ceph_log_t)
+
+       files_search_var_lib($1)
+       admin_pattern($1, ceph_var_lib_t)
+
+       files_search_pids($1)
+       admin_pattern($1, ceph_var_run_t)
+       optional_policy(`
+               systemd_passwd_agent_exec($1)
+               systemd_read_fifo_file_passwd_run($1)
+       ')
+')