[ceph.git] / ceph / selinux / ceph.if


## <summary>policy for ceph</summary>

########################################
## <summary>
##	Execute ceph_exec_t in the ceph domain.
## </summary>
## <param name="domain">
## <summary>
##	Domain allowed to transition.
## </summary>
## </param>
#
interface(`ceph_domtrans',`
	gen_require(`
		type ceph_t, ceph_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, ceph_exec_t, ceph_t)
')

######################################
## <summary>
##	Execute ceph in the caller domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_exec',`
	gen_require(`
		type ceph_exec_t;
	')

	corecmd_search_bin($1)
	can_exec($1, ceph_exec_t)
')

########################################
## <summary>
##	Execute ceph server in the ceph domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_initrc_domtrans',`
	gen_require(`
		type ceph_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, ceph_initrc_exec_t)
')
########################################
## <summary>
##	Read ceph's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ceph_read_log',`
	gen_require(`
		type ceph_log_t;
	')

	logging_search_logs($1)
	read_files_pattern($1, ceph_log_t, ceph_log_t)
')

########################################
## <summary>
##	Append to ceph log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_append_log',`
	gen_require(`
		type ceph_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, ceph_log_t, ceph_log_t)
')

########################################
## <summary>
##	Manage ceph log files
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_manage_log',`
	gen_require(`
		type ceph_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, ceph_log_t, ceph_log_t)
	manage_files_pattern($1, ceph_log_t, ceph_log_t)
	manage_lnk_files_pattern($1, ceph_log_t, ceph_log_t)
')

########################################
## <summary>
##	Search ceph lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_search_lib',`
	gen_require(`
		type ceph_var_lib_t;
	')

	allow $1 ceph_var_lib_t:dir search_dir_perms;
	files_search_var_lib($1)
')

########################################
## <summary>
##	Read ceph lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_read_lib_files',`
	gen_require(`
		type ceph_var_lib_t;
	')

	files_search_var_lib($1)
	read_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
')

########################################
## <summary>
##	Manage ceph lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_manage_lib_files',`
	gen_require(`
		type ceph_var_lib_t;
	')

	files_search_var_lib($1)
	manage_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
')

########################################
## <summary>
##	Manage ceph lib directories.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_manage_lib_dirs',`
	gen_require(`
		type ceph_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
')

########################################
## <summary>
##	Read ceph PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_read_pid_files',`
	gen_require(`
		type ceph_var_run_t;
	')

	files_search_pids($1)
	read_files_pattern($1, ceph_var_run_t, ceph_var_run_t)
')


########################################
## <summary>
##	All of the rules required to administrate
##	an ceph environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ceph_admin',`
	gen_require(`
		type ceph_t;
		type ceph_initrc_exec_t;
		type ceph_log_t;
		type ceph_var_lib_t;
		type ceph_var_run_t;
	')

	allow $1 ceph_t:process { signal_perms };
	ps_process_pattern($1, ceph_t)

    tunable_policy(`deny_ptrace',`',`
        allow $1 ceph_t:process ptrace;
    ')

	ceph_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 ceph_initrc_exec_t system_r;
	allow $2 system_r;

	logging_search_logs($1)
	admin_pattern($1, ceph_log_t)

	files_search_var_lib($1)
	admin_pattern($1, ceph_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, ceph_var_run_t)
	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
')
Commit	Line	Data
7c673cae FG	1
	2	## <summary>policy for ceph</summary>
	3
	4	########################################
	5	## <summary>
	6	## Execute ceph_exec_t in the ceph domain.
	7	## </summary>
	8	## <param name="domain">
	9	## <summary>
	10	## Domain allowed to transition.
	11	## </summary>
	12	## </param>
	13	#
	14	interface(`ceph_domtrans',`
	15	gen_require(`
	16	type ceph_t, ceph_exec_t;
	17	')
	18
	19	corecmd_search_bin($1)
	20	domtrans_pattern($1, ceph_exec_t, ceph_t)
	21	')
	22
	23	######################################
	24	## <summary>
	25	## Execute ceph in the caller domain.
	26	## </summary>
	27	## <param name="domain">
	28	## <summary>
	29	## Domain allowed access.
	30	## </summary>
	31	## </param>
	32	#
	33	interface(`ceph_exec',`
	34	gen_require(`
	35	type ceph_exec_t;
	36	')
	37
	38	corecmd_search_bin($1)
	39	can_exec($1, ceph_exec_t)
	40	')
	41
	42	########################################
	43	## <summary>
	44	## Execute ceph server in the ceph domain.
	45	## </summary>
	46	## <param name="domain">
	47	## <summary>
	48	## Domain allowed access.
	49	## </summary>
	50	## </param>
	51	#
	52	interface(`ceph_initrc_domtrans',`
	53	gen_require(`
	54	type ceph_initrc_exec_t;
	55	')
	56
	57	init_labeled_script_domtrans($1, ceph_initrc_exec_t)
	58	')
	59	########################################
	60	## <summary>
	61	## Read ceph's log files.
	62	## </summary>
	63	## <param name="domain">
	64	## <summary>
65	## Domain allowed access.
66	## </summary>
67	## </param>
68	## <rolecap/>
69	#
70	interface(`ceph_read_log',`
71	gen_require(`
72	type ceph_log_t;
73	')
74
75	logging_search_logs($1)
76	read_files_pattern($1, ceph_log_t, ceph_log_t)
77	')
78
79	########################################
80	## <summary>
81	## Append to ceph log files.
82	## </summary>
83	## <param name="domain">
84	## <summary>
85	## Domain allowed access.
86	## </summary>
87	## </param>
88	#
89	interface(`ceph_append_log',`
90	gen_require(`
91	type ceph_log_t;
92	')
93
94	logging_search_logs($1)
95	append_files_pattern($1, ceph_log_t, ceph_log_t)
96	')
97
98	########################################
99	## <summary>
100	## Manage ceph log files
101	## </summary>
102	## <param name="domain">
103	## <summary>
104	## Domain allowed access.
105	## </summary>
106	## </param>
107	#
108	interface(`ceph_manage_log',`
109	gen_require(`
110	type ceph_log_t;
111	')
112
113	logging_search_logs($1)
114	manage_dirs_pattern($1, ceph_log_t, ceph_log_t)
115	manage_files_pattern($1, ceph_log_t, ceph_log_t)
116	manage_lnk_files_pattern($1, ceph_log_t, ceph_log_t)
117	')
118
119	########################################
120	## <summary>
121	## Search ceph lib directories.
122	## </summary>
123	## <param name="domain">
124	## <summary>
125	## Domain allowed access.
126	## </summary>
127	## </param>
128	#
129	interface(`ceph_search_lib',`
130	gen_require(`
131	type ceph_var_lib_t;
132	')
133
134	allow $1 ceph_var_lib_t:dir search_dir_perms;
135	files_search_var_lib($1)
136	')
137
138	########################################
139	## <summary>
140	## Read ceph lib files.
141	## </summary>
142	## <param name="domain">
143	## <summary>
144	## Domain allowed access.
145	## </summary>
146	## </param>
147	#
148	interface(`ceph_read_lib_files',`
149	gen_require(`
150	type ceph_var_lib_t;
151	')
152
153	files_search_var_lib($1)
154	read_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
155	')
156
157	########################################
158	## <summary>
159	## Manage ceph lib files.
160	## </summary>
161	## <param name="domain">
162	## <summary>
163	## Domain allowed access.
164	## </summary>
165	## </param>
166	#
167	interface(`ceph_manage_lib_files',`
168	gen_require(`
169	type ceph_var_lib_t;
170	')
171
172	files_search_var_lib($1)
173	manage_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
174	')
175
176	########################################
177	## <summary>
178	## Manage ceph lib directories.
179	## </summary>
180	## <param name="domain">
181	## <summary>
182	## Domain allowed access.
183	## </summary>
184	## </param>
185	#
186	interface(`ceph_manage_lib_dirs',`
187	gen_require(`
188	type ceph_var_lib_t;
189	')
190
191	files_search_var_lib($1)
192	manage_dirs_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
193	')
194
195	########################################
196	## <summary>
197	## Read ceph PID files.
198	## </summary>
199	## <param name="domain">
200	## <summary>
201	## Domain allowed access.
202	## </summary>
203	## </param>
204	#
205	interface(`ceph_read_pid_files',`
206	gen_require(`
207	type ceph_var_run_t;
208	')
209
210	files_search_pids($1)
211	read_files_pattern($1, ceph_var_run_t, ceph_var_run_t)
212	')
213
214
215	########################################
216	## <summary>
217	## All of the rules required to administrate
218	## an ceph environment
219	## </summary>
220	## <param name="domain">
221	## <summary>
222	## Domain allowed access.
223	## </summary>
224	## </param>
225	## <param name="role">
226	## <summary>
227	## Role allowed access.
228	## </summary>
229	## </param>
230	## <rolecap/>
231	#
232	interface(`ceph_admin',`
233	gen_require(`
234	type ceph_t;
235	type ceph_initrc_exec_t;
236	type ceph_log_t;
237	type ceph_var_lib_t;
238	type ceph_var_run_t;
239	')
240
241	allow $1 ceph_t:process { signal_perms };
242	ps_process_pattern($1, ceph_t)
243
244	tunable_policy(`deny_ptrace',`',`
245	allow $1 ceph_t:process ptrace;
246	')
247
248	ceph_initrc_domtrans($1)
249	domain_system_change_exemption($1)
250	role_transition $2 ceph_initrc_exec_t system_r;
251	allow $2 system_r;
252
253	logging_search_logs($1)
254	admin_pattern($1, ceph_log_t)
255
256	files_search_var_lib($1)
257	admin_pattern($1, ceph_var_lib_t)
258
259	files_search_pids($1)
260	admin_pattern($1, ceph_var_run_t)
261	optional_policy(`
262	systemd_passwd_agent_exec($1)
263	systemd_read_fifo_file_passwd_run($1)
264	')
265	')