1 | |
2 | ## <summary>policy for ceph</summary> | |
3 | ||
########################################
## <summary>
##	Execute ceph_exec_t in the ceph domain.
## </summary>
## <desc>
##	<p>
##	Execute a file labeled ceph_exec_t and automatically
##	transition the new process into ceph_t, so it runs with
##	the privileges of the ceph domain rather than the caller's.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`ceph_domtrans',`
	gen_require(`
		type ceph_t, ceph_exec_t;
	')

	# the caller must be able to search bin directories to reach the binary
	corecmd_search_bin($1)
	domtrans_pattern($1, ceph_exec_t, ceph_t)
')
22 | ||
######################################
## <summary>
##	Execute ceph in the caller domain.
## </summary>
## <desc>
##	<p>
##	No domain transition takes place: the ceph program inherits
##	the caller's domain and therefore the caller's privileges.
##	Use ceph_domtrans() instead when the program should be
##	confined in ceph_t.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_exec',`
	gen_require(`
		type ceph_exec_t;
	')

	corecmd_search_bin($1)
	# execute only; no transition to ceph_t
	can_exec($1, ceph_exec_t)
')
41 | ||
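########################################
## <summary>
##	Execute ceph init scripts in the init script domain.
## </summary>
## <desc>
##	<p>
##	Transition to the init script domain when executing a file
##	labeled ceph_initrc_exec_t. This does not execute the ceph
##	server itself; use ceph_domtrans() for that.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_initrc_domtrans',`
	gen_require(`
		type ceph_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, ceph_initrc_exec_t)
')
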
########################################
## <summary>
##	Read ceph's log files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ceph_read_log',`
	gen_require(`
		type ceph_log_t;
	')

	# search access to the log parent directory plus read on ceph_log_t files
	logging_search_logs($1)
	read_files_pattern($1, ceph_log_t, ceph_log_t)
')
78 | ||
########################################
## <summary>
##	Append to ceph log files.
## </summary>
## <desc>
##	<p>
##	Grants append (not read or overwrite) on ceph_log_t files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_append_log',`
	gen_require(`
		type ceph_log_t;
	')

	logging_search_logs($1)
	append_files_pattern($1, ceph_log_t, ceph_log_t)
')
97 | ||
########################################
## <summary>
##	Manage ceph log files.
## </summary>
## <desc>
##	<p>
##	Full create/read/write/delete access to ceph_log_t
##	directories, files and symbolic links. This includes the
##	ability to remove or truncate logs, so grant it only to
##	domains that genuinely rotate or manage them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_manage_log',`
	gen_require(`
		type ceph_log_t;
	')

	logging_search_logs($1)
	manage_dirs_pattern($1, ceph_log_t, ceph_log_t)
	manage_files_pattern($1, ceph_log_t, ceph_log_t)
	manage_lnk_files_pattern($1, ceph_log_t, ceph_log_t)
')
118 | ||
########################################
## <summary>
##	Search ceph lib directories.
## </summary>
## <desc>
##	<p>
##	Search-only access to ceph_var_lib_t directories; no
##	read access to the files inside them.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_search_lib',`
	gen_require(`
		type ceph_var_lib_t;
	')

	# reach the var_lib parent first, then search the ceph state directories
	files_search_var_lib($1)
	search_dirs_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
')
137 | ||
########################################
## <summary>
##	Read ceph lib files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_read_lib_files',`
	gen_require(`
		type ceph_var_lib_t;
	')

	# NOTE(review): the ceph state tree typically holds cluster keyrings,
	# so read access here is sensitive — confirm the caller needs it.
	files_search_var_lib($1)
	read_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
')
156 | ||
########################################
## <summary>
##	Manage ceph lib files.
## </summary>
## <desc>
##	<p>
##	Create, read, write and delete ceph_var_lib_t files. Directory
##	management is granted separately by ceph_manage_lib_dirs().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_manage_lib_files',`
	gen_require(`
		type ceph_var_lib_t;
	')

	# NOTE(review): write access to ceph's state tree likely covers key
	# material — confirm the caller needs it before granting.
	files_search_var_lib($1)
	manage_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
')
175 | ||
########################################
## <summary>
##	Manage ceph lib directories.
## </summary>
## <desc>
##	<p>
##	Create, rename and delete ceph_var_lib_t directories. File
##	content access is granted separately by ceph_manage_lib_files().
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_manage_lib_dirs',`
	gen_require(`
		type ceph_var_lib_t;
	')

	files_search_var_lib($1)
	manage_dirs_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
')
194 | ||
########################################
## <summary>
##	Read ceph PID files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ceph_read_pid_files',`
	gen_require(`
		type ceph_var_run_t;
	')

	# search the pid parent directory, then read ceph_var_run_t files
	files_search_pids($1)
	read_files_pattern($1, ceph_var_run_t, ceph_var_run_t)
')
213 | ||
214 | ||
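########################################
## <summary>
##	All of the rules required to administrate
##	a ceph environment.
## </summary>
## <desc>
##	<p>
##	Grants the domain signal, inspection and (unless the
##	deny_ptrace boolean is set) ptrace access to ceph_t, the
##	ability to run the ceph init script with the role moved
##	to system_r, and full management of ceph's log, state
##	and pid files.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`ceph_admin',`
	gen_require(`
		type ceph_t;
		type ceph_initrc_exec_t;
		type ceph_log_t;
		type ceph_var_lib_t;
		type ceph_var_run_t;
	')

	# signal and inspect the ceph daemon processes
	allow $1 ceph_t:process signal_perms;
	ps_process_pattern($1, ceph_t)

	# ptrace of ceph_t is only granted while the deny_ptrace boolean is off
	tunable_policy(`deny_ptrace',`',`
		allow $1 ceph_t:process ptrace;
	')

	# run the init script; the admin role transitions to system_r for it
	ceph_initrc_domtrans($1)
	domain_system_change_exemption($1)
	role_transition $2 ceph_initrc_exec_t system_r;
	allow $2 system_r;

	# full management of ceph's logs, state tree and pid files
	logging_search_logs($1)
	admin_pattern($1, ceph_log_t)

	files_search_var_lib($1)
	admin_pattern($1, ceph_var_lib_t)

	files_search_pids($1)
	admin_pattern($1, ceph_var_run_t)

	optional_policy(`
		systemd_passwd_agent_exec($1)
		systemd_read_fifo_file_passwd_run($1)
	')
')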