[ceph.git] / ceph / selinux / ceph.te

policy_module(ceph, 1.1.1)

require {
	type sysfs_t;
	type configfs_t;
	type commplex_main_port_t;
	type http_cache_port_t;
	type rpm_exec_t;
	type rpm_var_lib_t;
	type kernel_t;
	type var_run_t;
	type random_device_t;
	type urandom_device_t;
	type setfiles_t;
	type nvme_device_t;
	type targetd_etc_rw_t;
	type amqp_port_t;
	type soundd_port_t;
	class sock_file unlink;
	class tcp_socket name_connect_t;
	class lnk_file { create getattr read unlink };
	class dir { add_name create getattr open read remove_name rmdir search write };
	class file { create getattr open read rename unlink write ioctl };
	class blk_file { getattr ioctl open read write };
	class capability2 block_suspend;
	class process2 { nnp_transition nosuid_transition };
}

########################################
#
# Declarations
#

type ceph_t;
type ceph_exec_t;
init_daemon_domain(ceph_t, ceph_exec_t)
ceph_exec(ceph_t)

permissive ceph_t;

type ceph_initrc_exec_t;
init_script_file(ceph_initrc_exec_t)

type ceph_log_t;
logging_log_file(ceph_log_t)

type ceph_var_lib_t;
files_type(ceph_var_lib_t)

type ceph_var_run_t;
files_pid_file(ceph_var_run_t)

########################################
#
# ceph local policy
#

allow ceph_t self:process { signal_perms };
allow ceph_t self:fifo_file rw_fifo_file_perms;
allow ceph_t self:unix_stream_socket create_stream_socket_perms;
allow ceph_t self:capability { setuid setgid dac_override dac_read_search };
allow ceph_t self:capability2 block_suspend;

manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
manage_lnk_files_pattern(ceph_t, ceph_log_t, ceph_log_t)

manage_dirs_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
manage_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
manage_lnk_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)

manage_dirs_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
manage_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)

kernel_read_system_state(ceph_t)
kernel_read_network_state(ceph_t)
ifdef(`kernel_io_uring_use',`
	kernel_io_uring_use(ceph_t)
')
allow ceph_t kernel_t:system module_request;

corenet_all_recvfrom_unlabeled(ceph_t)
corenet_all_recvfrom_netlabel(ceph_t)
corenet_udp_sendrecv_generic_if(ceph_t)
corenet_udp_sendrecv_generic_node(ceph_t)
corenet_udp_bind_generic_node(ceph_t)
corenet_tcp_bind_generic_node(ceph_t)

corenet_sendrecv_cyphesis_server_packets(ceph_t)
corenet_tcp_bind_cyphesis_port(ceph_t)
corenet_tcp_sendrecv_cyphesis_port(ceph_t)

allow ceph_t commplex_main_port_t:tcp_socket name_connect;
allow ceph_t http_cache_port_t:tcp_socket name_connect;
allow ceph_t amqp_port_t:tcp_socket name_connect;
allow ceph_t soundd_port_t:tcp_socket name_connect;

corecmd_exec_bin(ceph_t)
corecmd_exec_shell(ceph_t)

allow ceph_t rpm_exec_t:file getattr;
allow ceph_t rpm_var_lib_t:dir { add_name write };
allow ceph_t rpm_var_lib_t:file { create open };

dev_read_urand(ceph_t)

domain_read_all_domains_state(ceph_t)

fs_getattr_all_fs(ceph_t)

auth_use_nsswitch(ceph_t)

logging_send_syslog_msg(ceph_t)

sysnet_dns_name_resolve(ceph_t)

udev_read_db(ceph_t)

allow ceph_t nvme_device_t:blk_file { getattr ioctl open read write };

# basis for future security review
allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
allow ceph_t self:capability { sys_rawio chown };

allow ceph_t self:tcp_socket { accept listen };
corenet_tcp_connect_cyphesis_port(ceph_t)
corenet_tcp_connect_generic_port(ceph_t)
files_list_tmp(ceph_t)
files_manage_generic_tmp_files(ceph_t)
fstools_exec(ceph_t)
nis_use_ypbind_uncond(ceph_t)
storage_raw_rw_fixed_disk(ceph_t)
files_manage_generic_locks(ceph_t)
libs_exec_ldconfig(ceph_t)
fs_list_hugetlbfs(ceph_t)
fs_list_tmpfs(ceph_t)
fs_read_cgroup_files(ceph_t)
fs_read_tmpfs_symlinks(ceph_t)
fs_search_cgroup_dirs(ceph_t)
ceph_read_lib_files(init_t)

allow ceph_t sysfs_t:dir read;
allow ceph_t sysfs_t:file { read getattr open };
allow ceph_t sysfs_t:lnk_file { read getattr };

allow ceph_t configfs_t:dir { add_name create getattr open read remove_name rmdir search write };
allow ceph_t configfs_t:file { getattr open read write ioctl };
allow ceph_t configfs_t:lnk_file { create getattr read unlink };


allow ceph_t random_device_t:chr_file getattr;
allow ceph_t urandom_device_t:chr_file getattr;
allow ceph_t self:process setpgid;
allow ceph_t self:process setsched;
allow ceph_t var_run_t:dir { write create add_name };
allow ceph_t var_run_t:file { read write create open getattr };
allow ceph_t init_var_run_t:file getattr;
allow init_t ceph_t:process2 { nnp_transition nosuid_transition };

allow ceph_t targetd_etc_rw_t:dir { getattr search };

fsadm_manage_pid(ceph_t)

#============= setfiles_t ==============
allow setfiles_t ceph_var_lib_t:file write;
Commit	Line	Data
7c673cae FG	1	policy_module(ceph, 1.1.1)
	2
	3	require {
	4	type sysfs_t;
11fdf7f2 TL	5	type configfs_t;
11fdf7f2 TL	6	type commplex_main_port_t;
e306af50	7	type http_cache_port_t;
11fdf7f2 TL	8	type rpm_exec_t;
	9	type rpm_var_lib_t;
	10	type kernel_t;
7c673cae FG	11	type var_run_t;
	12	type random_device_t;
	13	type urandom_device_t;
181888fb FG	14	type setfiles_t;
181888fb FG	15	type nvme_device_t;
f6b5b4d7 TL	16	type targetd_etc_rw_t;
	17	type amqp_port_t;
	18	type soundd_port_t;
7c673cae	19	class sock_file unlink;
11fdf7f2 TL	20	class tcp_socket name_connect_t;
	21	class lnk_file { create getattr read unlink };
	22	class dir { add_name create getattr open read remove_name rmdir search write };
f6b5b4d7	23	class file { create getattr open read rename unlink write ioctl };
181888fb	24	class blk_file { getattr ioctl open read write };
28e407b8	25	class capability2 block_suspend;
81eedcae	26	class process2 { nnp_transition nosuid_transition };
7c673cae FG	27	}
	28
	29	########################################
	30	#
	31	# Declarations
	32	#
	33
	34	type ceph_t;
	35	type ceph_exec_t;
	36	init_daemon_domain(ceph_t, ceph_exec_t)
81eedcae	37	ceph_exec(ceph_t)
7c673cae FG	38
	39	permissive ceph_t;
	40
	41	type ceph_initrc_exec_t;
	42	init_script_file(ceph_initrc_exec_t)
	43
	44	type ceph_log_t;
	45	logging_log_file(ceph_log_t)
	46
	47	type ceph_var_lib_t;
	48	files_type(ceph_var_lib_t)
	49
	50	type ceph_var_run_t;
	51	files_pid_file(ceph_var_run_t)
	52
	53	########################################
	54	#
	55	# ceph local policy
	56	#
	57
	58	allow ceph_t self:process { signal_perms };
	59	allow ceph_t self:fifo_file rw_fifo_file_perms;
	60	allow ceph_t self:unix_stream_socket create_stream_socket_perms;
81eedcae	61	allow ceph_t self:capability { setuid setgid dac_override dac_read_search };
28e407b8	62	allow ceph_t self:capability2 block_suspend;
7c673cae FG	63
	64	manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
	65	manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
	66	manage_lnk_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
	67
	68	manage_dirs_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
	69	manage_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
	70	manage_lnk_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
	71
	72	manage_dirs_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
	73	manage_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
	74	manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
	75
	76	kernel_read_system_state(ceph_t)
	77	kernel_read_network_state(ceph_t)
1e59de90 TL	78	ifdef(`kernel_io_uring_use',`
	79	kernel_io_uring_use(ceph_t)
	80	')
11fdf7f2	81	allow ceph_t kernel_t:system module_request;
7c673cae FG	82
	83	corenet_all_recvfrom_unlabeled(ceph_t)
	84	corenet_all_recvfrom_netlabel(ceph_t)
	85	corenet_udp_sendrecv_generic_if(ceph_t)
	86	corenet_udp_sendrecv_generic_node(ceph_t)
	87	corenet_udp_bind_generic_node(ceph_t)
	88	corenet_tcp_bind_generic_node(ceph_t)
	89
	90	corenet_sendrecv_cyphesis_server_packets(ceph_t)
	91	corenet_tcp_bind_cyphesis_port(ceph_t)
	92	corenet_tcp_sendrecv_cyphesis_port(ceph_t)
	93
11fdf7f2	94	allow ceph_t commplex_main_port_t:tcp_socket name_connect;
e306af50	95	allow ceph_t http_cache_port_t:tcp_socket name_connect;
f6b5b4d7 TL	96	allow ceph_t amqp_port_t:tcp_socket name_connect;
f6b5b4d7 TL	97	allow ceph_t soundd_port_t:tcp_socket name_connect;
11fdf7f2	98
7c673cae FG	99	corecmd_exec_bin(ceph_t)
	100	corecmd_exec_shell(ceph_t)
	101
11fdf7f2 TL	102	allow ceph_t rpm_exec_t:file getattr;
	103	allow ceph_t rpm_var_lib_t:dir { add_name write };
	104	allow ceph_t rpm_var_lib_t:file { create open };
	105
7c673cae FG	106	dev_read_urand(ceph_t)
	107
	108	domain_read_all_domains_state(ceph_t)
	109
	110	fs_getattr_all_fs(ceph_t)
	111
	112	auth_use_nsswitch(ceph_t)
	113
	114	logging_send_syslog_msg(ceph_t)
	115
	116	sysnet_dns_name_resolve(ceph_t)
	117
92f5a8d4 TL	118	udev_read_db(ceph_t)
92f5a8d4 TL	119
181888fb FG	120	allow ceph_t nvme_device_t:blk_file { getattr ioctl open read write };
181888fb FG	121
7c673cae FG	122	# basis for future security review
	123	allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
	124	allow ceph_t self:capability { sys_rawio chown };
	125
	126	allow ceph_t self:tcp_socket { accept listen };
	127	corenet_tcp_connect_cyphesis_port(ceph_t)
	128	corenet_tcp_connect_generic_port(ceph_t)
	129	files_list_tmp(ceph_t)
	130	files_manage_generic_tmp_files(ceph_t)
	131	fstools_exec(ceph_t)
	132	nis_use_ypbind_uncond(ceph_t)
	133	storage_raw_rw_fixed_disk(ceph_t)
	134	files_manage_generic_locks(ceph_t)
28e407b8	135	libs_exec_ldconfig(ceph_t)
81eedcae TL	136	fs_list_hugetlbfs(ceph_t)
	137	fs_list_tmpfs(ceph_t)
	138	fs_read_cgroup_files(ceph_t)
	139	fs_read_tmpfs_symlinks(ceph_t)
	140	fs_search_cgroup_dirs(ceph_t)
	141	ceph_read_lib_files(init_t)
7c673cae FG	142
	143	allow ceph_t sysfs_t:dir read;
	144	allow ceph_t sysfs_t:file { read getattr open };
3efd9988	145	allow ceph_t sysfs_t:lnk_file { read getattr };
7c673cae	146
11fdf7f2	147	allow ceph_t configfs_t:dir { add_name create getattr open read remove_name rmdir search write };
f6b5b4d7	148	allow ceph_t configfs_t:file { getattr open read write ioctl };
11fdf7f2 TL	149	allow ceph_t configfs_t:lnk_file { create getattr read unlink };
	150
	151
7c673cae FG	152	allow ceph_t random_device_t:chr_file getattr;
	153	allow ceph_t urandom_device_t:chr_file getattr;
	154	allow ceph_t self:process setpgid;
9f95a23c	155	allow ceph_t self:process setsched;
7c673cae	156	allow ceph_t var_run_t:dir { write create add_name };
31f18b77	157	allow ceph_t var_run_t:file { read write create open getattr };
81eedcae TL	158	allow ceph_t init_var_run_t:file getattr;
81eedcae TL	159	allow init_t ceph_t:process2 { nnp_transition nosuid_transition };
7c673cae	160
f6b5b4d7 TL	161	allow ceph_t targetd_etc_rw_t:dir { getattr search };
f6b5b4d7 TL	162
7c673cae FG	163	fsadm_manage_pid(ceph_t)
	164
	165	#============= setfiles_t ==============
	166	allow setfiles_t ceph_var_lib_t:file write;