[ceph.git] / ceph / selinux / ceph.te

policy_module(ceph, 1.1.1)

require {
	type sysfs_t;
	type var_run_t;
	type random_device_t;
	type urandom_device_t;
	type setfiles_t;
	type nvme_device_t;
	class sock_file unlink;
	class lnk_file read;
	class dir read;
	class file { getattr read open };
	class blk_file { getattr ioctl open read write };
	class capability2 block_suspend;
}

########################################
#
# Declarations
#

type ceph_t;
type ceph_exec_t;
init_daemon_domain(ceph_t, ceph_exec_t)

permissive ceph_t;

type ceph_initrc_exec_t;
init_script_file(ceph_initrc_exec_t)

type ceph_log_t;
logging_log_file(ceph_log_t)

type ceph_var_lib_t;
files_type(ceph_var_lib_t)

type ceph_var_run_t;
files_pid_file(ceph_var_run_t)

########################################
#
# ceph local policy
#

allow ceph_t self:process { signal_perms };
allow ceph_t self:fifo_file rw_fifo_file_perms;
allow ceph_t self:unix_stream_socket create_stream_socket_perms;
allow ceph_t self:capability { setuid setgid dac_override };
allow ceph_t self:capability2 block_suspend;

manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
manage_lnk_files_pattern(ceph_t, ceph_log_t, ceph_log_t)

manage_dirs_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
manage_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
manage_lnk_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)

manage_dirs_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
manage_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)

kernel_read_system_state(ceph_t)
kernel_read_network_state(ceph_t)

corenet_all_recvfrom_unlabeled(ceph_t)
corenet_all_recvfrom_netlabel(ceph_t)
corenet_udp_sendrecv_generic_if(ceph_t)
corenet_udp_sendrecv_generic_node(ceph_t)
corenet_udp_bind_generic_node(ceph_t)
corenet_tcp_bind_generic_node(ceph_t)

corenet_sendrecv_cyphesis_server_packets(ceph_t)
corenet_tcp_bind_cyphesis_port(ceph_t)
corenet_tcp_sendrecv_cyphesis_port(ceph_t)

corecmd_exec_bin(ceph_t)
corecmd_exec_shell(ceph_t)

dev_read_urand(ceph_t)

domain_read_all_domains_state(ceph_t)

fs_getattr_all_fs(ceph_t)

auth_use_nsswitch(ceph_t)

logging_send_syslog_msg(ceph_t)

sysnet_dns_name_resolve(ceph_t)

allow ceph_t nvme_device_t:blk_file { getattr ioctl open read write };

# basis for future security review
allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
allow ceph_t self:capability { sys_rawio chown };

allow ceph_t self:tcp_socket { accept listen };
corenet_tcp_connect_cyphesis_port(ceph_t)
corenet_tcp_connect_generic_port(ceph_t)
files_list_tmp(ceph_t)
files_manage_generic_tmp_files(ceph_t)
fstools_exec(ceph_t)
nis_use_ypbind_uncond(ceph_t)
storage_raw_rw_fixed_disk(ceph_t)
files_manage_generic_locks(ceph_t)
libs_exec_ldconfig(ceph_t)

allow ceph_t sysfs_t:dir read;
allow ceph_t sysfs_t:file { read getattr open };
allow ceph_t sysfs_t:lnk_file { read getattr };

allow ceph_t random_device_t:chr_file getattr;
allow ceph_t urandom_device_t:chr_file getattr;
allow ceph_t self:process setpgid;
allow ceph_t var_run_t:dir { write create add_name };
allow ceph_t var_run_t:file { read write create open getattr };

fsadm_manage_pid(ceph_t)

#============= setfiles_t ==============
allow setfiles_t ceph_var_lib_t:file write;
Commit	Line	Data
7c673cae FG	1	policy_module(ceph, 1.1.1)
	2
	3	require {
	4	type sysfs_t;
	5	type var_run_t;
	6	type random_device_t;
	7	type urandom_device_t;
181888fb FG	8	type setfiles_t;
181888fb FG	9	type nvme_device_t;
7c673cae FG	10	class sock_file unlink;
	11	class lnk_file read;
	12	class dir read;
	13	class file { getattr read open };
181888fb	14	class blk_file { getattr ioctl open read write };
28e407b8	15	class capability2 block_suspend;
7c673cae FG	16	}
	17
	18	########################################
	19	#
	20	# Declarations
	21	#
	22
	23	type ceph_t;
	24	type ceph_exec_t;
	25	init_daemon_domain(ceph_t, ceph_exec_t)
	26
	27	permissive ceph_t;
	28
	29	type ceph_initrc_exec_t;
	30	init_script_file(ceph_initrc_exec_t)
	31
	32	type ceph_log_t;
	33	logging_log_file(ceph_log_t)
	34
	35	type ceph_var_lib_t;
	36	files_type(ceph_var_lib_t)
	37
	38	type ceph_var_run_t;
	39	files_pid_file(ceph_var_run_t)
	40
	41	########################################
	42	#
	43	# ceph local policy
	44	#
	45
	46	allow ceph_t self:process { signal_perms };
	47	allow ceph_t self:fifo_file rw_fifo_file_perms;
	48	allow ceph_t self:unix_stream_socket create_stream_socket_perms;
	49	allow ceph_t self:capability { setuid setgid dac_override };
28e407b8	50	allow ceph_t self:capability2 block_suspend;
7c673cae FG	51
	52	manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
	53	manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
	54	manage_lnk_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
	55
	56	manage_dirs_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
	57	manage_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
	58	manage_lnk_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
	59
	60	manage_dirs_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
	61	manage_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
	62	manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
	63
	64	kernel_read_system_state(ceph_t)
	65	kernel_read_network_state(ceph_t)
	66
	67	corenet_all_recvfrom_unlabeled(ceph_t)
	68	corenet_all_recvfrom_netlabel(ceph_t)
	69	corenet_udp_sendrecv_generic_if(ceph_t)
	70	corenet_udp_sendrecv_generic_node(ceph_t)
	71	corenet_udp_bind_generic_node(ceph_t)
	72	corenet_tcp_bind_generic_node(ceph_t)
	73
	74	corenet_sendrecv_cyphesis_server_packets(ceph_t)
	75	corenet_tcp_bind_cyphesis_port(ceph_t)
	76	corenet_tcp_sendrecv_cyphesis_port(ceph_t)
	77
	78	corecmd_exec_bin(ceph_t)
	79	corecmd_exec_shell(ceph_t)
	80
	81	dev_read_urand(ceph_t)
	82
	83	domain_read_all_domains_state(ceph_t)
	84
	85	fs_getattr_all_fs(ceph_t)
	86
	87	auth_use_nsswitch(ceph_t)
	88
	89	logging_send_syslog_msg(ceph_t)
	90
	91	sysnet_dns_name_resolve(ceph_t)
	92
181888fb FG	93	allow ceph_t nvme_device_t:blk_file { getattr ioctl open read write };
181888fb FG	94
7c673cae FG	95	# basis for future security review
	96	allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
	97	allow ceph_t self:capability { sys_rawio chown };
	98
	99	allow ceph_t self:tcp_socket { accept listen };
	100	corenet_tcp_connect_cyphesis_port(ceph_t)
	101	corenet_tcp_connect_generic_port(ceph_t)
	102	files_list_tmp(ceph_t)
	103	files_manage_generic_tmp_files(ceph_t)
	104	fstools_exec(ceph_t)
	105	nis_use_ypbind_uncond(ceph_t)
	106	storage_raw_rw_fixed_disk(ceph_t)
	107	files_manage_generic_locks(ceph_t)
28e407b8	108	libs_exec_ldconfig(ceph_t)
7c673cae FG	109
	110	allow ceph_t sysfs_t:dir read;
	111	allow ceph_t sysfs_t:file { read getattr open };
3efd9988	112	allow ceph_t sysfs_t:lnk_file { read getattr };
7c673cae FG	113
	114	allow ceph_t random_device_t:chr_file getattr;
	115	allow ceph_t urandom_device_t:chr_file getattr;
	116	allow ceph_t self:process setpgid;
	117	allow ceph_t var_run_t:dir { write create add_name };
31f18b77	118	allow ceph_t var_run_t:file { read write create open getattr };
7c673cae FG	119
	120	fsadm_manage_pid(ceph_t)
	121
	122	#============= setfiles_t ==============
	123	allow setfiles_t ceph_var_lib_t:file write;