commit: e030706d32967b72aca1937437c3d81636f97f08
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Jul 13 17:40:59 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Jul 13 17:40:59 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e030706d
Introduce Ceph policy
policy/modules/contrib/ceph.fc | 30 ++++++++++++
policy/modules/contrib/ceph.if | 104 +++++++++++++++++++++++++++++++++++++++++
policy/modules/contrib/ceph.te | 92 ++++++++++++++++++++++++++++++++++++
3 files changed, 226 insertions(+)
diff --git a/policy/modules/contrib/ceph.fc b/policy/modules/contrib/ceph.fc
new file mode 100644
index 0000000..1548b1e
--- /dev/null
+++ b/policy/modules/contrib/ceph.fc
@@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/ceph(/.*)? gen_context(system_u:object_r:ceph_conf_t,s0)
+/etc/ceph/.*\.secret -- gen_context(system_u:object_r:ceph_key_t,s0)
+/etc/ceph/.*\.keyring -- gen_context(system_u:object_r:ceph_key_t,s0)
+/etc/rc\.d/init\.d/ceph.*
gen_context(system_u:object_r:ceph_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/ceph-mds --
gen_context(system_u:object_r:ceph_mds_exec_t,s0)
+/usr/bin/ceph-mon --
gen_context(system_u:object_r:ceph_mon_exec_t,s0)
+/usr/bin/ceph-osd --
gen_context(system_u:object_r:ceph_osd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/ceph(/.*)? gen_context(system_u:object_r:ceph_var_lib_t,s0)
+/var/lib/ceph/mds(/.*)?
gen_context(system_u:object_r:ceph_mds_data_t,s0)
+/var/lib/ceph/mon(/.*)?
gen_context(system_u:object_r:ceph_mon_data_t,s0)
+/var/lib/ceph/osd(/.*)?
gen_context(system_u:object_r:ceph_osd_data_t,s0)
+
+/var/log/ceph(/.*)? gen_context(system_u:object_r:ceph_log_t,s0)
+
+/var/run/ceph -d gen_context(system_u:object_r:ceph_var_run_t,s0)
+/var/run/ceph/ceph-osd.*
gen_context(system_u:object_r:ceph_osd_var_run_t,s0)
+/var/run/ceph/ceph-mon.*
gen_context(system_u:object_r:ceph_mon_var_run_t,s0)
+/var/run/ceph/ceph-mds.*
gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
+/var/run/ceph/mds.* --
gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
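Review bot: The /var/run entries for `ceph-osd.*`, `ceph-mon.*` and `ceph-mds.*` carry no object-class specifier, so they also label directories and symlinks, while the neighbouring `/var/run/ceph/mds.* --` is restricted to regular files. Since the template in ceph.if only grants the daemons file and sock_file access on the ceph_*_var_run_t types, these entries presumably cover pid files and admin sockets; if so, `--` and `-s` specifiers would make the .fc match what the policy actually allows, though which objects Ceph creates there is not visible from this diff. The same applies to `/etc/rc\.d/init\.d/ceph.*`, where the refpolicy convention is a `--` specifier for the init script itself.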
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
new file mode 100644
index 0000000..26db16f
--- /dev/null
+++ b/policy/modules/contrib/ceph.if
@@ -0,0 +1,104 @@
+## <summary>Ceph distributed object storage</summary>
+
+#########################################
+## <summary>
+## Create the individual Ceph domains
+## </summary>
+## <param name="cephdaemon">
+## <summary>
+## The daemon (osd, mds or mon) for which the rules are created
+## </summary>
+## </param>
+#
+template(`ceph_domain_template',`
+ gen_require(`
+ attribute cephdomain;
+ attribute cephdata;
+ attribute cephpidfile;
+ attribute_role ceph_roles;
+
+ type ceph_var_run_t;
+ ')
+
+ type ceph_$1_t, cephdomain;
+ type ceph_$1_exec_t;
+ init_system_domain(ceph_$1_t, ceph_$1_exec_t)
+ role ceph_roles types ceph_$1_t;
+
+ type ceph_$1_data_t, cephdata;
+ files_type(ceph_$1_data_t)
+
+ type ceph_$1_var_run_t, cephpidfile;
+ files_pid_file(ceph_$1_var_run_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+ # Rules which cannot be made part of the domain
+
+ allow ceph_$1_t ceph_$1_var_run_t:file manage_file_perms;
+ allow ceph_$1_t ceph_$1_var_run_t:sock_file manage_file_perms;
+ allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms;
+ allow ceph_$1_t ceph_$1_data_t:file manage_file_perms;
+
+ filetrans_pattern(ceph_$1_t, ceph_var_run_t, ceph_$1_var_run_t, { file
sock_file })
+
+ files_var_lib_filetrans(ceph_$1_t, ceph_$1_data_t, { file dir })
+')
+
+#########################################
+## <summary>
+## Administrative access for Ceph
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`ceph_admin',`
+ gen_require(`
+ attribute cephdomain;
+ attribute cephdata;
+ type ceph_initrc_exec_t;
+ ')
+
+ allow $1 cephdomain:process { ptrace signal_perms };
+ ps_process_pattern($1, cephdomain)
+
+ init_startstop_service($1, $2, cephdomain, ceph_initrc_exec_t)
+ allow $1 ceph_initrc_exec_t:lnk_file read_lnk_file_perms;
+ allow $1 ceph_initrc_exec_t:file read_file_perms;
+
+ files_list_etc($1)
+ admin_pattern($1, ceph_conf_t)
+ admin_pattern($1, ceph_key_t)
+
+ admin_pattern($1, cephdata)
+
+ admin_pattern($1, ceph_log_t)
+')
+
+#########################################
+## <summary>
+## Read Ceph key files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`ceph_read_key',`
+ gen_require(`
+ type ceph_key_t;
+ ')
+
+ allow $1 ceph_key_t:file read_file_perms;
+')
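Review bot: `ceph_admin` uses ceph_conf_t, ceph_key_t and ceph_log_t in its admin_pattern() calls, but its gen_require block only declares cephdomain, cephdata and ceph_initrc_exec_t, so a module that calls this interface from outside ceph.te will not have those types in scope; the require block should read `type ceph_initrc_exec_t, ceph_conf_t, ceph_key_t, ceph_log_t;`. The `role` parameter's summary repeats "Domain allowed access" and should read `Role allowed access`. In ceph_domain_template, `files_var_lib_filetrans(ceph_$1_t, ceph_$1_data_t, { file dir })` anchors the ceph_$1_data_t transition directly under /var/lib, whereas ceph.fc places the per-daemon data under /var/lib/ceph (ceph_var_lib_t), on which cephdomain only gets search_dir_perms in ceph.te; a `filetrans_pattern(ceph_$1_t, ceph_var_lib_t, ceph_$1_data_t, dir)` with `type ceph_var_lib_t;` added to the require block presumably matches the intended layout better and avoids granting creation directly in /var/lib. Finally, `allow ceph_$1_t ceph_$1_var_run_t:sock_file manage_file_perms;` works but the conventional permission set for that class is `manage_sock_file_perms`.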
diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te
new file mode 100644
index 0000000..9704dd4
--- /dev/null
+++ b/policy/modules/contrib/ceph.te
@@ -0,0 +1,92 @@
+policy_module(ceph, 1.0)
+
+attribute_role ceph_roles;
+
+# Attribute for all ceph runtime domains (not clients)
+attribute cephdomain;
+
+# Attribute for the ceph runtime daemon data
+attribute cephdata;
+
+# Attribute for the ceph pidfile data
+attribute cephpidfile;
+
+# Init support
+type ceph_initrc_exec_t;
+init_script_file(ceph_initrc_exec_t)
+
+type ceph_conf_t;
+files_config_file(ceph_conf_t)
+
+# Private / shared keys for cephx support
+type ceph_key_t;
+files_type(ceph_key_t)
+
+type ceph_log_t;
+logging_log_file(ceph_log_t)
+
+type ceph_var_lib_t;
+files_type(ceph_var_lib_t)
+
+type ceph_var_run_t;
+files_pid_file(ceph_var_run_t)
+
+#########################################
+#
+# General Ceph domain rules
+#
+
+ceph_domain_template(osd)
+ceph_domain_template(mds)
+ceph_domain_template(mon)
+
+allow cephdomain self:fifo_file rw_file_perms;
+
+read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t })
+allow cephdomain ceph_log_t:dir manage_dir_perms;
+allow cephdomain ceph_log_t:file { create_file_perms rw_file_perms };
+allow cephdomain ceph_var_lib_t:dir search_dir_perms;
+allow cephdomain self:netlink_route_socket { rw_netlink_socket_perms };
+allow cephdomain self:tcp_socket { create_socket_perms listen accept };
+allow cephdomain ceph_var_run_t:file manage_file_perms;
+allow cephdomain ceph_var_run_t:dir manage_dir_perms;
+
+kernel_read_system_state(cephdomain)
+
+corenet_tcp_bind_generic_node(cephdomain)
+corenet_tcp_bind_all_unreserved_ports(cephdomain)
+corenet_tcp_connect_all_unreserved_ports(cephdomain)
+
+files_read_etc_files(cephdomain)
+files_search_pids(cephdomain)
+files_search_var_lib(cephdomain)
+files_pid_filetrans(cephdomain, ceph_var_run_t, dir)
+
+fs_getattr_all_fs(cephdomain)
+
+logging_search_logs(cephdomain)
+
+miscfiles_read_localization(cephdomain)
+
+init_use_script_ptys(cephdomain)
+
+
+#########################################
+#
+# Local OSD policy
+#
+
+corecmd_exec_shell(ceph_osd_t)
+
+
+#########################################
+#
+# Local MDS policy
+#
+
+
+#########################################
+#
+# Local MON policy
+#
+
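Review bot: `corenet_tcp_bind_all_unreserved_ports(cephdomain)` and `corenet_tcp_connect_all_unreserved_ports(cephdomain)` let every Ceph daemon bind and connect to any unreserved TCP port, which is considerably wider than the fixed port ranges a Ceph cluster is normally configured with; a dedicated port type for Ceph's listener ports would be tighter, though it is not visible from this diff whether one is defined in this tree. `read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t })` also gives each daemon domain read access to all cephx key material labelled ceph_key_t, so the per-daemon type separation the template sets up for data and pid files does not extend to keys; if that is deliberate, a short comment there would save the next reader the question. On style, `allow cephdomain self:tcp_socket { create_socket_perms listen accept };` is the expansion of `create_stream_socket_perms`, and the braces around `rw_netlink_socket_perms` on the netlink_route_socket rule are unnecessary. The `Local MDS policy` and `Local MON policy` sections are empty and end in doubled blank lines; either drop them until there are rules or leave a single blank line per refpolicy formatting.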