From 19fcec84d8d7d21e796c7624e521b60d28ee21ed Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 20:45:59 +0200
Subject: Adding upstream version 16.2.11+ds.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 selinux/ceph.te | 163 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 163 insertions(+)
 create mode 100644 selinux/ceph.te

(limited to 'selinux/ceph.te')

diff --git a/selinux/ceph.te b/selinux/ceph.te
new file mode 100644
index 000000000..77d35d971
--- /dev/null
+++ b/selinux/ceph.te
@@ -0,0 +1,163 @@
+policy_module(ceph, 1.1.1)
+
+require {
+	type sysfs_t;
+	type configfs_t;
+	type commplex_main_port_t;
+	type http_cache_port_t;
+	type rpm_exec_t;
+	type rpm_var_lib_t;
+	type kernel_t;
+	type var_run_t;
+	type random_device_t;
+	type urandom_device_t;
+	type setfiles_t;
+	type nvme_device_t;
+	type targetd_etc_rw_t;
+	type amqp_port_t;
+	type soundd_port_t;
+	class sock_file unlink;
+	class tcp_socket name_connect_t;
+	class lnk_file { create getattr read unlink };
+	class dir { add_name create getattr open read remove_name rmdir search write };
+	class file { create getattr open read rename unlink write ioctl };
+	class blk_file { getattr ioctl open read write };
+	class capability2 block_suspend;
+	class process2 { nnp_transition nosuid_transition };
+}
+
+########################################
+#
+# Declarations
+#
+
+type ceph_t;
+type ceph_exec_t;
+init_daemon_domain(ceph_t, ceph_exec_t)
+ceph_exec(ceph_t)
+
+permissive ceph_t;
+
+type ceph_initrc_exec_t;
+init_script_file(ceph_initrc_exec_t)
+
+type ceph_log_t;
+logging_log_file(ceph_log_t)
+
+type ceph_var_lib_t;
+files_type(ceph_var_lib_t)
+
+type ceph_var_run_t;
+files_pid_file(ceph_var_run_t)
+
+########################################
+#
+# ceph local policy
+#
+
+allow ceph_t self:process { signal_perms };
+allow ceph_t self:fifo_file rw_fifo_file_perms;
+allow ceph_t self:unix_stream_socket create_stream_socket_perms;
+allow ceph_t self:capability { setuid setgid dac_override dac_read_search };
+allow ceph_t self:capability2 block_suspend;
+
+manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
+manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
+manage_lnk_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
+
+manage_dirs_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
+manage_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
+manage_lnk_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
+
+manage_dirs_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
+manage_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
+manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
+
+kernel_read_system_state(ceph_t)
+kernel_read_network_state(ceph_t)
+allow ceph_t kernel_t:system module_request;
+
+corenet_all_recvfrom_unlabeled(ceph_t)
+corenet_all_recvfrom_netlabel(ceph_t)
+corenet_udp_sendrecv_generic_if(ceph_t)
+corenet_udp_sendrecv_generic_node(ceph_t)
+corenet_udp_bind_generic_node(ceph_t)
+corenet_tcp_bind_generic_node(ceph_t)
+
+corenet_sendrecv_cyphesis_server_packets(ceph_t)
+corenet_tcp_bind_cyphesis_port(ceph_t)
+corenet_tcp_sendrecv_cyphesis_port(ceph_t)
+
+allow ceph_t commplex_main_port_t:tcp_socket name_connect;
+allow ceph_t http_cache_port_t:tcp_socket name_connect;
+allow ceph_t amqp_port_t:tcp_socket name_connect;
+allow ceph_t soundd_port_t:tcp_socket name_connect;
+
+corecmd_exec_bin(ceph_t)
+corecmd_exec_shell(ceph_t)
+
+allow ceph_t rpm_exec_t:file getattr;
+allow ceph_t rpm_var_lib_t:dir { add_name write };
+allow ceph_t rpm_var_lib_t:file { create open };
+
+dev_read_urand(ceph_t)
+
+domain_read_all_domains_state(ceph_t)
+
+fs_getattr_all_fs(ceph_t)
+
+auth_use_nsswitch(ceph_t)
+
+logging_send_syslog_msg(ceph_t)
+
+sysnet_dns_name_resolve(ceph_t)
+
+udev_read_db(ceph_t)
+
+allow ceph_t nvme_device_t:blk_file { getattr ioctl open read write };
+
+# basis for future security review
+allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
+allow ceph_t self:capability { sys_rawio chown };
+
+allow ceph_t self:tcp_socket { accept listen };
+corenet_tcp_connect_cyphesis_port(ceph_t)
+corenet_tcp_connect_generic_port(ceph_t)
+files_list_tmp(ceph_t)
+files_manage_generic_tmp_files(ceph_t)
+fstools_exec(ceph_t)
+nis_use_ypbind_uncond(ceph_t)
+storage_raw_rw_fixed_disk(ceph_t)
+files_manage_generic_locks(ceph_t)
+libs_exec_ldconfig(ceph_t)
+fs_list_hugetlbfs(ceph_t)
+fs_list_tmpfs(ceph_t)
+fs_read_cgroup_files(ceph_t)
+fs_read_tmpfs_symlinks(ceph_t)
+fs_search_cgroup_dirs(ceph_t)
+ceph_read_lib_files(init_t)
+
+allow ceph_t sysfs_t:dir read;
+allow ceph_t sysfs_t:file { read getattr open };
+allow ceph_t sysfs_t:lnk_file { read getattr };
+
+allow ceph_t configfs_t:dir { add_name create getattr open read remove_name rmdir search write };
+allow ceph_t configfs_t:file { getattr open read write ioctl };
+allow ceph_t configfs_t:lnk_file { create getattr read unlink };
+
+
+allow ceph_t random_device_t:chr_file getattr;
+allow ceph_t urandom_device_t:chr_file getattr;
+allow ceph_t self:process setpgid;
+allow ceph_t self:process setsched;
+allow ceph_t var_run_t:dir { write create add_name };
+allow ceph_t var_run_t:file { read write create open getattr };
+allow ceph_t init_var_run_t:file getattr;
+allow init_t ceph_t:process2 { nnp_transition nosuid_transition };
+
+allow ceph_t targetd_etc_rw_t:dir { getattr search };
+
+fsadm_manage_pid(ceph_t)
+
+#============= setfiles_t ==============
+allow setfiles_t ceph_var_lib_t:file write;
-- 
cgit v1.2.3