From 19fcec84d8d7d21e796c7624e521b60d28ee21ed Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 20:45:59 +0200 Subject: Adding upstream version 16.2.11+ds. Signed-off-by: Daniel Baumann --- selinux/ceph.te | 163 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 163 insertions(+) create mode 100644 selinux/ceph.te (limited to 'selinux/ceph.te') diff --git a/selinux/ceph.te b/selinux/ceph.te new file mode 100644 index 000000000..77d35d971 --- /dev/null +++ b/selinux/ceph.te @@ -0,0 +1,163 @@ +policy_module(ceph, 1.1.1) + +require { + type sysfs_t; + type configfs_t; + type commplex_main_port_t; + type http_cache_port_t; + type rpm_exec_t; + type rpm_var_lib_t; + type kernel_t; + type var_run_t; + type random_device_t; + type urandom_device_t; + type setfiles_t; + type nvme_device_t; + type targetd_etc_rw_t; + type amqp_port_t; + type soundd_port_t; + class sock_file unlink; + class tcp_socket name_connect_t; + class lnk_file { create getattr read unlink }; + class dir { add_name create getattr open read remove_name rmdir search write }; + class file { create getattr open read rename unlink write ioctl }; + class blk_file { getattr ioctl open read write }; + class capability2 block_suspend; + class process2 { nnp_transition nosuid_transition }; +} + +######################################## +# +# Declarations +# + +type ceph_t; +type ceph_exec_t; +init_daemon_domain(ceph_t, ceph_exec_t) +ceph_exec(ceph_t) + +permissive ceph_t; + +type ceph_initrc_exec_t; +init_script_file(ceph_initrc_exec_t) + +type ceph_log_t; +logging_log_file(ceph_log_t) + +type ceph_var_lib_t; +files_type(ceph_var_lib_t) + +type ceph_var_run_t; +files_pid_file(ceph_var_run_t) + +######################################## +# +# ceph local policy +# + +allow ceph_t self:process { signal_perms }; +allow ceph_t self:fifo_file rw_fifo_file_perms; +allow ceph_t self:unix_stream_socket create_stream_socket_perms; +allow ceph_t self:capability { setuid setgid dac_override dac_read_search }; +allow ceph_t self:capability2 block_suspend; + +manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t) +manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t) +manage_lnk_files_pattern(ceph_t, ceph_log_t, ceph_log_t) + +manage_dirs_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t) +manage_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t) +manage_lnk_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t) + +manage_dirs_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t) +manage_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t) +manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t) + +kernel_read_system_state(ceph_t) +kernel_read_network_state(ceph_t) +allow ceph_t kernel_t:system module_request; + +corenet_all_recvfrom_unlabeled(ceph_t) +corenet_all_recvfrom_netlabel(ceph_t) +corenet_udp_sendrecv_generic_if(ceph_t) +corenet_udp_sendrecv_generic_node(ceph_t) +corenet_udp_bind_generic_node(ceph_t) +corenet_tcp_bind_generic_node(ceph_t) + +corenet_sendrecv_cyphesis_server_packets(ceph_t) +corenet_tcp_bind_cyphesis_port(ceph_t) +corenet_tcp_sendrecv_cyphesis_port(ceph_t) + +allow ceph_t commplex_main_port_t:tcp_socket name_connect; +allow ceph_t http_cache_port_t:tcp_socket name_connect; +allow ceph_t amqp_port_t:tcp_socket name_connect; +allow ceph_t soundd_port_t:tcp_socket name_connect; + +corecmd_exec_bin(ceph_t) +corecmd_exec_shell(ceph_t) + +allow ceph_t rpm_exec_t:file getattr; +allow ceph_t rpm_var_lib_t:dir { add_name write }; +allow ceph_t rpm_var_lib_t:file { create open }; + +dev_read_urand(ceph_t) + +domain_read_all_domains_state(ceph_t) + +fs_getattr_all_fs(ceph_t) + +auth_use_nsswitch(ceph_t) + +logging_send_syslog_msg(ceph_t) + +sysnet_dns_name_resolve(ceph_t) + +udev_read_db(ceph_t) + +allow ceph_t nvme_device_t:blk_file { getattr ioctl open read write }; + +# basis for future security review +allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr }; +allow ceph_t self:capability { sys_rawio chown }; + +allow ceph_t self:tcp_socket { accept listen }; +corenet_tcp_connect_cyphesis_port(ceph_t) +corenet_tcp_connect_generic_port(ceph_t) +files_list_tmp(ceph_t) +files_manage_generic_tmp_files(ceph_t) +fstools_exec(ceph_t) +nis_use_ypbind_uncond(ceph_t) +storage_raw_rw_fixed_disk(ceph_t) +files_manage_generic_locks(ceph_t) +libs_exec_ldconfig(ceph_t) +fs_list_hugetlbfs(ceph_t) +fs_list_tmpfs(ceph_t) +fs_read_cgroup_files(ceph_t) +fs_read_tmpfs_symlinks(ceph_t) +fs_search_cgroup_dirs(ceph_t) +ceph_read_lib_files(init_t) + +allow ceph_t sysfs_t:dir read; +allow ceph_t sysfs_t:file { read getattr open }; +allow ceph_t sysfs_t:lnk_file { read getattr }; + +allow ceph_t configfs_t:dir { add_name create getattr open read remove_name rmdir search write }; +allow ceph_t configfs_t:file { getattr open read write ioctl }; +allow ceph_t configfs_t:lnk_file { create getattr read unlink }; + + +allow ceph_t random_device_t:chr_file getattr; +allow ceph_t urandom_device_t:chr_file getattr; +allow ceph_t self:process setpgid; +allow ceph_t self:process setsched; +allow ceph_t var_run_t:dir { write create add_name }; +allow ceph_t var_run_t:file { read write create open getattr }; +allow ceph_t init_var_run_t:file getattr; +allow init_t ceph_t:process2 { nnp_transition nosuid_transition }; + +allow ceph_t targetd_etc_rw_t:dir { getattr search }; + +fsadm_manage_pid(ceph_t) + +#============= setfiles_t ============== +allow setfiles_t ceph_var_lib_t:file write; -- cgit v1.2.3