diff options
Diffstat (limited to 'policy/modules/contrib/ceph.if')
-rw-r--r-- | policy/modules/contrib/ceph.if | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if new file mode 100644 index 000000000..010c6b110 --- /dev/null +++ b/policy/modules/contrib/ceph.if @@ -0,0 +1,105 @@ +## <summary>Ceph distributed object storage</summary> + +######################################### +## <summary> +## Create the individual Ceph domains +## </summary> +## <param name="cephdaemon"> +## <summary> +## The daemon (osd, mds or mon) for which the rules are created +## </summary> +## </param> +# +template(`ceph_domain_template',` + gen_require(` + attribute cephdomain; + attribute cephdata; + attribute cephpidfile; + attribute_role ceph_roles; + + type ceph_runtime_t; + ') + + type ceph_$1_t, cephdomain; + type ceph_$1_exec_t; + init_system_domain(ceph_$1_t, ceph_$1_exec_t) + role ceph_roles types ceph_$1_t; + + type ceph_$1_data_t, cephdata; + files_type(ceph_$1_data_t) + + type ceph_$1_runtime_t, cephpidfile; + typealias ceph_$1_runtime_t alias ceph_$1_var_run_t; + files_runtime_file(ceph_$1_runtime_t) + + ######################################## + # + # Local policy + # + # Rules which cannot be made part of the domain + + allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms; + allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_sock_file_perms; + allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms; + allow ceph_$1_t ceph_$1_data_t:file manage_file_perms; + + filetrans_pattern(ceph_$1_t, ceph_runtime_t, ceph_$1_runtime_t, { file sock_file }) + + files_var_lib_filetrans(ceph_$1_t, ceph_$1_data_t, { file dir }) +') + +######################################### +## <summary> +## Administrative access for Ceph +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +## <param name="role"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`ceph_admin',` + gen_require(` + attribute cephdomain, cephdata; + type ceph_initrc_exec_t, ceph_log_t; + type ceph_conf_t, ceph_key_t; + ') + + allow $1 cephdomain:process { ptrace signal_perms }; + ps_process_pattern($1, cephdomain) + + init_startstop_service($1, $2, cephdomain, ceph_initrc_exec_t) + allow $1 ceph_initrc_exec_t:lnk_file read_lnk_file_perms; + allow $1 ceph_initrc_exec_t:file read_file_perms; + + files_list_etc($1) + admin_pattern($1, ceph_conf_t) + admin_pattern($1, ceph_key_t) + + admin_pattern($1, cephdata) + + admin_pattern($1, ceph_log_t) +') + +######################################### +## <summary> +## Read Ceph key files +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access +## </summary> +## </param> +# +interface(`ceph_read_key',` + gen_require(` + type ceph_key_t; + ') + + allow $1 ceph_key_t:file read_file_perms; +') |