Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/ceph.if
diff options
context:
space:
mode:
Diffstat (limited to 'policy/modules/contrib/ceph.if')
-rw-r--r--policy/modules/contrib/ceph.if105
1 files changed, 105 insertions, 0 deletions
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
new file mode 100644
index 000000000..010c6b110
--- /dev/null
+++ b/policy/modules/contrib/ceph.if
@@ -0,0 +1,105 @@
+## <summary>Ceph distributed object storage</summary>
+
+#########################################
+## <summary>
+## Create the individual Ceph domains
+## </summary>
+## <param name="cephdaemon">
+## <summary>
+## The daemon (osd, mds or mon) for which the rules are created
+## </summary>
+## </param>
+#
+template(`ceph_domain_template',`
+ gen_require(`
+ attribute cephdomain;
+ attribute cephdata;
+ attribute cephpidfile;
+ attribute_role ceph_roles;
+
+ type ceph_runtime_t;
+ ')
+
+ type ceph_$1_t, cephdomain;
+ type ceph_$1_exec_t;
+ init_system_domain(ceph_$1_t, ceph_$1_exec_t)
+ role ceph_roles types ceph_$1_t;
+
+ type ceph_$1_data_t, cephdata;
+ files_type(ceph_$1_data_t)
+
+ type ceph_$1_runtime_t, cephpidfile;
+ typealias ceph_$1_runtime_t alias ceph_$1_var_run_t;
+ files_runtime_file(ceph_$1_runtime_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+ # Rules which cannot be made part of the domain
+
+ allow ceph_$1_t ceph_$1_runtime_t:file manage_file_perms;
+ allow ceph_$1_t ceph_$1_runtime_t:sock_file manage_sock_file_perms;
+ allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms;
+ allow ceph_$1_t ceph_$1_data_t:file manage_file_perms;
+
+ filetrans_pattern(ceph_$1_t, ceph_runtime_t, ceph_$1_runtime_t, { file sock_file })
+
+ files_var_lib_filetrans(ceph_$1_t, ceph_$1_data_t, { file dir })
+')
+
+#########################################
+## <summary>
+## Administrative access for Ceph
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`ceph_admin',`
+ gen_require(`
+ attribute cephdomain, cephdata;
+ type ceph_initrc_exec_t, ceph_log_t;
+ type ceph_conf_t, ceph_key_t;
+ ')
+
+ allow $1 cephdomain:process { ptrace signal_perms };
+ ps_process_pattern($1, cephdomain)
+
+ init_startstop_service($1, $2, cephdomain, ceph_initrc_exec_t)
+ allow $1 ceph_initrc_exec_t:lnk_file read_lnk_file_perms;
+ allow $1 ceph_initrc_exec_t:file read_file_perms;
+
+ files_list_etc($1)
+ admin_pattern($1, ceph_conf_t)
+ admin_pattern($1, ceph_key_t)
+
+ admin_pattern($1, cephdata)
+
+ admin_pattern($1, ceph_log_t)
+')
+
+#########################################
+## <summary>
+## Read Ceph key files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`ceph_read_key',`
+ gen_require(`
+ type ceph_key_t;
+ ')
+
+ allow $1 ceph_key_t:file read_file_perms;
+')