Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
aboutsummaryrefslogtreecommitdiff
path: root/policy/modules/contrib/ceph.te
blob: b1994a5364435dc5057ad6bf269217329daca0d6 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92

policy_module(ceph, 1.0)

attribute_role ceph_roles;

# Attribute for all ceph runtime domains (not clients)
attribute cephdomain;

# Attribute for the ceph runtime daemon data
attribute cephdata;

# Attribute for the ceph pidfile data
attribute cephpidfile;

# Init support
type ceph_initrc_exec_t;
init_script_file(ceph_initrc_exec_t)

type ceph_conf_t;
files_config_file(ceph_conf_t)

# Private / shared keys for cephx support
type ceph_key_t;
files_type(ceph_key_t)

type ceph_log_t;
logging_log_file(ceph_log_t)

type ceph_var_lib_t;
files_type(ceph_var_lib_t)

type ceph_runtime_t alias ceph_var_run_t;
files_runtime_file(ceph_runtime_t)

#########################################
#
# General Ceph domain rules
#

ceph_domain_template(osd)
ceph_domain_template(mds)
ceph_domain_template(mon)

allow cephdomain self:fifo_file rw_fifo_file_perms;

read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t })
allow cephdomain ceph_log_t:dir manage_dir_perms;
allow cephdomain ceph_log_t:file { create_file_perms rw_file_perms };
allow cephdomain ceph_var_lib_t:dir search_dir_perms;
allow cephdomain self:netlink_route_socket { rw_netlink_socket_perms };
allow cephdomain self:tcp_socket { create_socket_perms listen accept };
allow cephdomain ceph_runtime_t:file manage_file_perms;
allow cephdomain ceph_runtime_t:dir manage_dir_perms;

kernel_read_system_state(cephdomain)

corenet_tcp_bind_generic_node(cephdomain)
corenet_tcp_bind_all_unreserved_ports(cephdomain)
corenet_tcp_connect_all_unreserved_ports(cephdomain)

files_read_etc_files(cephdomain)
files_search_runtime(cephdomain)
files_search_var_lib(cephdomain)
files_runtime_filetrans(cephdomain, ceph_runtime_t, dir)

fs_getattr_all_fs(cephdomain)

logging_search_logs(cephdomain)

miscfiles_read_localization(cephdomain)

init_use_script_ptys(cephdomain)


#########################################
#
# Local OSD policy
#

corecmd_exec_shell(ceph_osd_t)


#########################################
#
# Local MDS policy
#


#########################################
#
# Local MON policy
#