From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 2D40E138D17 for ; Mon, 13 Jul 2015 17:42:25 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 29465E08ED; Mon, 13 Jul 2015 17:42:23 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 5AA01E08ED for ; Mon, 13 Jul 2015 17:42:22 +0000 (UTC) Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 205C434072E for ; Mon, 13 Jul 2015 17:42:21 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id E0475905 for ; Mon, 13 Jul 2015 17:42:19 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1436809259.e030706d32967b72aca1937437c3d81636f97f08.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/ceph.fc policy/modules/contrib/ceph.if policy/modules/contrib/ceph.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: e030706d32967b72aca1937437c3d81636f97f08 X-VCS-Branch: master Date: Mon, 13 Jul 2015 17:42:19 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 3b425e6a-e326-4179-8f51-06f17f9d6860 X-Archives-Hash: 67bdb0b41eb5e945e33a51f143562722 commit: e030706d32967b72aca1937437c3d81636f97f08 Author: Sven Vermeulen siphos be> AuthorDate: Mon Jul 13 17:40:59 2015 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Mon Jul 13 17:40:59 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e030706d Introduce Ceph policy policy/modules/contrib/ceph.fc | 30 ++++++++++++ policy/modules/contrib/ceph.if | 104 +++++++++++++++++++++++++++++++++++++++++ policy/modules/contrib/ceph.te | 92 ++++++++++++++++++++++++++++++++++++ 3 files changed, 226 insertions(+)
diff --git a/policy/modules/contrib/ceph.fc b/policy/modules/contrib/ceph.fc
new file mode 100644
index 0000000..1548b1e
--- /dev/null
+++ b/policy/modules/contrib/ceph.fc
@@ -0,0 +1,30 @@
+#
+# /etc
+#
+/etc/ceph(/.*)? gen_context(system_u:object_r:ceph_conf_t,s0)
+/etc/ceph/.*\.secret -- gen_context(system_u:object_r:ceph_key_t,s0)
+/etc/ceph/.*\.keyring -- gen_context(system_u:object_r:ceph_key_t,s0)
+/etc/rc\.d/init\.d/ceph.* gen_context(system_u:object_r:ceph_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/ceph-mds -- gen_context(system_u:object_r:ceph_mds_exec_t,s0)
+/usr/bin/ceph-mon -- gen_context(system_u:object_r:ceph_mon_exec_t,s0)
+/usr/bin/ceph-osd -- gen_context(system_u:object_r:ceph_osd_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/ceph(/.*)? gen_context(system_u:object_r:ceph_var_lib_t,s0)
+/var/lib/ceph/mds(/.*)? gen_context(system_u:object_r:ceph_mds_data_t,s0)
+/var/lib/ceph/mon(/.*)? gen_context(system_u:object_r:ceph_mon_data_t,s0)
+/var/lib/ceph/osd(/.*)? gen_context(system_u:object_r:ceph_osd_data_t,s0)
+
+/var/log/ceph(/.*)? gen_context(system_u:object_r:ceph_log_t,s0)
+
+/var/run/ceph -d gen_context(system_u:object_r:ceph_var_run_t,s0)
+/var/run/ceph/ceph-osd.* gen_context(system_u:object_r:ceph_osd_var_run_t,s0)
+/var/run/ceph/ceph-mon.* gen_context(system_u:object_r:ceph_mon_var_run_t,s0)
+/var/run/ceph/ceph-mds.* gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
+/var/run/ceph/mds.* -- gen_context(system_u:object_r:ceph_mds_var_run_t,s0)
diff --git a/policy/modules/contrib/ceph.if b/policy/modules/contrib/ceph.if
new file mode 100644
index 0000000..26db16f
--- /dev/null
+++ b/policy/modules/contrib/ceph.if
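Review bot: The only cephx secrets labelled ceph_key_t are `/etc/ceph/.*\.secret` and `/etc/ceph/.*\.keyring`; if I recall Ceph's default layout correctly, each daemon also keeps its own keyring inside its data directory (e.g. `/var/lib/ceph/osd/<cluster>-<id>/keyring`), which this file labels as plain ceph_osd_data_t / ceph_mon_data_t / ceph_mds_data_t through the `/var/lib/ceph/osd(/.*)?` family of entries. Those secrets then fall outside ceph_read_key() and outside any audit rule keyed on ceph_key_t, and are exposed to anything granted the cephdata attribute. If that layout applies to the target deployments, consider per-daemon entries such as `/var/lib/ceph/osd/.*/keyring -- gen_context(system_u:object_r:ceph_key_t,s0)` (and the mon/mds equivalents) — the longer literal stem makes them win over the `(/.*)?` entries, and the daemon domains can still read them because cephdomain is granted read on ceph_key_t in ceph.te.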
@@ -0,0 +1,104 @@
+## Ceph distributed object storage
+
+#########################################
+##
+## Create the individual Ceph domains
+##
+##
+##
+## The daemon (osd, mds or mon) for which the rules are created
+##
+##
+#
+template(`ceph_domain_template',`
+ gen_require(`
+ attribute cephdomain;
+ attribute cephdata;
+ attribute cephpidfile;
+ attribute_role ceph_roles;
+
+ type ceph_var_run_t;
+ ')
+
+ type ceph_$1_t, cephdomain;
+ type ceph_$1_exec_t;
+ init_system_domain(ceph_$1_t, ceph_$1_exec_t)
+ role ceph_roles types ceph_$1_t;
+
+ type ceph_$1_data_t, cephdata;
+ files_type(ceph_$1_data_t)
+
+ type ceph_$1_var_run_t, cephpidfile;
+ files_pid_file(ceph_$1_var_run_t)
+
+ ########################################
+ #
+ # Local policy
+ #
+ # Rules which cannot be made part of the domain
+
+ allow ceph_$1_t ceph_$1_var_run_t:file manage_file_perms;
+ allow ceph_$1_t ceph_$1_var_run_t:sock_file manage_file_perms;
+ allow ceph_$1_t ceph_$1_data_t:dir manage_dir_perms;
+ allow ceph_$1_t ceph_$1_data_t:file manage_file_perms;
+
+ filetrans_pattern(ceph_$1_t, ceph_var_run_t, ceph_$1_var_run_t, { file sock_file })
+
+ files_var_lib_filetrans(ceph_$1_t, ceph_$1_data_t, { file dir })
+')
+
+#########################################
+##
+## Administrative access for Ceph
+##
+##
+##
+## Domain allowed access
+##
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`ceph_admin',`
+ gen_require(`
+ attribute cephdomain;
+ attribute cephdata;
+ type ceph_initrc_exec_t;
+ ')
+
+ allow $1 cephdomain:process { ptrace signal_perms };
+ ps_process_pattern($1, cephdomain)
+
+ init_startstop_service($1, $2, cephdomain, ceph_initrc_exec_t)
+ allow $1 ceph_initrc_exec_t:lnk_file read_lnk_file_perms;
+ allow $1 ceph_initrc_exec_t:file read_file_perms;
+
+ files_list_etc($1)
+ admin_pattern($1, ceph_conf_t)
+ admin_pattern($1, ceph_key_t)
+
+ admin_pattern($1, cephdata)
+
+ admin_pattern($1, ceph_log_t)
+')
+
+#########################################
+##
+## Read Ceph key files
+##
+##
+##
+## Domain allowed access
+##
+##
+#
+interface(`ceph_read_key',`
+ gen_require(`
+ type ceph_key_t;
+ ')
+
+ allow $1 ceph_key_t:file read_file_perms;
+')
diff --git a/policy/modules/contrib/ceph.te b/policy/modules/contrib/ceph.te
new file mode 100644
index 0000000..9704dd4
--- /dev/null
+++ b/policy/modules/contrib/ceph.te
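Review bot: ceph_admin()'s gen_require block lists only cephdomain, cephdata and ceph_initrc_exec_t, yet the body calls admin_pattern() on ceph_conf_t, ceph_key_t and ceph_log_t; because an interface is expanded inside the calling module, those three types are undeclared there and the caller's module will fail to build, so the require should read `type ceph_initrc_exec_t, ceph_conf_t, ceph_key_t, ceph_log_t;`. The interface also grants the admin nothing on ceph_var_lib_t, ceph_var_run_t or the cephpidfile attribute, so an administrator can manage daemon data but cannot clean up stale pid files or the /var/run/ceph and /var/lib/ceph parents — add them to the require and to the admin_pattern() list if that is intended. On documentation, both parameters of ceph_admin are described as "Domain allowed access", but `$2` is passed to init_startstop_service() as the role, so its description should be `Role allowed access`. As a style point in ceph_domain_template, `allow ceph_$1_t ceph_$1_var_run_t:sock_file manage_file_perms;` should use the object-class-specific set, `manage_sock_file_perms`.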
@@ -0,0 +1,92 @@
+policy_module(ceph, 1.0)
+
+attribute_role ceph_roles;
+
+# Attribute for all ceph runtime domains (not clients)
+attribute cephdomain;
+
+# Attribute for the ceph runtime daemon data
+attribute cephdata;
+
+# Attribute for the ceph pidfile data
+attribute cephpidfile;
+
+# Init support
+type ceph_initrc_exec_t;
+init_script_file(ceph_initrc_exec_t)
+
+type ceph_conf_t;
+files_config_file(ceph_conf_t)
+
+# Private / shared keys for cephx support
+type ceph_key_t;
+files_type(ceph_key_t)
+
+type ceph_log_t;
+logging_log_file(ceph_log_t)
+
+type ceph_var_lib_t;
+files_type(ceph_var_lib_t)
+
+type ceph_var_run_t;
+files_pid_file(ceph_var_run_t)
+
+#########################################
+#
+# General Ceph domain rules
+#
+
+ceph_domain_template(osd)
+ceph_domain_template(mds)
+ceph_domain_template(mon)
+
+allow cephdomain self:fifo_file rw_file_perms;
+
+read_files_pattern(cephdomain, ceph_conf_t, { ceph_conf_t ceph_key_t })
+allow cephdomain ceph_log_t:dir manage_dir_perms;
+allow cephdomain ceph_log_t:file { create_file_perms rw_file_perms };
+allow cephdomain ceph_var_lib_t:dir search_dir_perms;
+allow cephdomain self:netlink_route_socket { rw_netlink_socket_perms };
+allow cephdomain self:tcp_socket { create_socket_perms listen accept };
+allow cephdomain ceph_var_run_t:file manage_file_perms;
+allow cephdomain ceph_var_run_t:dir manage_dir_perms;
+
+kernel_read_system_state(cephdomain)
+
+corenet_tcp_bind_generic_node(cephdomain)
+corenet_tcp_bind_all_unreserved_ports(cephdomain)
+corenet_tcp_connect_all_unreserved_ports(cephdomain)
+
+files_read_etc_files(cephdomain)
+files_search_pids(cephdomain)
+files_search_var_lib(cephdomain)
+files_pid_filetrans(cephdomain, ceph_var_run_t, dir)
+
+fs_getattr_all_fs(cephdomain)
+
+logging_search_logs(cephdomain)
+
+miscfiles_read_localization(cephdomain)
+
+init_use_script_ptys(cephdomain)
+
+
+#########################################
+#
+# Local OSD policy
+#
+
+corecmd_exec_shell(ceph_osd_t)
+
+
+#########################################
+#
+# Local MDS policy
+#
+
+
+#########################################
+#
+# Local MON policy
+#
+
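Review bot: `corenet_tcp_bind_all_unreserved_ports(cephdomain)` together with `corenet_tcp_connect_all_unreserved_ports(cephdomain)` lets every Ceph daemon domain bind and connect to any unreserved TCP port, which is far wider than the fixed monitor and OSD port range Ceph uses by default and removes the policy's ability to confine (and expose in audit logs) a compromised daemon talking to unrelated local or remote services; a dedicated ceph port type in corenetwork, with bind/connect limited to it, would be the least-privilege form. `corecmd_exec_shell(ceph_osd_t)` is the only rule in the OSD section and carries no rationale; shell execution is a notable privilege for a storage daemon, so please record why it is needed, e.g. `# ceph-osd spawns helper commands through a shell (TODO: name the helpers so the rule can be tightened later)`. On style, `allow cephdomain self:tcp_socket { create_socket_perms listen accept };` is exactly `create_stream_socket_perms`, and the braces around `rw_netlink_socket_perms` on the netlink_route_socket rule are redundant.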