igw: Add selinux support for ceph iscsi

This adds selinux support for the ceph iscsi daemons under the ceph
github:

ceph-iscsi-config - rbd-target-gw
ceph-iscsi-cli - rbd-target-api

We use tcmu-runner, but that will go into the core policy to avoid
conflicts with gluster and distro bases.

This requires the patches:

https://github.com/ceph/ceph-iscsi-config/pull/90
https://github.com/ceph/ceph-iscsi-cli/pull/134

Signed-off-by: Mike Christie <mchristi@redhat.com>

diff --git a/selinux/ceph.fc b/selinux/ceph.fc
index b942dd704dbd088336614e65b1752dc0898a4a94..395c7caa5af3dcf88e1c4b850fb9c639412e1006 100644 (file)
--- a/selinux/ceph.fc
+++ b/selinux/ceph.fc
@@ -7,10 +7,14 @@
 /usr/bin/ceph-fuse             --      gen_context(system_u:object_r:ceph_exec_t,s0)
 /usr/bin/ceph-osd              --      gen_context(system_u:object_r:ceph_exec_t,s0)
 /usr/bin/radosgw               --      gen_context(system_u:object_r:ceph_exec_t,s0)
+/usr/bin/rbd-target-gw         --      gen_context(system_u:object_r:ceph_exec_t,s0)
+/usr/bin/rbd-target-api                --      gen_context(system_u:object_r:ceph_exec_t,s0)
 
 /var/lib/ceph(/.*)?            gen_context(system_u:object_r:ceph_var_lib_t,s0)
 
 /var/log/ceph(/.*)?            gen_context(system_u:object_r:ceph_log_t,s0)
 /var/log/radosgw(/.*)?         gen_context(system_u:object_r:ceph_log_t,s0)
+/var/log/rbd-target-api(/.*)?  gen_context(system_u:object_r:ceph_log_t,s0)
+/var/log/rbd-target-gw(/.*)?   gen_context(system_u:object_r:ceph_log_t,s0)
 
 /var/run/ceph(/.*)?            gen_context(system_u:object_r:ceph_var_run_t,s0)

diff --git a/selinux/ceph.te b/selinux/ceph.te
index a56eb6a55abc9ace03e5ede6d97f3513a2e8f326..96571df3240c040e13d4ffcf5b17a2662d0378ec 100644 (file)
--- a/selinux/ceph.te
+++ b/selinux/ceph.te
@@ -2,15 +2,21 @@ policy_module(ceph, 1.1.1)
 
 require {
        type sysfs_t;
+       type configfs_t;
+       type commplex_main_port_t;
+       type rpm_exec_t;
+       type rpm_var_lib_t;
+       type kernel_t;
        type var_run_t;
        type random_device_t;
        type urandom_device_t;
        type setfiles_t;
        type nvme_device_t;
        class sock_file unlink;
-       class lnk_file read;
-       class dir read;
-       class file { getattr read open };
+       class tcp_socket name_connect_t;
+       class lnk_file { create getattr read unlink };
+       class dir { add_name create getattr open read remove_name rmdir search write };
+       class file { create getattr open read rename unlink write };
        class blk_file { getattr ioctl open read write };
        class capability2 block_suspend;
 }
@@ -63,6 +69,7 @@ manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
 
 kernel_read_system_state(ceph_t)
 kernel_read_network_state(ceph_t)
+allow ceph_t kernel_t:system module_request;
 
 corenet_all_recvfrom_unlabeled(ceph_t)
 corenet_all_recvfrom_netlabel(ceph_t)
@@ -75,9 +82,15 @@ corenet_sendrecv_cyphesis_server_packets(ceph_t)
 corenet_tcp_bind_cyphesis_port(ceph_t)
 corenet_tcp_sendrecv_cyphesis_port(ceph_t)
 
+allow ceph_t commplex_main_port_t:tcp_socket name_connect;
+
 corecmd_exec_bin(ceph_t)
 corecmd_exec_shell(ceph_t)
 
+allow ceph_t rpm_exec_t:file getattr;
+allow ceph_t rpm_var_lib_t:dir { add_name write };
+allow ceph_t rpm_var_lib_t:file { create open };
+
 dev_read_urand(ceph_t)
 
 domain_read_all_domains_state(ceph_t)
@@ -111,6 +124,11 @@ allow ceph_t sysfs_t:dir read;
 allow ceph_t sysfs_t:file { read getattr open };
 allow ceph_t sysfs_t:lnk_file { read getattr };
 
+allow ceph_t configfs_t:dir { add_name create getattr open read remove_name rmdir search write };
+allow ceph_t configfs_t:file { getattr open read write };
+allow ceph_t configfs_t:lnk_file { create getattr read unlink };
+
+
 allow ceph_t random_device_t:chr_file getattr;
 allow ceph_t urandom_device_t:chr_file getattr;
 allow ceph_t self:process setpgid;