Commit Graph

37 Commits

Author SHA1 Message Date
Ondrej Mosnacek
73218e291c
selinux: prepare for anon inode controls enablement
We plan to start labeling anon inodes (userfaultfd and io_uring file
descriptors) properly in selinux-policy, which means that domains using
these will need new rules.

See: https://github.com/fedora-selinux/selinux-policy/pull/1351

Since ceph may optionally use io_uring, this patch adds the necessary
interface call to its policy to avoid a regression. As the new interface
call is put under a conditional, the policy package will be buildable
against selinux-policy with or without the above PR merged, but it will
need to be rebuilt against the updated selinux-policy to actually pick
up the new rules.

I tested this on a minimal ceph cluster with 'bdev_ioring = true' added
to ceph.conf. I got io_uring denials without this patch + with
selinux-policy with PR#1351 and no denials with ceph rebuilt with this
patch.

Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2022-08-29 14:42:44 +02:00
Thomas Serlin
c3c5129748 selinux: add amqp and soundd types to ceph.te
Signed-off-by: Thomas Serlin <tserlin@redhat.com>
2020-07-10 01:38:00 -04:00
kalebskeithley
05c523185b
selinux: allow ceph_t amqp_port_t:tcp_socket
allow ceph_t amqp_port_t:tcp_socket name_connect;
allow ceph_t soundd_port_t:tcp_socket name_connect;

Required for running RabbitMQ

(soundd_port_t) for running RabbitMQ on port 8000

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1854083
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
2020-07-08 15:20:30 -04:00
Mike Christie
53be181653 selinux: Fix ceph-iscsi etc access
This fixes the selinux errors like this for /etc/target

-----------------------------------
Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:targetd_etc_rw_t:s0
Target Objects                target [ dir ]
Source                        rbd-target-api
Source Path                   rbd-target-api
Port                          <Unknown>
Host                          ans8
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ans8
Platform                      Linux ans8 4.18.0-147.el8.x86_64 #1 SMP
Thu Sep 26
                              15:52:44 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2020-01-08 18:39:48 EST
Last Seen                     2020-01-08 18:39:48 EST
Local ID                      9a13ee18-eaf2-4f2a-872f-2809ee4928f6

Raw Audit Messages
type=AVC msg=audit(1578526788.148:69): avc:  denied  { search } for
pid=995 comm="rbd-target-api" name="target" dev="sda1" ino=52198
scontext=system_u:system_r:ceph_t:s0
tcontext=system_u:object_r:targetd_etc_rw_t:s0 tclass=dir permissive=1

Hash: rbd-target-api,ceph_t,targetd_etc_rw_t,dir,search

which are a result of the rtslib library the ceph-iscsi daemons use
accessing /etc/target to read/write a file which stores meta data the
target uses.

Signed-off-by: Mike Christie <mchristi@redhat.com>
2020-04-22 11:52:02 -05:00
Mike Christie
8187235c91 selinux: Fix ceph-iscsi configfs access
This fixes the the following selinux error when using ceph-iscsi's
rbd-target-api daemon (rbd-target-gw has the same issue). They are
a result of the a python library, rtslib, which the daemons use.

Additional Information:
Source Context                system_u:system_r:ceph_t:s0
Target Context                system_u:object_r:configfs_t:s0
Target Objects
/sys/kernel/config/target/iscsi/iqn.2003-01.com.re
                              dhat:ceph-iscsi/tpgt_1/attrib/authentication
[
                              file ]
Source                        rbd-target-api
Source Path                   /usr/libexec/platform-python3.6
Port                          <Unknown>
Host                          ans8
Source RPM Packages           platform-python-3.6.8-15.1.el8.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.14.3-20.el8.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ans8
Platform                      Linux ans8 4.18.0-147.el8.x86_64 #1 SMP
Thu Sep 26
                              15:52:44 UTC 2019 x86_64 x86_64
Alert Count                   1
First Seen                    2020-01-08 18:39:47 EST
Last Seen                     2020-01-08 18:39:47 EST
Local ID                      6f8c3415-7a50-4dc8-b3d2-2621e1d00ca3

Raw Audit Messages
type=AVC msg=audit(1578526787.577:68): avc:  denied  { ioctl } for
pid=995 comm="rbd-target-api"
path="/sys/kernel/config/target/iscsi/iqn.2003-01.com.redhat:ceph-iscsi/tpgt_1/attrib/authentication"
dev="configfs" ino=25703 ioctlcmd=0x5401
scontext=system_u:system_r:ceph_t:s0
tcontext=system_u:object_r:configfs_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1578526787.577:68): arch=x86_64 syscall=ioctl
success=no exit=ENOTTY a0=34 a1=5401 a2=7ffd4f8f1f60 a3=3052cd2d95839b96
items=0 ppid=1 pid=995 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rbd-target-api
exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:ceph_t:s0
key=(null)

Hash: rbd-target-api,ceph_t,configfs_t,file,ioctl

Signed-off-by: Mike Christie <mchristi@redhat.com>
2020-04-22 11:52:00 -05:00
Kefu Chai
4ca9ef4d27 selinux: add "type http_cache_port_t" in require section
this addresses the regression introduced by
611a2a7ce1

Fixes: https://tracker.ceph.com/issues/45022
Signed-off-by: Kefu Chai <kchai@redhat.com>
2020-04-10 14:28:20 +08:00
kalebskeithley
611a2a7ce1
Update ceph.te
Fixes: https://tracker.ceph.com/issues/45022
Signed-off-by: Kaleb S. KEITHLEY <kkeithle@redhat.com>
2020-04-09 13:00:57 -04:00
Brad Hubbard
43103e0207 selinux: Allow ceph to setsched
In several places, such as common/numa.cc we call sched_setaffinity
which requires this permission.

Fixes: https://tracker.ceph.com/issues/44196

Signed-off-by: Brad Hubbard <bhubbard@redhat.com>
2020-02-19 14:28:07 +10:00
Boris Ranto
ef191068d6 selinux: Allow ceph to read udev db
We are using libudev and reading the udev db files because of that. We
need to allow ceph to access these files in the SELinux policy.

Signed-off-by: Boris Ranto <branto@redhat.com>
2019-07-16 19:10:51 +02:00
Boris Ranto
9c6cdf1e50 selinux: Update the policy for RHEL8
We hit a couple more SELinux denials when running ceph on RHEL8. The
dac_read_search change is related to a kernel change where it checks
dac_read_search before dac_override, now.

Signed-off-by: Boris Ranto <branto@redhat.com>
2019-06-05 19:29:23 +02:00
Mike Christie
3b0550297f igw: Add selinux support for ceph iscsi
This adds selinux support for the ceph iscsi daemons under the ceph
github:

ceph-iscsi-config - rbd-target-gw
ceph-iscsi-cli - rbd-target-api

We use tcmu-runner, but that will go into the core policy to avoid
conflicts with gluster and distro bases.

This requires the patches:

https://github.com/ceph/ceph-iscsi-config/pull/90
https://github.com/ceph/ceph-iscsi-cli/pull/134

Signed-off-by: Mike Christie <mchristi@redhat.com>
2018-11-05 13:05:19 -06:00
Patrick Donnelly
2bfaac762d
ceph-fuse: add to selinux profile
Fixes: http://tracker.ceph.com/issues/36103

Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
2018-09-20 10:27:43 -07:00
Boris Ranto
e3be372d85 selinux: Allow ceph to block suspend
Ceph is now trying to block suspend in certain cases, we need to update
the policy accordingly.

Signed-off-by: Boris Ranto <branto@redhat.com>
2018-05-14 12:24:19 +02:00
Boris Ranto
fa5071b6d7 selinux: Allow ceph to execute ldconfig
The ceph-volume testing showed that the ceph daemons can run ldconfig in
a corner case when they are forbidden access to some files. This patch
allows ceph to execute ldconfig in Enforcing mode.

Fixes: https://tracker.ceph.com/issues/22302

Signed-off-by: Boris Ranto <branto@redhat.com>
2018-05-14 12:24:19 +02:00
Boris Ranto
394c26adb9 selinux: Allow getattr on lnk sysfs files
This showed up during downstream testing for luminous. We are doing
getattr on the sysfs lnk files and the current policy does not allow
this.

Signed-off-by: Boris Ranto <branto@redhat.com>
2017-09-21 17:24:10 +02:00
Boris Ranto
a8af61c8da selinux: Allow nvme devices
This commit allows nvme devices which use a different label than
standard block devices.

Fixes: http://tracker.ceph.com/issues/19200
Signed-off-by: Boris Ranto <branto@redhat.com>
2017-08-14 13:24:48 +02:00
Boris Ranto
899adbf55c selinux: Allow read on var_run_t
Fixes: http://tracker.ceph.com/issues/16674
Signed-off-by: Boris Ranto <branto@redhat.com>
2017-06-06 21:27:58 +02:00
Kefu Chai
8f6a526f9a selinux: clip the ceph context to ceph-mgr also
Signed-off-by: Kefu Chai <kchai@redhat.com>
2017-06-02 13:06:50 -04:00
Boris Ranto
dfd6880071 selinux: Allow ceph daemons to read net stats
Fixes: http://tracker.ceph.com/issues/19254

Signed-off-by: Boris Ranto <branto@redhat.com>
2017-03-13 17:51:48 +01:00
Boris Ranto
f8a0e201ee selinux: Allow ceph to manage tmp files
Two new denials showed up in testing that relate to ceph trying to
manage (rename and unlink) tmp files. This commit allows ceph to manage
the files.

Fixes: http://tracker.ceph.com/issues/17436

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-09-29 15:02:23 +02:00
Sage Weil
fba798dcad remove autotools
Signed-off-by: Sage Weil <sage@redhat.com>
2016-09-07 11:50:14 -04:00
Kefu Chai
b05b41e3ca selinux: allow read /proc/<pid>/cmdline
we read /proc/<pid>/cmdline to figure out who is terminating us.

Fixes: http://tracker.ceph.com/issues/16675
Signed-off-by: Kefu Chai <kchai@redhat.com>
2016-07-19 11:35:34 +08:00
Boris Ranto
2a6c738abd selinux: allow chown for self and setattr for /var/run/ceph
Fixes: http://tracker.ceph.com/issues/16126

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-06-13 12:35:19 +02:00
Kefu Chai
af902ec962 cmake: enable selinux support
Signed-off-by: Kefu Chai <kchai@redhat.com>
2016-05-16 23:09:06 +08:00
Kefu Chai
788bbb55ed automake: use :: rule for adding target
Signed-off-by: Kefu Chai <kchai@redhat.com>
2016-05-03 10:35:28 +08:00
Boris Ranto
5cd4ce517c selinux: Allow to manage locks
We currently create the ceph lock by an unconfined process (ceph-disk).
Unconfined processes inherit the context from the parrent directory.
This allows ceph daemons to access the files with context inherrited
from the parent directory (/var/lock | /run/lock).

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-03-08 10:59:38 +01:00
Boris Ranto
519b03f4b0 selinux: allow dac_override capability
Fixes: #14870
Signed-off-by: Boris Ranto <branto@redhat.com>
2016-03-08 10:57:59 +01:00
Boris Ranto
bcf12049fb selinux: Allow log files to be located in /var/log/radosgw
We do suggest users to put their logs in /var/log/radosgw in the
documentation at times. We should also label that directory with
ceph_var_log_t so that ceph daemons can also write there.

The commit also updates the man page for this policy. This man page is
automatically generated by

* sepolicy manpage -p . -d ceph_t

and have not been reloaded in a while. Hence, it contains few more
changes than the new radosgw directory.

Signed-off-by: Boris Ranto <branto@redhat.com>
2016-02-11 12:37:51 +01:00
Boris Ranto
bc48ef0fef selinux: Fix man page location
The SELinux man page was previously located in two places and the man
page that was supposed to be updated when rgw selinux changes were
proposed did not get updated properly. Fixing this by moving
selinux/ceph_selinux.8 to man/ceph_selinux.8. Also, populate EXTRA_DIST
with ceph_selinux.8.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-10-06 18:08:15 +02:00
Sage Weil
c1b28591a2 radosgw: log to /var/log/ceph instead of /var/log/radosgw
This is simpler.

Signed-off-by: Sage Weil <sage@redhat.com>
2015-09-15 18:05:59 -04:00
Boris Ranto
338bd3d177 selinux: Update policy for radosgw
The current SELinux policy does not cover radosgw daemon. This patch
introduces the SELinux support for radosgw daemon (civetweb only).

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-09-11 11:08:08 +02:00
Boris Ranto
736fe06235 selinux: Add .gitignore file
The gitbuilders release script needs this. Otherwise, the ceph-release
build will fail because there were some untracked files.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
73bf34d90f selinux: Update the SELinux policy rules
Few new denials were found while testing the policy. Updating the policy
rules to refelct that.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
03d7a65b94 SELinux Makefile can't work in parallel
We need to force single-core compilation of SELinux policy files in the
sub-make target as SELinux Makefile does not work properly when run in
parallel mode.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
bed5703367 selinux: Allow setuid and setgid to ceph-mon and ceph-osd
Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:47 +02:00
Milan Broz
d0fd8ffa40 Update selinux policy (after local test).
Changes enerated with ceph-test package.

Signed-off-by: Milan Broz <mbroz@redhat.com>
2015-08-05 15:21:47 +02:00
Boris Ranto
c52eb995e0 Add initial SELinux support
This patch modifies the build system and spec file to provide a support
for SELinux enforcing in an opt-in matter via ceph-selinux package.

Signed-off-by: Boris Ranto <branto@redhat.com>
2015-08-05 15:21:41 +02:00