initial code repo

This patch creates initial code repo.

For ceph, luminous stable release will be used for base code,
and next changes and optimization for ceph will be added to it.

For opensds, currently any changes can be upstreamed into original
opensds repo (https://github.com/opensds/opensds), and so stor4nfv
will directly clone opensds code to deploy stor4nfv environment.
And the scripts for deployment based on ceph and opensds will be
put into 'ci' directory.

Change-Id: I46a32218884c75dda2936337604ff03c554648e4
Signed-off-by: Qiaowei Ren <qiaowei.ren@intel.com>

1 files changed, 265 insertions, 0 deletions

diff --git a/src/ceph/selinux/ceph.if b/src/ceph/selinux/ceph.if
new file mode 100644
index 0000000..ed747a8
--- /dev/null
+++ b/src/ceph/selinux/ceph.if
@@ -0,0 +1,265 @@
+
+## <summary>policy for ceph</summary>
+
+########################################
+## <summary>
+##	Execute ceph_exec_t in the ceph domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ceph_domtrans',`
+	gen_require(`
+		type ceph_t, ceph_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, ceph_exec_t, ceph_t)
+')
+
+######################################
+## <summary>
+##	Execute ceph in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ceph_exec',`
+	gen_require(`
+		type ceph_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, ceph_exec_t)
+')
+
+########################################
+## <summary>
+##	Execute ceph server in the ceph domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ceph_initrc_domtrans',`
+	gen_require(`
+		type ceph_initrc_exec_t;
+	')
+
+	init_labeled_script_domtrans($1, ceph_initrc_exec_t)
+')
+########################################
+## <summary>
+##	Read ceph's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ceph_read_log',`
+	gen_require(`
+		type ceph_log_t;
+	')
+
+	logging_search_logs($1)
+	read_files_pattern($1, ceph_log_t, ceph_log_t)
+')
+
+########################################
+## <summary>
+##	Append to ceph log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ceph_append_log',`
+	gen_require(`
+		type ceph_log_t;
+	')
+
+	logging_search_logs($1)
+	append_files_pattern($1, ceph_log_t, ceph_log_t)
+')
+
+########################################
+## <summary>
+##	Manage ceph log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ceph_manage_log',`
+	gen_require(`
+		type ceph_log_t;
+	')
+
+	logging_search_logs($1)
+	manage_dirs_pattern($1, ceph_log_t, ceph_log_t)
+	manage_files_pattern($1, ceph_log_t, ceph_log_t)
+	manage_lnk_files_pattern($1, ceph_log_t, ceph_log_t)
+')
+
+########################################
+## <summary>
+##	Search ceph lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ceph_search_lib',`
+	gen_require(`
+		type ceph_var_lib_t;
+	')
+
+	allow $1 ceph_var_lib_t:dir search_dir_perms;
+	files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+##	Read ceph lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ceph_read_lib_files',`
+	gen_require(`
+		type ceph_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	read_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage ceph lib files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ceph_manage_lib_files',`
+	gen_require(`
+		type ceph_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Manage ceph lib directories.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ceph_manage_lib_dirs',`
+	gen_require(`
+		type ceph_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	manage_dirs_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
+')
+
+########################################
+## <summary>
+##	Read ceph PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ceph_read_pid_files',`
+	gen_require(`
+		type ceph_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, ceph_var_run_t, ceph_var_run_t)
+')
+
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an ceph environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`ceph_admin',`
+	gen_require(`
+		type ceph_t;
+		type ceph_initrc_exec_t;
+		type ceph_log_t;
+		type ceph_var_lib_t;
+		type ceph_var_run_t;
+	')
+
+	allow $1 ceph_t:process { signal_perms };
+	ps_process_pattern($1, ceph_t)
+
+    tunable_policy(`deny_ptrace',`',`
+        allow $1 ceph_t:process ptrace;
+    ')
+
+	ceph_initrc_domtrans($1)
+	domain_system_change_exemption($1)
+	role_transition $2 ceph_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	logging_search_logs($1)
+	admin_pattern($1, ceph_log_t)
+
+	files_search_var_lib($1)
+	admin_pattern($1, ceph_var_lib_t)
+
+	files_search_pids($1)
+	admin_pattern($1, ceph_var_run_t)
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')