authorQiaowei Ren <qiaowei.ren@intel.com>2018-01-04 13:43:33 +0800
committerQiaowei Ren <qiaowei.ren@intel.com>2018-01-05 11:59:39 +0800
commit812ff6ca9fcd3e629e49d4328905f33eee8ca3f5 (patch)
tree04ece7b4da00d9d2f98093774594f4057ae561d4 /src/ceph/selinux
parent15280273faafb77777eab341909a3f495cf248d9 (diff)
initial code repo
This patch creates the initial code repo. For ceph, the luminous stable release is used as the base code, and subsequent changes and optimizations for ceph will be added on top of it. For opensds, any changes can currently be upstreamed into the original opensds repo (https://github.com/opensds/opensds), so stor4nfv will clone the opensds code directly to deploy the stor4nfv environment. The scripts for deployment based on ceph and opensds will be put into the 'ci' directory. Change-Id: I46a32218884c75dda2936337604ff03c554648e4 Signed-off-by: Qiaowei Ren <qiaowei.ren@intel.com>
Diffstat (limited to 'src/ceph/selinux')
-rw-r--r--src/ceph/selinux/.gitignore2
-rw-r--r--src/ceph/selinux/CMakeLists.txt11
-rw-r--r--src/ceph/selinux/ceph.fc15
-rw-r--r--src/ceph/selinux/ceph.if265
-rw-r--r--src/ceph/selinux/ceph.te120
5 files changed, 413 insertions, 0 deletions
diff --git a/src/ceph/selinux/.gitignore b/src/ceph/selinux/.gitignore
new file mode 100644
index 0000000..6c00c98
--- /dev/null
+++ b/src/ceph/selinux/.gitignore
@@ -0,0 +1,2 @@
+/ceph.pp
+/tmp
diff --git a/src/ceph/selinux/CMakeLists.txt b/src/ceph/selinux/CMakeLists.txt
new file mode 100644
index 0000000..d0a7e54
--- /dev/null
+++ b/src/ceph/selinux/CMakeLists.txt
@@ -0,0 +1,11 @@
+add_custom_target(
+ ceph.pp ALL
+ COMMAND ln -sf ${CMAKE_CURRENT_SOURCE_DIR}/ceph.* .
+ COMMAND make -f ${SELINUX_MAKEFILE} ceph.pp
+ DEPENDS ceph.te ceph.fc ceph.if)
+
+set(datadir ${CMAKE_INSTALL_PREFIX}/share/selinux)
+install(FILES ${CMAKE_CURRENT_BINARY_DIR}/ceph.pp
+ DESTINATION ${datadir}/packages)
+install(FILES ceph.if
+ DESTINATION ${datadir}/devel/include/contrib)
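Review bot: The `ln -sf ${CMAKE_CURRENT_SOURCE_DIR}/ceph.* .` on the third line of the target links every file matching the glob, and the `.gitignore` added in this same commit shows that `ceph.pp` can exist in the source directory; when it does, the build symlinks it into the build tree and the following `make` writes the built module through that symlink back into the source tree. The target also has no WORKING_DIRECTORY or VERBATIM, so the bare `.` is whatever the generator's current directory happens to be, and `SELINUX_MAKEFILE` is assumed to be defined by a parent scope that is not visible here. Linking the three inputs explicitly with `${CMAKE_COMMAND} -E create_symlink` pins the set of files and makes VERBATIM and an explicit WORKING_DIRECTORY safe to add. `add_custom_target ... ALL` still reruns on every build, which is acceptable for a policy module but worth a one-line comment.
```cmake
add_custom_target(
  ceph.pp ALL
  COMMAND ${CMAKE_COMMAND} -E create_symlink ${CMAKE_CURRENT_SOURCE_DIR}/ceph.te ceph.te
  COMMAND ${CMAKE_COMMAND} -E create_symlink ${CMAKE_CURRENT_SOURCE_DIR}/ceph.fc ceph.fc
  COMMAND ${CMAKE_COMMAND} -E create_symlink ${CMAKE_CURRENT_SOURCE_DIR}/ceph.if ceph.if
  COMMAND make -f ${SELINUX_MAKEFILE} ceph.pp
  WORKING_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}
  DEPENDS ceph.te ceph.fc ceph.if
  VERBATIM)
# … unchanged: datadir and install() rules …
```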
diff --git a/src/ceph/selinux/ceph.fc b/src/ceph/selinux/ceph.fc
new file mode 100644
index 0000000..df47fe1
--- /dev/null
+++ b/src/ceph/selinux/ceph.fc
@@ -0,0 +1,15 @@
+/etc/rc\.d/init\.d/ceph -- gen_context(system_u:object_r:ceph_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/radosgw -- gen_context(system_u:object_r:ceph_initrc_exec_t,s0)
+
+/usr/bin/ceph-mgr -- gen_context(system_u:object_r:ceph_exec_t,s0)
+/usr/bin/ceph-mon -- gen_context(system_u:object_r:ceph_exec_t,s0)
+/usr/bin/ceph-mds -- gen_context(system_u:object_r:ceph_exec_t,s0)
+/usr/bin/ceph-osd -- gen_context(system_u:object_r:ceph_exec_t,s0)
+/usr/bin/radosgw -- gen_context(system_u:object_r:ceph_exec_t,s0)
+
+/var/lib/ceph(/.*)? gen_context(system_u:object_r:ceph_var_lib_t,s0)
+
+/var/log/ceph(/.*)? gen_context(system_u:object_r:ceph_log_t,s0)
+/var/log/radosgw(/.*)? gen_context(system_u:object_r:ceph_log_t,s0)
+
+/var/run/ceph(/.*)? gen_context(system_u:object_r:ceph_var_run_t,s0)
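Review bot: All five daemon binaries, including the network-facing `radosgw` on the fifth entry, are labelled `ceph_exec_t` and therefore all end up in the single `ceph_t` domain that `ceph.te` in this same commit grants `sys_rawio` and raw fixed-disk access; a compromise of the gateway process inherits the OSD's block-device privileges. If one shared domain is the intended starting point, a comment above the binaries block should say so, e.g. `# All daemons (mon/osd/mds/mgr/rgw) currently share one domain, ceph_t; see ceph.te`. There is also no context for `/etc/ceph`, so the cluster config and keyrings stay at the default etc label; presumably a generic etc-read rule in the base policy covers them, but that is worth confirming before enforcing mode.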
diff --git a/src/ceph/selinux/ceph.if b/src/ceph/selinux/ceph.if
new file mode 100644
index 0000000..ed747a8
--- /dev/null
+++ b/src/ceph/selinux/ceph.if
@@ -0,0 +1,265 @@
+
+## <summary>policy for ceph</summary>
+
+########################################
+## <summary>
+## Execute ceph_exec_t in the ceph domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`ceph_domtrans',`
+ gen_require(`
+ type ceph_t, ceph_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, ceph_exec_t, ceph_t)
+')
+
+######################################
+## <summary>
+## Execute ceph in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ceph_exec',`
+ gen_require(`
+ type ceph_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, ceph_exec_t)
+')
+
+########################################
+## <summary>
+## Execute ceph server in the ceph domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ceph_initrc_domtrans',`
+ gen_require(`
+ type ceph_initrc_exec_t;
+ ')
+
+ init_labeled_script_domtrans($1, ceph_initrc_exec_t)
+')
+########################################
+## <summary>
+## Read ceph's log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ceph_read_log',`
+ gen_require(`
+ type ceph_log_t;
+ ')
+
+ logging_search_logs($1)
+ read_files_pattern($1, ceph_log_t, ceph_log_t)
+')
+
+########################################
+## <summary>
+## Append to ceph log files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ceph_append_log',`
+ gen_require(`
+ type ceph_log_t;
+ ')
+
+ logging_search_logs($1)
+ append_files_pattern($1, ceph_log_t, ceph_log_t)
+')
+
+########################################
+## <summary>
+## Manage ceph log files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ceph_manage_log',`
+ gen_require(`
+ type ceph_log_t;
+ ')
+
+ logging_search_logs($1)
+ manage_dirs_pattern($1, ceph_log_t, ceph_log_t)
+ manage_files_pattern($1, ceph_log_t, ceph_log_t)
+ manage_lnk_files_pattern($1, ceph_log_t, ceph_log_t)
+')
+
+########################################
+## <summary>
+## Search ceph lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ceph_search_lib',`
+ gen_require(`
+ type ceph_var_lib_t;
+ ')
+
+ allow $1 ceph_var_lib_t:dir search_dir_perms;
+ files_search_var_lib($1)
+')
+
+########################################
+## <summary>
+## Read ceph lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ceph_read_lib_files',`
+ gen_require(`
+ type ceph_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ read_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage ceph lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ceph_manage_lib_files',`
+ gen_require(`
+ type ceph_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
+')
+
+########################################
+## <summary>
+## Manage ceph lib directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ceph_manage_lib_dirs',`
+ gen_require(`
+ type ceph_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_dirs_pattern($1, ceph_var_lib_t, ceph_var_lib_t)
+')
+
+########################################
+## <summary>
+## Read ceph PID files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ceph_read_pid_files',`
+ gen_require(`
+ type ceph_var_run_t;
+ ')
+
+ files_search_pids($1)
+ read_files_pattern($1, ceph_var_run_t, ceph_var_run_t)
+')
+
+
+########################################
+## <summary>
+## All of the rules required to administrate
+## an ceph environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`ceph_admin',`
+ gen_require(`
+ type ceph_t;
+ type ceph_initrc_exec_t;
+ type ceph_log_t;
+ type ceph_var_lib_t;
+ type ceph_var_run_t;
+ ')
+
+ allow $1 ceph_t:process { signal_perms };
+ ps_process_pattern($1, ceph_t)
+
+ tunable_policy(`deny_ptrace',`',`
+ allow $1 ceph_t:process ptrace;
+ ')
+
+ ceph_initrc_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 ceph_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ logging_search_logs($1)
+ admin_pattern($1, ceph_log_t)
+
+ files_search_var_lib($1)
+ admin_pattern($1, ceph_var_lib_t)
+
+ files_search_pids($1)
+ admin_pattern($1, ceph_var_run_t)
+ optional_policy(`
+ systemd_passwd_agent_exec($1)
+ systemd_read_fifo_file_passwd_run($1)
+ ')
+')
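Review bot: The summary on `ceph_initrc_domtrans` reads `Execute ceph server in the ceph domain`, but the body calls `init_labeled_script_domtrans`, which transitions the caller into the init script domain to run the `ceph_initrc_exec_t` script, not into `ceph_t`; the summary should read `Execute the ceph init script in the initrc domain.` The `ceph_admin` interface is the one that hands out `ptrace` (gated by the `deny_ptrace` tunable) and a role transition into `system_r`, so its summary should note that it is meant for an administrative role only, and that `ceph_search_lib`, `ceph_read_log` and `ceph_read_pid_files` are the least-privilege alternatives for monitoring tooling. A blank line is also missing before the `ceph_read_log` separator to match the spacing used between the other interfaces.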
diff --git a/src/ceph/selinux/ceph.te b/src/ceph/selinux/ceph.te
new file mode 100644
index 0000000..0a93498
--- /dev/null
+++ b/src/ceph/selinux/ceph.te
@@ -0,0 +1,120 @@
+policy_module(ceph, 1.1.1)
+
+require {
+ type sysfs_t;
+ type var_run_t;
+ type random_device_t;
+ type urandom_device_t;
+ type setfiles_t;
+ type nvme_device_t;
+ class sock_file unlink;
+ class lnk_file read;
+ class dir read;
+ class file { getattr read open };
+ class blk_file { getattr ioctl open read write };
+}
+
+########################################
+#
+# Declarations
+#
+
+type ceph_t;
+type ceph_exec_t;
+init_daemon_domain(ceph_t, ceph_exec_t)
+
+permissive ceph_t;
+
+type ceph_initrc_exec_t;
+init_script_file(ceph_initrc_exec_t)
+
+type ceph_log_t;
+logging_log_file(ceph_log_t)
+
+type ceph_var_lib_t;
+files_type(ceph_var_lib_t)
+
+type ceph_var_run_t;
+files_pid_file(ceph_var_run_t)
+
+########################################
+#
+# ceph local policy
+#
+
+allow ceph_t self:process { signal_perms };
+allow ceph_t self:fifo_file rw_fifo_file_perms;
+allow ceph_t self:unix_stream_socket create_stream_socket_perms;
+allow ceph_t self:capability { setuid setgid dac_override };
+
+manage_dirs_pattern(ceph_t, ceph_log_t, ceph_log_t)
+manage_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
+manage_lnk_files_pattern(ceph_t, ceph_log_t, ceph_log_t)
+
+manage_dirs_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
+manage_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
+manage_lnk_files_pattern(ceph_t, ceph_var_lib_t, ceph_var_lib_t)
+
+manage_dirs_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
+manage_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
+manage_lnk_files_pattern(ceph_t, ceph_var_run_t, ceph_var_run_t)
+
+kernel_read_system_state(ceph_t)
+kernel_read_network_state(ceph_t)
+
+corenet_all_recvfrom_unlabeled(ceph_t)
+corenet_all_recvfrom_netlabel(ceph_t)
+corenet_udp_sendrecv_generic_if(ceph_t)
+corenet_udp_sendrecv_generic_node(ceph_t)
+corenet_udp_bind_generic_node(ceph_t)
+corenet_tcp_bind_generic_node(ceph_t)
+
+corenet_sendrecv_cyphesis_server_packets(ceph_t)
+corenet_tcp_bind_cyphesis_port(ceph_t)
+corenet_tcp_sendrecv_cyphesis_port(ceph_t)
+
+corecmd_exec_bin(ceph_t)
+corecmd_exec_shell(ceph_t)
+
+dev_read_urand(ceph_t)
+
+domain_read_all_domains_state(ceph_t)
+
+fs_getattr_all_fs(ceph_t)
+
+auth_use_nsswitch(ceph_t)
+
+logging_send_syslog_msg(ceph_t)
+
+sysnet_dns_name_resolve(ceph_t)
+
+allow ceph_t nvme_device_t:blk_file { getattr ioctl open read write };
+
+# basis for future security review
+allow ceph_t ceph_var_run_t:sock_file { create unlink write setattr };
+allow ceph_t self:capability { sys_rawio chown };
+
+allow ceph_t self:tcp_socket { accept listen };
+corenet_tcp_connect_cyphesis_port(ceph_t)
+corenet_tcp_connect_generic_port(ceph_t)
+files_list_tmp(ceph_t)
+files_manage_generic_tmp_files(ceph_t)
+fstools_exec(ceph_t)
+nis_use_ypbind_uncond(ceph_t)
+storage_raw_rw_fixed_disk(ceph_t)
+files_manage_generic_locks(ceph_t)
+
+allow ceph_t sysfs_t:dir read;
+allow ceph_t sysfs_t:file { read getattr open };
+allow ceph_t sysfs_t:lnk_file { read getattr };
+
+allow ceph_t random_device_t:chr_file getattr;
+allow ceph_t urandom_device_t:chr_file getattr;
+allow ceph_t self:process setpgid;
+allow ceph_t var_run_t:dir { write create add_name };
+allow ceph_t var_run_t:file { read write create open getattr };
+
+fsadm_manage_pid(ceph_t)
+
+#============= setfiles_t ==============
+allow setfiles_t ceph_var_lib_t:file write;
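Review bot: `permissive ceph_t;` in the Declarations block means every denial for the domain is audited but never enforced, so none of the allow rules in this hunk actually confine the daemons; if that is deliberate for an initial drop, say so next to the line, e.g. `# NOTE: ceph_t is permissive - denials are only logged, not enforced; drop this before relying on the policy for confinement`. The direct grants on `var_run_t` near the end (`allow ceph_t var_run_t:dir { write create add_name };` and the matching file rule) let the daemon create unlabelled objects anywhere under /run instead of getting `ceph_var_run_t`; a type transition, `files_pid_filetrans(ceph_t, ceph_var_run_t, { dir file sock_file })`, would likely make those two rules unnecessary. The trailing `allow setfiles_t ceph_var_lib_t:file write;` gives the relabeling tool write access to every file under /var/lib/ceph, which looks like an audit2allow artifact rather than something a relabel needs, and deserves either a comment naming the denial it was added for or removal. The cyphesis port rules presumably stand in for the monitor port range, and a one-line comment saying so would help the next reader.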