From: jkhosali@nps.edu (Jean Khosalim)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] SELinux policy for Hadoop
Date: Tue, 14 Feb 2012 08:24:20 -0800
Message-ID: <000101cceb35$24a09700$6de1c500$@edu>
In-Reply-To: <4F3A6EE5.5010305@redhat.com>

> > Then the /usr/lib/hadoop-0.20/bin/hadoop script (labeled
> > system_u:object_r:hadoop_exec_t:s0) invokes java: nohup su
> > $HADOOP_DAEMON_USER -s $JAVA -- -Dproc_$COMMAND_JAVA.....
> >
> Ok what label does this run as?

The 'su' processes seem to run as 'system_u:system_r:initrc_t:s0'.
The actual java processes run as 'system_u:system_r:unconfined_java_t:s0'.

The following is the output of 'ps auxZ | grep java' (with a portion of each
ps line replaced with '.....' because it is too long):

----- Begin output of 'ps auxZ | grep java' ------
system_u:system_r:initrc_t:s0 root 1107 0.0 0.2 7808 2180 ?
S 10:44 0:00 su mapred -s /usr/java/jdk1.6.0_30/bin/java --
-Dproc_tasktracker ..... org.apache.hadoop.mapred.TaskTracker
system_u:system_r:initrc_t:s0 root 1109 0.0 0.2 7812 2188 ?
S 10:44 0:00 su mapred -s /usr/java/jdk1.6.0_30/bin/java --
-Dproc_jobtracker ..... org.apache.hadoop.mapred.JobTracker
system_u:system_r:initrc_t:s0 root 1111 0.0 0.2 7812 2188 ?
S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java --
-Dproc_secondarynamenode .....
org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode
system_u:system_r:initrc_t:s0 root 1113 0.0 0.2 7812 2192 ?
S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java --
-Dproc_datanode ..... org.apache.hadoop.hdfs.server.datanode.DataNode
system_u:system_r:initrc_t:s0 root 1115 0.0 0.2 7812 2184 ?
S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java --
-Dproc_namenode ..... org.apache.hadoop.hdfs.server.namenode.NameNode
system_u:system_r:unconfined_java_t:s0 mapred 1130 1.1 4.1 1197024 42552 ?
Sl 10:44 0:06 java -Dproc_jobtracker .....
org.apache.hadoop.mapred.JobTracker
system_u:system_r:unconfined_java_t:s0 hdfs 1131 1.1 6.3 1197864 64808 ?
Sl 10:44 0:05 java -Dproc_namenode .....
org.apache.hadoop.hdfs.server.namenode.NameNode
system_u:system_r:unconfined_java_t:s0 hdfs 1132 1.0 6.1 1191856 62752 ?
Sl 10:44 0:05 java -Dproc_secondarynamenode .....
org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode
system_u:system_r:unconfined_java_t:s0 mapred 1133 1.3 4.1 1195780 42856 ?
Sl 10:44 0:07 java -Dproc_tasktracker .....
org.apache.hadoop.mapred.TaskTracker
system_u:system_r:unconfined_java_t:s0 hdfs 1134 1.1 4.1 1194756 42528 ?
Sl 10:44 0:05 java -Dproc_datanode .....
org.apache.hadoop.hdfs.server.datanode.DataNode
----- End output of 'ps auxZ | grep java' ------
> >
> > If I try to run: runcon -t hadoop_t su hdfs -s
> > /usr/java/jdk1.6.0_30/bin/java -- -Dproc_$COMMAND_JAVA..... I got
> > runcon: invalid context:
> > unconfined_u:unconfined_r:hadoop_t:s0-s0:c0.c1023: Invalid argument.
> >
> Try
>
> runcon system_u:system_r:hadoop_t:s0 su hdfs -s
> /usr/java/jdk1.6.0_30/bin/java --

I got the following error when I ran the above:

runcon: invalid context: system_u:system_r:hadoop_t:s0: Invalid argument

Thanks,
Jean Khosalim
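
The check done by eye in the ps listing above, as an added example that is not part of the original message: a Python sketch that parses 'ps auxZ'-style lines, splits the SELinux context, and lists the Hadoop JVMs that are not in the intended domain. The sample lines are constructed from the shape of the output above (wrapped lines rejoined, elided arguments dropped, one hadoop_t line invented for contrast), and treating hadoop_t as the intended domain is an assumption taken from the runcon attempts in the thread.

```python
import re

# Assumption: hadoop_t is the domain the daemons are meant to run in
# (taken from the runcon attempts in the thread, not from a shipped policy).
EXPECTED_TYPE = "hadoop_t"

# Constructed sample, shaped like the 'ps auxZ' output above; pid 2001 in
# hadoop_t is invented to show a correctly confined process.
SAMPLE = """\
system_u:system_r:initrc_t:s0 root 1113 0.0 0.2 7812 2192 ? S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_datanode org.apache.hadoop.hdfs.server.datanode.DataNode
system_u:system_r:unconfined_java_t:s0 hdfs 1134 1.1 4.1 1194756 42528 ? Sl 10:44 0:05 java -Dproc_datanode org.apache.hadoop.hdfs.server.datanode.DataNode
system_u:system_r:hadoop_t:s0 hdfs 2001 1.1 4.1 1194756 42528 ? Sl 10:44 0:05 java -Dproc_namenode org.apache.hadoop.hdfs.server.namenode.NameNode
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2100 0.0 0.1 4356 732 pts/0 S+ 10:50 0:00 grep java
"""

def split_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':'."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    user, role, setype = parts[:3]
    mls = parts[3] if len(parts) == 4 else None
    return user, role, setype, mls

def hadoop_domains(ps_output):
    """Return (pid, unix_user, daemon, type, is_wrapper) per Hadoop process."""
    rows = []
    for line in ps_output.splitlines():
        fields = line.split(None, 11)  # LABEL + 10 'ps aux' columns + COMMAND
        if len(fields) < 12:
            continue
        m = re.search(r"-Dproc_(\w+)", fields[11])
        if not m:
            continue
        setype = split_context(fields[0])[2]
        is_wrapper = fields[11].startswith("su ")
        rows.append((int(fields[2]), fields[1], m.group(1), setype, is_wrapper))
    return rows

def misconfined(ps_output, expected=EXPECTED_TYPE):
    """JVM processes (not the 'su' wrappers) outside the expected domain."""
    return [r for r in hadoop_domains(ps_output) if not r[4] and r[3] != expected]

if __name__ == "__main__":
    for pid, user, daemon, setype, _ in misconfined(SAMPLE):
        print("pid %d (%s, %s) runs as %s, expected %s"
              % (pid, user, daemon, setype, EXPECTED_TYPE))
```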