[refpolicy] [PATCH] hadoop 1/10 -- unconfined

[domg472@gmail.com (Dominick Grift)]

On Mon, Sep 20, 2010 at 02:02:12PM -0400, Paul Nuzzi wrote:
> On 09/20/2010 01:03 PM, Dominick Grift wrote:
> > On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
> >> I fixed the hadoop patch based on all of the feedback I received.  Added role support for sysadm_r to all of the services and programs.  Steve and I were not able to successfully use init_script_domain.  The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface.  It was also causing problems with sysadm_r.  I split up the patches since it was huge. 
> > 
> > Why did the init script domain not work for you?
> > 
> > I am interested in helping to make this policy upstreamable but i am not sure about how to deal with this init scenario and i would like to hear from others what the best way is to go forward with this.
> > 
> 
> I wasn't able to transfer into the pseudo initrc domain with init_script_domain.  Using
> init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) executed the startup script in unconfined_u:system_r:initrc_t instead of :hadoop_datanode_initrc_t.  Using init_daemon_domain (which I know works) and init_script_domain together gives a semodule insert error conflicting te rule for (init_t, hadoop_datanode_initrc_exec_t:process): old was initrc_t, new is hadoop_datanode_initrc_t.  Maybe this is because it contains domtrans_pattern(init_run_all_scripts_domain, $2, $1) instead of domtrans_pattern(initrc_t,$2,$1) that init_daemon_domain has.

I just test it and it works provided that you use run_init to start the daemon.

I suspect Fedora broken the functionality to make it work by default:

These seem to be the culprits:

init_exec_script_files(sysadm_t)
init_domtrans_script(unconfined_t)

Here is how to reproduce how i got it to work:

policy_module(test, 1.0.0)

type test_t;
type test_exec_t;
init_script_domain(test_t, test_exec_t)
role system_r types test_t;

chcon -t test_exec_t /etc/rc.d/init.d/httpd

sudo -r sysadm_r -t sysadm_t
run_init service httpd start

sudo -r unconfined_r -t unconfined_t
run_init service httpd start




> 
> Searching through refpolicy I don't see any references to init_script_domain.  Lets see what everyone else thinks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100920/2e8bf76c/attachment.bin