From: domg472@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined
Date: Mon, 20 Sep 2010 21:50:48 +0200	[thread overview]
Message-ID: <4C97BB18.1000808@gmail.com> (raw)
In-Reply-To: <20100920193322.GA31431@localhost.localdomain>

On 09/20/2010 09:33 PM, Dominick Grift wrote:
> On Mon, Sep 20, 2010 at 02:02:12PM -0400, Paul Nuzzi wrote:
>> On 09/20/2010 01:03 PM, Dominick Grift wrote:
>>> On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
>>>> I fixed the hadoop patch based on all of the feedback I received.  Added role support for sysadm_r to all of the services and programs.  Steve and I were not able to successfully use init_script_domain.  The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface.  It was also causing problems with sysadm_r.  I split up the patches since it was huge. 
>>>
>>> Why did the init script domain not work for you?
>>>
>>> I am interested in helping to make this policy upstreamable but i am not sure about how to deal with this init scenario and i would like to hear from others what the best way is to go forward with this.
>>>
>>
>> I wasn't able to transfer into the pseudo initrc domain with init_script_domain.  Using
>> init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) executed the startup script in unconfined_u:system_r:initrc_t instead of :hadoop_datanode_initrc_t.  Using init_daemon_domain (which I know works) and init_script_domain together gives a semodule insert error conflicting te rule for (init_t, hadoop_datanode_initrc_exec_t:process): old was initrc_t, new is hadoop_datanode_initrc_t.  Maybe this is because it contains domtrans_pattern(init_run_all_scripts_domain, $2, $1) instead of domtrans_pattern(initrc_t,$2,$1) that init_daemon_domain has.
> 
> I just tested it and it works provided that you use run_init to start the daemon.
> 
> I suspect Fedora broke the functionality to make it work by default:
> 
> These seem to be the culprits:
> 
> init_exec_script_files(sysadm_t)
> init_domtrans_script(unconfined_t)
> 
> Here is how to reproduce how I got it to work:
> 
> policy_module(test, 1.0.0)
> 
> type test_t;
> type test_exec_t;
> init_script_domain(test_t, test_exec_t)
> role system_r types test_t;
> 
> chcon -t test_exec_t /etc/rc.d/init.d/httpd
> 
> sudo -r sysadm_r -t sysadm_t
> run_init service httpd start
> 
> sudo -r unconfined_r -t unconfined_t
> run_init service httpd start
> 
> 

The problem, I think, is that Red Hat's policy diverged from refpolicy,
especially with regard to this functionality.

This makes it that much harder to develop policy on Red Hat
configurations that should get adopted in refpolicy.

The use of init_script_domain() will probably work just fine in
refpolicy, and so if you want your policy upstreamed you should probably
use that.

Red Hat will have to deal with it once it merges refpolicy into its
branch (or they just exclude it).

> 
>>
>> Searching through refpolicy I don't see any references to init_script_domain.  Let's see what everyone else thinks.
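The "conflicting te rule" error quoted above arises when two type_transition rules share the same (source, target, class) key but name different default domains. The checker below finds such collisions in a set of textual rules before they reach semodule; it is an added example, not code from this thread or from refpolicy, and the attribute membership and the "already loaded" rule are constructed assumptions chosen to mirror the quoted error values.

```python
"""Added example: detect conflicting SELinux type_transition rules.

Models the semodule "conflicting te rule" error quoted in the thread.
Attribute membership and the pre-loaded rule are constructed assumptions.
"""
import re
from collections import defaultdict

# Assumed (constructed) attribute membership; init_t being a member is what
# lets init_script_domain()'s rule reach the init_t source at all.
ATTRIBUTES = {"init_run_all_scripts_domain": ["init_t", "initrc_t"]}

RULE_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;$")


def domtrans_pattern(source, entrypoint, domain):
    """The type_transition half of refpolicy's domtrans_pattern() macro."""
    return "type_transition %s %s:process %s;" % (source, entrypoint, domain)


def expand(rules):
    """Yield (source, target, class, default), expanding attribute sources."""
    for line in rules:
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        src, tgt, cls, default = m.groups()
        for s in ATTRIBUTES.get(src, [src]):
            yield s, tgt, cls, default


def find_conflicts(rules):
    """Map (source, target, class) -> sorted defaults, for keys with >1 default."""
    defaults = defaultdict(set)
    for src, tgt, cls, default in expand(rules):
        defaults[(src, tgt, cls)].add(default)
    return {k: sorted(v) for k, v in defaults.items() if len(v) > 1}


EXEC = "hadoop_datanode_initrc_exec_t"
# Constructed: the rule the quoted error reports as "old was initrc_t".
LOADED = [domtrans_pattern("init_t", EXEC, "initrc_t")]
# What init_script_domain(hadoop_datanode_initrc_t, EXEC) contributes.
SCRIPT_DOMAIN = [domtrans_pattern("init_run_all_scripts_domain", EXEC,
                                  "hadoop_datanode_initrc_t")]

if __name__ == "__main__":
    for key, vals in find_conflicts(LOADED + SCRIPT_DOMAIN).items():
        print("conflicting te rule for (%s, %s:%s): %s" % (key + (" vs ".join(vals),)))
```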


