* [refpolicy] [PATCH 1/2] hadoop: update to CDH3 @ 2010-12-10 23:22 Paul Nuzzi 2010-12-11 9:01 ` Dominick Grift 0 siblings, 1 reply; 6+ messages in thread From: Paul Nuzzi @ 2010-12-10 23:22 UTC (permalink / raw) To: refpolicy Updated the hadoop policy to work with the latest Cloudera version (CDHb3). Fixed a bug where policy was preventing exporting files from the distributed file system to the user's home directory. Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> --- policy/modules/roles/unprivuser.te | 4 ++++ policy/modules/services/hadoop.fc | 14 +++++++++----- policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++--- policy/modules/services/hadoop.te | 14 ++++++++++++++ 4 files changed, 51 insertions(+), 8 deletions(-)
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 606a257..7a48dad 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
 ')
 optional_policy(`
+ hadoop_role(user_r, user_t)
+ ')
+
+ optional_policy(`
 irc_role(user_r, user_t)
 ')
diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
index 3035be2..00a877d 100644
--- a/policy/modules/services/hadoop.fc
+++ b/policy/modules/services/hadoop.fc
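Review bot: The new `hadoop_role(user_r, user_t)` block is placed inside the `ifndef(`distro_redhat',`` branch that the hunk header shows as its enclosing context, so on Red Hat family builds `user_r` never gains the hadoop client role even though the rest of this series is chasing Cloudera's packaging of CDH3. If the intent is for unprivileged users to reach `hadoop_t` on every distro, the `optional_policy` block should be moved out of the `ifndef` guard; if the split is deliberate, the commit message should say why. Either way the grant is unconditional once the module is loaded, so a one-line comment above it stating which workflow (the DFS export mentioned in the description) needs the role would help later reviewers. The enclosing `ifndef` starts outside the hunk.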
@@ -1,10 +1,10 @@
 /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
-/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
-/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
 /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
@@ -24,10 +24,14 @@
 /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
 /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
 /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 9e9bfe7..d1ff90d 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
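Review bot: The new `cache/hdfs/` entries cover `dfs/data` and `dfs/namesecondary` but there is no matching `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)` line, so under the new per-user layout the namenode's metadata directory falls through to the generic `hadoop_var_lib_t`, which hadoop.te already lets the tasktracker manage (context line in this patch's @@ -215 hunk). That defeats the separation the per-daemon `*_var_lib_t` types exist to provide; add the `name` entry next to the other two. Separately, the `/var/lock/subsys/hadoop-datanode` context line still uses the fixed name while the init scripts moved to `hadoop-(.*-)?datanode`; if the lock files inherit the script name they presumably need the same `(.*-)?` infix or they end up unlabeled.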
@@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
 # Shared hadoop_$1 policy.
 #
- allow hadoop_$1_t self:process execmem;
+ allow hadoop_$1_t self:capability { chown kill setgid setuid };
+ allow hadoop_$1_t self:key search;
+ allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
 allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
 allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+ allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
 allow hadoop_$1_t self:udp_socket create_socket_perms;
 dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
@@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
 filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
 files_search_var_lib(hadoop_$1_t)
- allow hadoop_$1_t hadoop_var_run_t:dir getattr;
- files_search_pids(hadoop_$1_t)
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_t)
 allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
 manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
@@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
 files_read_etc_files(hadoop_$1_t)
+ init_read_utmp(hadoop_$1_t)
+ init_use_fds(hadoop_$1_t)
+ init_use_script_fds(hadoop_$1_t)
+ init_use_script_ptys(hadoop_$1_t)
+
+ kerberos_use(hadoop_$1_t)
+ kernel_read_kernel_sysctls(hadoop_$1_t)
+ kernel_read_sysctl(hadoop_$1_t)
+
+ logging_send_audit_msgs(hadoop_$1_t)
+ logging_send_syslog_msg(hadoop_$1_t)
+
 miscfiles_read_localization(hadoop_$1_t)
+ su_exec(hadoop_$1_t)
 sysnet_read_config(hadoop_$1_t)
 hadoop_exec_config(hadoop_$1_t)
 java_exec(hadoop_$1_t)
+ auth_domtrans_chkpwd(hadoop_$1_t)
+
 optional_policy(`
 nscd_socket_use(hadoop_$1_t)
 ')
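Review bot: `allow hadoop_$1_t self:capability { chown kill setgid setuid };` is added to the shared template, so every daemon domain it stamps out (namenode, datanode, jobtracker, tasktracker, secondary namenode) can switch to any uid/gid and chown whatever files it can reach, not just the one daemon that actually has to drop root. The follow-up in this thread says the CDH3 services start as root and `su` down; if that drop happens in the init script, these capabilities belong in `hadoop_$1_initrc_t`, and if only a particular daemon needs them they belong in that daemon's own rules in hadoop.te rather than the template. At minimum the line deserves a comment recording who needs what so it can be tightened later, e.g. `# setuid/setgid/chown: daemons start as root and su to the service user -- TODO confirm per daemon`. The template body continues outside the hunk.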
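Review bot: `auth_domtrans_chkpwd(hadoop_$1_t)` at the end of the @@ -102 hunk hands every templated daemon domain a transition into the shadow-reading password helper, and it is filed after `java_exec` instead of with the other module calls the file keeps in alphabetical order. If it is only there because `su` now runs in-domain via the `su_exec` added a few lines above, it is a symptom of that placement rather than a real daemon requirement; a root-initiated `su` to drop privileges presumably does not authenticate at all, so the rule may be removable once the su path is sorted out — worth confirming against an audit log from a permissive run. If it does stay, move it up next to `files_read_etc_files` and add a comment naming the code path that needs it.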
@@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
 consoletype_exec(hadoop_$1_initrc_t)
 fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+ fs_search_cgroup_dirs(hadoop_$1_initrc_t)
 term_use_generic_ptys(hadoop_$1_initrc_t)
 hadoop_exec_config(hadoop_$1_initrc_t)
 init_rw_utmp(hadoop_$1_initrc_t)
+ init_use_fds(hadoop_$1_initrc_t)
 init_use_script_ptys(hadoop_$1_initrc_t)
 logging_send_syslog_msg(hadoop_$1_initrc_t)
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 35a8131..b103f89 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
 dev_read_rand(hadoop_t)
 dev_read_sysfs(hadoop_t)
 dev_read_urand(hadoop_t)
+domain_use_interactive_fds(hadoop_t)
 files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
 files_read_usr_files(hadoop_t)
+files_search_var_lib(hadoop_t)
 fs_getattr_xattr_fs(hadoop_t)
+kerberos_use(hadoop_t)
+
 miscfiles_read_localization(hadoop_t)
+sysnet_read_config(hadoop_t)
+
 userdom_dontaudit_search_user_home_dirs(hadoop_t)
+userdom_list_user_home_content(hadoop_t)
+userdom_manage_user_home_content_files(hadoop_t)
 userdom_use_user_terminals(hadoop_t)
 java_exec(hadoop_t)
@@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
 corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
 filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
 fs_getattr_xattr_fs(hadoop_tasktracker_t)
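Review bot: In the @@ -133 hunk `userdom_dontaudit_search_user_home_dirs(hadoop_t)` is kept directly above the new `userdom_list_user_home_content(hadoop_t)`, but the list interface allows search on the home directories, so the dontaudit is now dead and only obscures the fact that the denial it used to hide no longer exists; drop it in the same change. The commit message describes one use case, exporting DFS files into the user's home, yet the new manage grant presumably covers every user home content type, including dotfiles the shell and ssh trust, which is a far wider write path than that use case needs and deserves a comment stating what `hadoop_t` actually writes there.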
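Review bot: In the @@ -215 hunk `setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)` lets the tasktracker change mode and ownership of the shared `hadoop_log_t` directory that, judging by the `filetrans_pattern` on the next line, is the parent the per-daemon log directories are created in, and together with the `chown` capability this patch adds to the template that is enough to hand that directory to another uid. If the tasktracker only needs to adjust directories it creates itself, the existing `hadoop_tasktracker_log_t` manage rule already covers them and the setattr on the parent type can be dropped; if it genuinely has to chmod the shared directory, say so next to the rule, e.g. `# tasktracker resets perms on the shared log dir at startup -- TODO confirm which perm is needed`. The tasktracker rules continue outside the hunk.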
@@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
 dev_read_rand(zookeeper_t)
 dev_read_sysfs(zookeeper_t)
 dev_read_urand(zookeeper_t)
+domain_use_interactive_fds(zookeeper_t)
 files_read_etc_files(zookeeper_t)
 files_read_usr_files(zookeeper_t)
^ permalink raw reply related [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 1/2] hadoop: update to CDH3 2010-12-10 23:22 [refpolicy] [PATCH 1/2] hadoop: update to CDH3 Paul Nuzzi @ 2010-12-11 9:01 ` Dominick Grift 2010-12-13 15:39 ` Paul Nuzzi 0 siblings, 1 reply; 6+ messages in thread From: Dominick Grift @ 2010-12-11 9:01 UTC (permalink / raw) To: refpolicy -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/11/2010 12:22 AM, Paul Nuzzi wrote: > Updated the hadoop policy to work with the latest Cloudera version (CDHb3). > Fixed a bug where policy was preventing exporting files from the > distributed file system to the user's home directory. > > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- > > policy/modules/roles/unprivuser.te | 4 ++++ > policy/modules/services/hadoop.fc | 14 +++++++++----- > policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++--- > policy/modules/services/hadoop.te | 14 ++++++++++++++ > 4 files changed, 51 insertions(+), 8 deletions(-) > > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te > index 606a257..7a48dad 100644 > --- a/policy/modules/roles/unprivuser.te > +++ b/policy/modules/roles/unprivuser.te > @@ -70,6 +70,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + hadoop_role(user_r, user_t) > + ') > + > + optional_policy(` > irc_role(user_r, user_t) > ') > > diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc > index 3035be2..00a877d 100644 > --- a/policy/modules/services/hadoop.fc > +++ b/policy/modules/services/hadoop.fc 
> @@ -1,10 +1,10 @@ > /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0) > > -/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) > -/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) > -/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) > -/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) > -/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) > +/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) > +/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) > +/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) > +/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) > +/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) > /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0) > > /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) 
> @@ -24,10 +24,14 @@ > > /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0) > /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) > +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) > /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0) > /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) > +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) > /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) > +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) > /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) > +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) > /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0) > > /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0) > diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if > index 9e9bfe7..d1ff90d 100644 > --- a/policy/modules/services/hadoop.if > +++ b/policy/modules/services/hadoop.if 
> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',` > # Shared hadoop_$1 policy. > # > > - allow hadoop_$1_t self:process execmem; > + allow hadoop_$1_t self:capability { chown kill setgid setuid }; > + allow hadoop_$1_t self:key search; > + allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal }; > allow hadoop_$1_t self:fifo_file rw_fifo_file_perms; > allow hadoop_$1_t self:tcp_socket create_stream_socket_perms; > + allow hadoop_$1_t self:unix_dgram_socket create_socket_perms; > allow hadoop_$1_t self:udp_socket create_socket_perms; > dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms; > > @@ -69,8 +72,9 @@ template(`hadoop_domain_template',` > filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file) > files_search_var_lib(hadoop_$1_t) > > - allow hadoop_$1_t hadoop_var_run_t:dir getattr; > - files_search_pids(hadoop_$1_t) > + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) > + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) > + files_search_pids(hadoop_$1_t) > > allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms; > manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t) 
> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',` > > files_read_etc_files(hadoop_$1_t) > > + init_read_utmp(hadoop_$1_t) > + init_use_fds(hadoop_$1_t) > + init_use_script_fds(hadoop_$1_t) > + init_use_script_ptys(hadoop_$1_t) > + > + kerberos_use(hadoop_$1_t) Does hadoop depend on kerberos? If no then kerberos_use should probably be optional. > + kernel_read_kernel_sysctls(hadoop_$1_t) > + kernel_read_sysctl(hadoop_$1_t) > + > + logging_send_audit_msgs(hadoop_$1_t) > + logging_send_syslog_msg(hadoop_$1_t) > + > miscfiles_read_localization(hadoop_$1_t) > > + su_exec(hadoop_$1_t) Does hadoop depend on su? If not then su_exec should probably be optional. (btw would sudo work?) > sysnet_read_config(hadoop_$1_t) > > hadoop_exec_config(hadoop_$1_t) > > java_exec(hadoop_$1_t) > > + auth_domtrans_chkpwd(hadoop_$1_t) > + > optional_policy(` > nscd_socket_use(hadoop_$1_t) > ') > @@ -156,12 +175,14 @@ template(`hadoop_domain_template',` > consoletype_exec(hadoop_$1_initrc_t) > > fs_getattr_xattr_fs(hadoop_$1_initrc_t) > + fs_search_cgroup_dirs(hadoop_$1_initrc_t) > > term_use_generic_ptys(hadoop_$1_initrc_t) > > hadoop_exec_config(hadoop_$1_initrc_t) > > init_rw_utmp(hadoop_$1_initrc_t) > + init_use_fds(hadoop_$1_initrc_t) > init_use_script_ptys(hadoop_$1_initrc_t) > > logging_send_syslog_msg(hadoop_$1_initrc_t) > diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te > index 35a8131..b103f89 100644 > --- a/policy/modules/services/hadoop.te > +++ b/policy/modules/services/hadoop.te 
> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t) > dev_read_rand(hadoop_t) > dev_read_sysfs(hadoop_t) > dev_read_urand(hadoop_t) > +domain_use_interactive_fds(hadoop_t) > > files_dontaudit_search_spool(hadoop_t) > +files_read_etc_files(hadoop_t) > files_read_usr_files(hadoop_t) > +files_search_var_lib(hadoop_t) > > fs_getattr_xattr_fs(hadoop_t) > > +kerberos_use(hadoop_t) > + > miscfiles_read_localization(hadoop_t) > > +sysnet_read_config(hadoop_t) > + > userdom_dontaudit_search_user_home_dirs(hadoop_t) > +userdom_list_user_home_content(hadoop_t) > +userdom_manage_user_home_content_files(hadoop_t) > userdom_use_user_terminals(hadoop_t) > > java_exec(hadoop_t) > @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t) > corenet_tcp_connect_zope_port(hadoop_tasktracker_t) > > manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t); > +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t) > filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir) > > +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file) > +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t) > + > manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t) > > fs_getattr_xattr_fs(hadoop_tasktracker_t) 
> @@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t) > dev_read_rand(zookeeper_t) > dev_read_sysfs(zookeeper_t) > dev_read_urand(zookeeper_t) > +domain_use_interactive_fds(zookeeper_t) > > files_read_etc_files(zookeeper_t) > files_read_usr_files(zookeeper_t) > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0DPfYACgkQMlxVo39jgT/FRQCaAnmATWIf2/KsG5GZylufw5La 8KQAn3/XDpXh/FN61oWR3WAmTW7wzIsH =qPch -----END PGP SIGNATURE----- ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 1/2] hadoop: update to CDH3 2010-12-11 9:01 ` Dominick Grift @ 2010-12-13 15:39 ` Paul Nuzzi 2010-12-15 20:17 ` Christopher J. PeBenito 0 siblings, 1 reply; 6+ messages in thread From: Paul Nuzzi @ 2010-12-13 15:39 UTC (permalink / raw) To: refpolicy On 12/11/2010 04:01 AM, Dominick Grift wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/11/2010 12:22 AM, Paul Nuzzi wrote: >> Updated the hadoop policy to work with the latest Cloudera version (CDHb3). >> Fixed a bug where policy was preventing exporting files from the >> distributed file system to the user's home directory. >> >> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> >> >> --- >> >> policy/modules/roles/unprivuser.te | 4 ++++ >> policy/modules/services/hadoop.fc | 14 +++++++++----- >> policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++--- >> policy/modules/services/hadoop.te | 14 ++++++++++++++ >> 4 files changed, 51 insertions(+), 8 deletions(-) >> >> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te >> index 606a257..7a48dad 100644 >> --- a/policy/modules/roles/unprivuser.te >> +++ b/policy/modules/roles/unprivuser.te >> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',` >> ') >> >> optional_policy(` >> + hadoop_role(user_r, user_t) >> + ') >> + >> + optional_policy(` >> irc_role(user_r, user_t) >> ') >> >> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc >> index 3035be2..00a877d 100644 >> --- a/policy/modules/services/hadoop.fc >> +++ b/policy/modules/services/hadoop.fc 
>> @@ -1,10 +1,10 @@ >> /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0) >> >> -/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) >> -/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) >> -/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) >> -/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) >> -/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) >> +/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) >> +/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) >> +/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) >> +/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) >> +/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) >> /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0) >> >> /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) 
>> @@ -24,10 +24,14 @@ >> >> /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0) >> /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) >> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) >> /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0) >> /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) >> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) >> /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) >> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) >> /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) >> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) >> /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0) >> >> /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0) >> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if >> index 9e9bfe7..d1ff90d 100644 >> --- a/policy/modules/services/hadoop.if >> +++ b/policy/modules/services/hadoop.if 
>> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',` >> # Shared hadoop_$1 policy. >> # >> >> - allow hadoop_$1_t self:process execmem; >> + allow hadoop_$1_t self:capability { chown kill setgid setuid }; >> + allow hadoop_$1_t self:key search; >> + allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal }; >> allow hadoop_$1_t self:fifo_file rw_fifo_file_perms; >> allow hadoop_$1_t self:tcp_socket create_stream_socket_perms; >> + allow hadoop_$1_t self:unix_dgram_socket create_socket_perms; >> allow hadoop_$1_t self:udp_socket create_socket_perms; >> dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms; >> >> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',` >> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file) >> files_search_var_lib(hadoop_$1_t) >> >> - allow hadoop_$1_t hadoop_var_run_t:dir getattr; >> - files_search_pids(hadoop_$1_t) >> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) >> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) >> + files_search_pids(hadoop_$1_t) >> >> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms; >> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t) 
>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',` >> >> files_read_etc_files(hadoop_$1_t) >> >> + init_read_utmp(hadoop_$1_t) >> + init_use_fds(hadoop_$1_t) >> + init_use_script_fds(hadoop_$1_t) >> + init_use_script_ptys(hadoop_$1_t) >> + >> + kerberos_use(hadoop_$1_t) > > Does hadoop depend on kerberos? If no then kerberos_use should probably > be optional. > The new version of hadoop added Kerberos for authentication. >> + kernel_read_kernel_sysctls(hadoop_$1_t) >> + kernel_read_sysctl(hadoop_$1_t) >> + >> + logging_send_audit_msgs(hadoop_$1_t) >> + logging_send_syslog_msg(hadoop_$1_t) >> + >> miscfiles_read_localization(hadoop_$1_t) >> >> + su_exec(hadoop_$1_t) > > Does hadoop depend on su? If not then su_exec should probably be optional. > > (btw would sudo work?) > The hadoop developers have been adding more security to the software stack. From what I can tell, the services start out as root and then execute su to drop privileges. >> sysnet_read_config(hadoop_$1_t) >> >> hadoop_exec_config(hadoop_$1_t) >> >> java_exec(hadoop_$1_t) >> >> + auth_domtrans_chkpwd(hadoop_$1_t) >> + >> optional_policy(` >> nscd_socket_use(hadoop_$1_t) >> ') >> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',` >> consoletype_exec(hadoop_$1_initrc_t) >> >> fs_getattr_xattr_fs(hadoop_$1_initrc_t) >> + fs_search_cgroup_dirs(hadoop_$1_initrc_t) >> >> term_use_generic_ptys(hadoop_$1_initrc_t) >> >> hadoop_exec_config(hadoop_$1_initrc_t) >> >> init_rw_utmp(hadoop_$1_initrc_t) >> + init_use_fds(hadoop_$1_initrc_t) >> init_use_script_ptys(hadoop_$1_initrc_t) >> >> logging_send_syslog_msg(hadoop_$1_initrc_t) >> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te >> index 35a8131..b103f89 100644 >> --- a/policy/modules/services/hadoop.te >> +++ b/policy/modules/services/hadoop.te 
>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t) >> dev_read_rand(hadoop_t) >> dev_read_sysfs(hadoop_t) >> dev_read_urand(hadoop_t) >> +domain_use_interactive_fds(hadoop_t) >> >> files_dontaudit_search_spool(hadoop_t) >> +files_read_etc_files(hadoop_t) >> files_read_usr_files(hadoop_t) >> +files_search_var_lib(hadoop_t) >> >> fs_getattr_xattr_fs(hadoop_t) >> >> +kerberos_use(hadoop_t) >> + >> miscfiles_read_localization(hadoop_t) >> >> +sysnet_read_config(hadoop_t) >> + >> userdom_dontaudit_search_user_home_dirs(hadoop_t) >> +userdom_list_user_home_content(hadoop_t) >> +userdom_manage_user_home_content_files(hadoop_t) >> userdom_use_user_terminals(hadoop_t) >> >> java_exec(hadoop_t) >> @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t) >> corenet_tcp_connect_zope_port(hadoop_tasktracker_t) >> >> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t); >> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t) >> filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir) >> >> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file) >> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t) >> + >> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t) >> >> fs_getattr_xattr_fs(hadoop_tasktracker_t) 
>> @@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t) >> dev_read_rand(zookeeper_t) >> dev_read_sysfs(zookeeper_t) >> dev_read_urand(zookeeper_t) >> +domain_use_interactive_fds(zookeeper_t) >> >> files_read_etc_files(zookeeper_t) >> files_read_usr_files(zookeeper_t) >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.16 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk0DPfYACgkQMlxVo39jgT/FRQCaAnmATWIf2/KsG5GZylufw5La > 8KQAn3/XDpXh/FN61oWR3WAmTW7wzIsH > =qPch > -----END PGP SIGNATURE----- > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy > ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 1/2] hadoop: update to CDH3 2010-12-13 15:39 ` Paul Nuzzi @ 2010-12-15 20:17 ` Christopher J. PeBenito 2010-12-16 17:33 ` Paul Nuzzi 0 siblings, 1 reply; 6+ messages in thread From: Christopher J. PeBenito @ 2010-12-15 20:17 UTC (permalink / raw) To: refpolicy On 12/13/10 10:39, Paul Nuzzi wrote: > On 12/11/2010 04:01 AM, Dominick Grift wrote: > On 12/11/2010 12:22 AM, Paul Nuzzi wrote: >>>> Updated the hadoop policy to work with the latest Cloudera version (CDHb3). >>>> Fixed a bug where policy was preventing exporting files from the >>>> distributed file system to the user's home directory. >>>> >>>> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> >>>> >>>> --- >>>> >>>> policy/modules/roles/unprivuser.te | 4 ++++ >>>> policy/modules/services/hadoop.fc | 14 +++++++++----- >>>> policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++--- >>>> policy/modules/services/hadoop.te | 14 ++++++++++++++ >>>> 4 files changed, 51 insertions(+), 8 deletions(-) >>>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if >>>> index 9e9bfe7..d1ff90d 100644 >>>> --- a/policy/modules/services/hadoop.if >>>> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',` >>>> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file) >>>> files_search_var_lib(hadoop_$1_t) >>>> >>>> - allow hadoop_$1_t hadoop_var_run_t:dir getattr; >>>> - files_search_pids(hadoop_$1_t) >>>> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) >>>> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) >>>> + files_search_pids(hadoop_$1_t) >>>> >>>> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms; >>>> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t) 
>>>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',` >>>> >>>> files_read_etc_files(hadoop_$1_t) >>>> >>>> + init_read_utmp(hadoop_$1_t) >>>> + init_use_fds(hadoop_$1_t) >>>> + init_use_script_fds(hadoop_$1_t) >>>> + init_use_script_ptys(hadoop_$1_t) >>>> + >>>> + kerberos_use(hadoop_$1_t) > > Does hadoop depend on kerberos? If no then kerberos_use should probably > be optional. > > >> The new version of hadoop added Kerberos for authentication. So, to be explicit, its an unconditional requirement? >>>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te >>>> index 35a8131..b103f89 100644 >>>> --- a/policy/modules/services/hadoop.te >>>> +++ b/policy/modules/services/hadoop.te >>>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t) >>>> dev_read_rand(hadoop_t) >>>> dev_read_sysfs(hadoop_t) >>>> dev_read_urand(hadoop_t) >>>> +domain_use_interactive_fds(hadoop_t) >>>> >>>> files_dontaudit_search_spool(hadoop_t) >>>> +files_read_etc_files(hadoop_t) >>>> files_read_usr_files(hadoop_t) >>>> +files_search_var_lib(hadoop_t) >>>> >>>> fs_getattr_xattr_fs(hadoop_t) >>>> >>>> +kerberos_use(hadoop_t) >>>> + >>>> miscfiles_read_localization(hadoop_t) >>>> >>>> +sysnet_read_config(hadoop_t) >>>> + >>>> userdom_dontaudit_search_user_home_dirs(hadoop_t) >>>> +userdom_list_user_home_content(hadoop_t) >>>> +userdom_manage_user_home_content_files(hadoop_t) It seems like there should be a hadoop_home_t that is userdom_user_home_content() -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 1/2] hadoop: update to CDH3 2010-12-15 20:17 ` Christopher J. PeBenito @ 2010-12-16 17:33 ` Paul Nuzzi 2011-01-05 15:23 ` Christopher J. PeBenito 0 siblings, 1 reply; 6+ messages in thread From: Paul Nuzzi @ 2010-12-16 17:33 UTC (permalink / raw) To: refpolicy On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote: > On 12/13/10 10:39, Paul Nuzzi wrote: >> On 12/11/2010 04:01 AM, Dominick Grift wrote: >> On 12/11/2010 12:22 AM, Paul Nuzzi wrote: >> >> Does hadoop depend on kerberos? If no then kerberos_use should probably >> be optional. >> >> >>> The new version of hadoop added Kerberos for authentication. > > So, to be explicit, its an unconditional requirement? Yes. I think all future versions of hadoop will be kerberos enabled. > It seems like there should be a hadoop_home_t that is > userdom_user_home_content() Updated. Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> --- policy/modules/roles/unprivuser.te | 4 ++++ policy/modules/services/hadoop.fc | 14 +++++++++----- policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++--- policy/modules/services/hadoop.te | 24 +++++++++++++++++++++++- 4 files changed, 60 insertions(+), 9 deletions(-) diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 606a257..7a48dad 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -70,6 +70,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + hadoop_role(user_r, user_t) + ') + + optional_policy(` irc_role(user_r, user_t) ') diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc index 3035be2..00a877d 100644 --- a/policy/modules/services/hadoop.fc +++ b/policy/modules/services/hadoop.fc 
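Review bot: The v2 unprivuser.te hunk is unchanged from v1, so `hadoop_role(user_r, user_t)` still lands inside the `ifndef(`distro_redhat',`` branch named in the hunk header and is compiled out on Red Hat family builds, which is where the Cloudera packages this series tracks are most likely to be installed. If the role is meant to be available everywhere, move the `optional_policy` block below the `ifndef` guard; if the distro split is intentional, a short comment above the block or a sentence in the commit message should record that. The enclosing `ifndef` starts outside the hunk.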
@@ -1,10 +1,10 @@
 /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
 
-/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
-/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
 /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
 
 /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
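Review bot: The new `/etc/init\.d/hadoop-(.*-)?datanode` pattern and its four siblings use `.*`, which in a file-context regex also matches `/`, so a regular file at a deeper path (say `/etc/init.d/hadoop-x/y-datanode`, a constructed example) would also receive hadoop_datanode_initrc_exec_t. This mirrors the pre-existing `/etc/rc\.d/init\.d/hadoop-(.*-)?datanode` context line, so it is a consistency nit rather than a regression; `hadoop-([^/]*-)?datanode` keeps the match inside the directory. The optional middle component is presumably there for the CDH3 package naming of the init scripts — a one-line comment in the .fc saying which script names it is meant to cover would help the next version bump.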
@@ -24,10 +24,14 @@
 
 /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
 /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
 
 /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 9e9bfe7..d07e172 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
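Review bot: No `cache/hdfs/dfs/name` entry accompanies the new `cache/hdfs/dfs/data` and `cache/hdfs/dfs/namesecondary` lines, so a namenode whose image directory lives under the hdfs user's cache would fall back to the generic hadoop_var_lib_t instead of hadoop_namenode_var_lib_t. If CDH3 puts the namenode directory there as it does for the other two daemons, add `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)`. Since the old `cache/hadoop/...` entries are kept next to the new `cache/hdfs/...` and `cache/mapred/...` ones, a short comment naming which layout belongs to which Hadoop version would tell a later maintainer when the old entries can go.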
@@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
 # Shared hadoop_$1 policy.
 #
 
- allow hadoop_$1_t self:process execmem;
+ allow hadoop_$1_t self:capability { chown kill setgid setuid };
+ allow hadoop_$1_t self:key search;
+ allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
 allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
 allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+ allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
 allow hadoop_$1_t self:udp_socket create_socket_perms;
 dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
 
@@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
 filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
 files_search_var_lib(hadoop_$1_t)
 
- allow hadoop_$1_t hadoop_var_run_t:dir getattr;
- files_search_pids(hadoop_$1_t)
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_t)
 
 allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
 manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
@@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
 
 files_read_etc_files(hadoop_$1_t)
 
+ init_read_utmp(hadoop_$1_t)
+ init_use_fds(hadoop_$1_t)
+ init_use_script_fds(hadoop_$1_t)
+ init_use_script_ptys(hadoop_$1_t)
+
+ kerberos_use(hadoop_$1_t)
+ kernel_read_kernel_sysctls(hadoop_$1_t)
+ kernel_read_sysctl(hadoop_$1_t)
+
+ logging_send_audit_msgs(hadoop_$1_t)
+ logging_send_syslog_msg(hadoop_$1_t)
+
 miscfiles_read_localization(hadoop_$1_t)
 
+ su_exec(hadoop_$1_t)
 sysnet_read_config(hadoop_$1_t)
 
 hadoop_exec_config(hadoop_$1_t)
 
 java_exec(hadoop_$1_t)
 
+ auth_domtrans_chkpwd(hadoop_$1_t)
+
 optional_policy(`
 nscd_socket_use(hadoop_$1_t)
 ')
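Review bot: `allow hadoop_$1_t self:capability { chown kill setgid setuid };` in the @@ -52 hunk, together with `su_exec(hadoop_$1_t)` and `auth_domtrans_chkpwd(hadoop_$1_t)` in the @@ -102 hunk of the same file, goes through the shared template, so every domain it instantiates (datanode, namenode, jobtracker, secondarynamenode, tasktracker) can change uid/gid, chown files, run su and transition to the password checker. If only the tasktracker's task launcher needs to change identity, which looks like the likely reason, these rules belong in the tasktracker-specific block of hadoop.te, where per-daemon rules already live, rather than in the template. Whichever placement is kept, a why-comment is missing; something like `# setuid/setgid/chown/su: task launcher runs jobs as the submitting user -- TODO confirm which daemons need this` above the capability line would do. The template body continues outside these hunks.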
@@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
 consoletype_exec(hadoop_$1_initrc_t)
 
 fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+ fs_search_cgroup_dirs(hadoop_$1_initrc_t)
 
 term_use_generic_ptys(hadoop_$1_initrc_t)
 
 hadoop_exec_config(hadoop_$1_initrc_t)
 
 init_rw_utmp(hadoop_$1_initrc_t)
+ init_use_fds(hadoop_$1_initrc_t)
 init_use_script_ptys(hadoop_$1_initrc_t)
 
 logging_send_syslog_msg(hadoop_$1_initrc_t)
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 35a8131..ddf9ef7 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -15,6 +15,11 @@ ubac_constrained(hadoop_t)
 type hadoop_etc_t;
 files_config_file(hadoop_etc_t)
 
+type hadoop_home_t;
+typealias hadoop_home_t alias { user_hadoop_home_t staff_hadoop_home_t sysadm_hadoop_home_t };
+typealias hadoop_home_t alias { auditadm_hadoop_home_t secadm_hadoop_home_t };
+userdom_user_home_content(hadoop_home_t)
+
 type hadoop_log_t;
 logging_log_file(hadoop_log_t)
 
@@ -133,15 +138,27 @@ corenet_tcp_connect_generic_port(hadoop_t)
 dev_read_rand(hadoop_t)
 dev_read_sysfs(hadoop_t)
 dev_read_urand(hadoop_t)
+domain_use_interactive_fds(hadoop_t)
 
 files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
 files_read_usr_files(hadoop_t)
+files_search_var_lib(hadoop_t)
 
 fs_getattr_xattr_fs(hadoop_t)
 
+kerberos_use(hadoop_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+userdom_search_user_home_dirs(hadoop_t)
+userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
+
 miscfiles_read_localization(hadoop_t)
 
-userdom_dontaudit_search_user_home_dirs(hadoop_t)
+sysnet_read_config(hadoop_t)
+
 userdom_use_user_terminals(hadoop_t)
 
 java_exec(hadoop_t)
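Review bot: `userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })` in the @@ -133 hunk labels every file and directory hadoop_t creates directly in a user's home as hadoop_home_t, not only the HDFS exports the commit message describes, and the hadoop.fc hunks in this patch (which account for its whole 14-line diffstat) add no entry for hadoop_home_t, so a relabel would reset those objects to the default home-content type. If the client writes to a fixed location, a HOME_DIR-relative .fc entry would make the label reproducible; if it writes to arbitrary user-chosen paths, a comment should say so, since the filetrans is then the only source of the label. A comment above the manage_*_pattern block, e.g. `# hadoop client exports HDFS files into the user's home as hadoop_home_t`, would also tie these rules to the bug they fix. The typealias lines in the @@ -15 hunk follow the usual home-content convention and need no change.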
@@ -215,8 +232,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
 corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
 
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
 filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
 
+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
 
 fs_getattr_xattr_fs(hadoop_tasktracker_t)
@@ -275,6 +296,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
 dev_read_rand(zookeeper_t)
 dev_read_sysfs(zookeeper_t)
 dev_read_urand(zookeeper_t)
+domain_use_interactive_fds(zookeeper_t)
 
 files_read_etc_files(zookeeper_t)
 files_read_usr_files(zookeeper_t)
^ permalink raw reply related [flat|nested] 6+ messages in thread
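Review bot: `setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)` lets the tasktracker change mode and ownership of the shared hadoop_log_t directory used by all hadoop daemons, while the `manage_dirs_pattern` line above it already covers the tasktracker's own hadoop_tasktracker_log_t subtree. If the setattr is only needed on the subdirectory the filetrans below creates, this line can be dropped; if a chown/chmod of the parent really happens at startup, a one-line comment such as `# tasktracker chmods the shared log dir at startup` would stop the next reviewer from removing it. Changing ownership there additionally relies on the `chown` capability granted to every daemon in the hadoop.if template, so the two grants should be justified together. The @@ -275 zookeeper hunk is a straightforward fd rule and needs nothing.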
* [refpolicy] [PATCH 1/2] hadoop: update to CDH3 2010-12-16 17:33 ` Paul Nuzzi @ 2011-01-05 15:23 ` Christopher J. PeBenito 0 siblings, 0 replies; 6+ messages in thread From: Christopher J. PeBenito @ 2011-01-05 15:23 UTC (permalink / raw) To: refpolicy On 12/16/10 12:33, Paul Nuzzi wrote: > On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote: >> On 12/13/10 10:39, Paul Nuzzi wrote: >>> On 12/11/2010 04:01 AM, Dominick Grift wrote: >>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote: >>> >>> Does hadoop depend on kerberos? If no then kerberos_use should probably >>> be optional. >>> >>> >>>> The new version of hadoop added Kerberos for authentication. >> >> So, to be explicit, its an unconditional requirement? > > Yes. I think all future versions of hadoop will be kerberos enabled. > >> It seems like there should be a hadoop_home_t that is >> userdom_user_home_content() > > Updated. Merged. I did some rule rearranging and whitespace cleanup. > Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil> > > --- > policy/modules/roles/unprivuser.te | 4 ++++ > policy/modules/services/hadoop.fc | 14 +++++++++----- > policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++--- > policy/modules/services/hadoop.te | 24 +++++++++++++++++++++++- > 4 files changed, 60 insertions(+), 9 deletions(-) > > diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te > index 606a257..7a48dad 100644 > --- a/policy/modules/roles/unprivuser.te > +++ b/policy/modules/roles/unprivuser.te > @@ -70,6 +70,10 @@ ifndef(`distro_redhat',` > ') > > optional_policy(` > + hadoop_role(user_r, user_t) > + ') > + > + optional_policy(` > irc_role(user_r, user_t) > ') > > diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc > index 3035be2..00a877d 100644 > --- a/policy/modules/services/hadoop.fc > +++ b/policy/modules/services/hadoop.fc 
> @@ -1,10 +1,10 @@
> /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
> 
> -/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
> 
> /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> @@ -24,10 +24,14 @@
> 
> /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
> 
> /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index 9e9bfe7..d07e172 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
> # Shared hadoop_$1 policy.
> #
> 
> - allow hadoop_$1_t self:process execmem;
> + allow hadoop_$1_t self:capability { chown kill setgid setuid };
> + allow hadoop_$1_t self:key search;
> + allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
> allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
> allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
> + allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
> allow hadoop_$1_t self:udp_socket create_socket_perms;
> dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
> 
> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
> files_search_var_lib(hadoop_$1_t)
> 
> - allow hadoop_$1_t hadoop_var_run_t:dir getattr;
> - files_search_pids(hadoop_$1_t)
> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
> + files_search_pids(hadoop_$1_t)
> 
> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
> 
> files_read_etc_files(hadoop_$1_t)
> 
> + init_read_utmp(hadoop_$1_t)
> + init_use_fds(hadoop_$1_t)
> + init_use_script_fds(hadoop_$1_t)
> + init_use_script_ptys(hadoop_$1_t)
> +
> + kerberos_use(hadoop_$1_t)
> + kernel_read_kernel_sysctls(hadoop_$1_t)
> + kernel_read_sysctl(hadoop_$1_t)
> +
> + logging_send_audit_msgs(hadoop_$1_t)
> + logging_send_syslog_msg(hadoop_$1_t)
> +
> miscfiles_read_localization(hadoop_$1_t)
> 
> + su_exec(hadoop_$1_t)
> sysnet_read_config(hadoop_$1_t)
> 
> hadoop_exec_config(hadoop_$1_t)
> 
> java_exec(hadoop_$1_t)
> 
> + auth_domtrans_chkpwd(hadoop_$1_t)
> +
> optional_policy(`
> nscd_socket_use(hadoop_$1_t)
> ')
> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
> consoletype_exec(hadoop_$1_initrc_t)
> 
> fs_getattr_xattr_fs(hadoop_$1_initrc_t)
> + fs_search_cgroup_dirs(hadoop_$1_initrc_t)
> 
> term_use_generic_ptys(hadoop_$1_initrc_t)
> 
> hadoop_exec_config(hadoop_$1_initrc_t)
> 
> init_rw_utmp(hadoop_$1_initrc_t)
> + init_use_fds(hadoop_$1_initrc_t)
> init_use_script_ptys(hadoop_$1_initrc_t)
> 
> logging_send_syslog_msg(hadoop_$1_initrc_t)
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 35a8131..ddf9ef7 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -15,6 +15,11 @@ ubac_constrained(hadoop_t)
> type hadoop_etc_t;
> files_config_file(hadoop_etc_t)
> 
> +type hadoop_home_t;
> +typealias hadoop_home_t alias { user_hadoop_home_t staff_hadoop_home_t sysadm_hadoop_home_t };
> +typealias hadoop_home_t alias { auditadm_hadoop_home_t secadm_hadoop_home_t };
> +userdom_user_home_content(hadoop_home_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
> 
> @@ -133,15 +138,27 @@ corenet_tcp_connect_generic_port(hadoop_t)
> dev_read_rand(hadoop_t)
> dev_read_sysfs(hadoop_t)
> dev_read_urand(hadoop_t)
> +domain_use_interactive_fds(hadoop_t)
> 
> files_dontaudit_search_spool(hadoop_t)
> +files_read_etc_files(hadoop_t)
> files_read_usr_files(hadoop_t)
> +files_search_var_lib(hadoop_t)
> 
> fs_getattr_xattr_fs(hadoop_t)
> 
> +kerberos_use(hadoop_t)
> +
> +manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +userdom_search_user_home_dirs(hadoop_t)
> +userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
> +
> miscfiles_read_localization(hadoop_t)
> 
> -userdom_dontaudit_search_user_home_dirs(hadoop_t)
> +sysnet_read_config(hadoop_t)
> +
> userdom_use_user_terminals(hadoop_t)
> 
> java_exec(hadoop_t)
> @@ -215,8 +232,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
> corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
> 
> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
> filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
> 
> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
> +
> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
> 
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
> @@ -275,6 +296,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
> dev_read_rand(zookeeper_t)
> dev_read_sysfs(zookeeper_t)
> dev_read_urand(zookeeper_t)
> +domain_use_interactive_fds(zookeeper_t)
> 
> files_read_etc_files(zookeeper_t)
> files_read_usr_files(zookeeper_t)
-- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 6+ messages in thread