From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec
Date: Mon, 13 Dec 2010 10:41:42 -0500	[thread overview]
Message-ID: <4D063EB6.6080601@tycho.ncsc.mil> (raw)
In-Reply-To: <4D033CBE.9020000@gmail.com>

On 12/11/2010 03:56 AM, Dominick Grift wrote:
> ^ I think this should probably be optional, as I believe there is no need
> for the ipsec module to depend on the hadoop module.
> 
> optional_policy(`
>  hadoop_lan_setcontext(setkey_t)
> ')
> 

You are right.


Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
 
---
 policy/modules/services/hadoop.if |  202 ++++++++++++++++++++++++++++++++++++++
 policy/modules/services/hadoop.te |   45 ++++++++
 policy/modules/system/ipsec.te    |    5 
 3 files changed, 252 insertions(+)

diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index d07e172..c1ca3a6 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -106,6 +106,8 @@ template(`hadoop_domain_template',`
 
 	files_read_etc_files(hadoop_$1_t)
 
+	hadoop_lan_polmatch(hadoop_$1_t)
+
 	init_read_utmp(hadoop_$1_t)
 	init_use_fds(hadoop_$1_t)
 	init_use_script_fds(hadoop_$1_t)
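Review bot: The `hadoop_lan_polmatch(hadoop_$1_t)` call added at the top of the hunk carries no comment explaining why every domain produced by hadoop_domain_template must match SPD entries labeled hadoop_lan_t, and the template body begins and ends outside the hunk. A one-line comment such as `# labeled ipsec: match the hadoop_lan_t SPD entries that cover hadoop traffic` above the call would tell a later reader why this is unconditional rather than inside a tunable or optional block. hadoop_t and the two zookeeper domains receive the same grant through explicit calls in hadoop.te, so anyone refactoring the template later needs to keep those in step.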
@@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
 	hadoop_read_config($1)
 	allow $1 hadoop_etc_t:file exec_file_perms;
 ')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	polmatch on hadoop_lan_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing polmatch
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_lan_polmatch',`
+	gen_require(`
+		type hadoop_lan_t;
+	')
+
+	allow $1 hadoop_lan_t:association polmatch;
+')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	setcontext on hadoop_lan_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing setcontext
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_lan_setcontext',`
+	gen_require(`
+		type hadoop_lan_t;
+	')
+
+	allow $1 hadoop_lan_t:association setcontext;
+')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recv hadoop_datanode_t	
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recv
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_datanode_recv',`
+	gen_require(`
+		type hadoop_datanode_t;
+	')
+
+	allow $1 hadoop_datanode_t:peer recv;
+')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recv hadoop_namenode_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recv
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_namenode_recv',`
+	gen_require(`
+		type hadoop_namenode_t;
+	')
+
+	allow $1 hadoop_namenode_t:peer recv;
+')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recv hadoop_jobtracker_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recv
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_jobtracker_recv',`
+	gen_require(`
+		type hadoop_jobtracker_t;
+	')
+
+	allow $1 hadoop_jobtracker_t:peer recv;
+')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recv hadoop_tasktracker_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recv
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_tasktracker_recv',`
+	gen_require(`
+		type hadoop_tasktracker_t;
+	')
+
+	allow $1 hadoop_tasktracker_t:peer recv;
+')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recv hadoop_secondarynamenode_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recv
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_secondarynamenode_recv',`
+	gen_require(`
+		type hadoop_secondarynamenode_t;
+	')
+
+	allow $1 hadoop_secondarynamenode_t:peer recv;
+')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recv hadoop_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recv
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_recv',`
+	gen_require(`
+		type hadoop_t;
+	')
+
+	allow $1 hadoop_t:peer recv;
+')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recv zookeeper_server_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recv
+##	permission
+##	</summary>
+## </param>
+#
+interface(`zookeeper_server_recv',`
+	gen_require(`
+		type zookeeper_server_t;
+	')
+
+	allow $1 zookeeper_server_t:peer recv;
+')
+
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recv zookeeper_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recv
+##	permission
+##	</summary>
+## </param>
+#
+interface(`zookeeper_recv',`
+	gen_require(`
+		type zookeeper_t;
+	')
+
+	allow $1 zookeeper_t:peer recv;
+')
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index b103f89..e4bbe97 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
 type hadoop_etc_t;
 files_config_file(hadoop_etc_t)
 
+type hadoop_lan_t;
+files_type(hadoop_lan_t)
+
 type hadoop_log_t;
 logging_log_file(hadoop_log_t)
 
@@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
 
 allow hadoop_t hadoop_domain:process signull;
 
+hadoop_lan_polmatch(hadoop_t)
+allow hadoop_t self:peer recv;
+hadoop_datanode_recv(hadoop_t)
+hadoop_jobtracker_recv(hadoop_t)
+hadoop_namenode_recv(hadoop_t)
+hadoop_tasktracker_recv(hadoop_t)
+
 read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
 read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
 can_exec(hadoop_t, hadoop_etc_t)
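Review bot: The block of `self:peer recv` plus cross-domain `*_recv()` calls added here is repeated, with a different subset of peers each time, in the datanode, jobtracker, namenode, secondary namenode and tasktracker hunks of this file, and nothing records why the subsets differ (only the namenode may receive from the secondary namenode, hadoop_t receives from four of the five daemons, and the tasktracker list is not in the alphabetical order the other blocks use). Since the file already uses the `hadoop_domain` attribute (`allow hadoop_t hadoop_domain:process signull;` just above), a single `allow hadoop_domain hadoop_domain:peer recv;` in the template, or in this file if hadoop_t is not a member of the attribute, would express "hadoop domains receive labeled traffic from each other" once and leave only the genuinely different cases to spell out. If the per-domain subsets are deliberate least-privilege choices, a short comment on each block saying so would be enough; the two zookeeper hunks only pair zookeeper_t with zookeeper_server_t and can stay as written.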
@@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
 
 fs_getattr_xattr_fs(hadoop_datanode_t)
 
+allow hadoop_datanode_t self:peer recv;
+hadoop_jobtracker_recv(hadoop_datanode_t)
+hadoop_namenode_recv(hadoop_datanode_t)
+hadoop_recv(hadoop_datanode_t)
+hadoop_tasktracker_recv(hadoop_datanode_t)
+
 ########################################
 #
 # Hadoop jobtracker policy.
@@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
 corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
 corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
 
+allow hadoop_jobtracker_t self:peer recv;
+hadoop_datanode_recv(hadoop_jobtracker_t)
+hadoop_namenode_recv(hadoop_jobtracker_t)
+hadoop_recv(hadoop_jobtracker_t)
+hadoop_tasktracker_recv(hadoop_jobtracker_t)
+
 ########################################
 #
 # Hadoop namenode policy.
@@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
 corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
 corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
 
+allow hadoop_namenode_t self:peer recv;
+hadoop_datanode_recv(hadoop_namenode_t)
+hadoop_jobtracker_recv(hadoop_namenode_t)
+hadoop_recv(hadoop_namenode_t)
+hadoop_secondarynamenode_recv(hadoop_namenode_t)
+hadoop_tasktracker_recv(hadoop_namenode_t)
+
 ########################################
 #
 # Hadoop secondary namenode policy.
@@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
 
 corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
 
+allow hadoop_secondarynamenode_t self:peer recv;
+hadoop_namenode_recv(hadoop_secondarynamenode_t)
+
 ########################################
 #
 # Hadoop tasktracker policy.
@@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
 
 fs_getattr_xattr_fs(hadoop_tasktracker_t)
 
+allow hadoop_tasktracker_t self:peer recv;
+hadoop_datanode_recv(hadoop_tasktracker_t)
+hadoop_jobtracker_recv(hadoop_tasktracker_t)
+hadoop_recv(hadoop_tasktracker_t)
+hadoop_namenode_recv(hadoop_tasktracker_t)
+
 ########################################
 #
 # Hadoop zookeeper client policy.
@@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
 allow zookeeper_t self:udp_socket create_socket_perms;
 dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
 
+hadoop_lan_polmatch(zookeeper_t)
+zookeeper_server_recv(zookeeper_t)
+
 read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
 read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
 
@@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
 allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
 allow zookeeper_server_t self:udp_socket create_socket_perms;
 
+hadoop_lan_polmatch(zookeeper_server_t)
+allow zookeeper_server_t self:peer recv;
+zookeeper_recv(zookeeper_server_t)
+
 allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
 files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
 
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d82ff45..c6545bb 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -422,3 +422,8 @@ miscfiles_read_localization(setkey_t)
 seutil_read_config(setkey_t)
 
 userdom_use_user_terminals(setkey_t)
+
+optional_policy(`
+	hadoop_lan_setcontext(setkey_t)
+')
+
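Review bot: The hunk adds an empty line after the closing `')`, so ipsec.te now ends with a blank line, which refpolicy sources avoid; drop the final added line. The optional block also has no comment saying what it is for, and ipsec.te otherwise never refers to hadoop, so a line such as `# labeled ipsec: let setkey install SPD entries labeled hadoop_lan_t` above the `optional_policy(` would explain why an IPsec utility domain reaches into the hadoop module.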
