* [refpolicy] [PATCH 1/2] hadoop: update to CDH3
@ 2010-12-10 23:22 Paul Nuzzi
  2010-12-11  9:01 ` Dominick Grift
From: Paul Nuzzi @ 2010-12-10 23:22 UTC (permalink / raw)
  To: refpolicy

Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
Fixed a bug where the policy prevented exporting files from the
distributed file system to the user's home directory.

Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>

---

 policy/modules/roles/unprivuser.te |    4 ++++
 policy/modules/services/hadoop.fc  |   14 +++++++++-----
 policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
 policy/modules/services/hadoop.te  |   14 ++++++++++++++
 4 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 606a257..7a48dad 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+        	hadoop_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		irc_role(user_r, user_t)
 	')
 
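Review bot: The new `hadoop_role(user_r, user_t)` line is indented with eight spaces plus a tab while the neighbouring optional_policy blocks use two tabs; the same space-for-tab indentation appears on the `filetrans_pattern` and `files_search_pids` lines of the hadoop.if `@@ -69,8 +72,9 @@` hunk. Refpolicy is tab-indented throughout, so these lines should be retabbed before merge: `		hadoop_role(user_r, user_t)`. The enclosing `ifndef(`distro_redhat'` block starts outside the hunk, so it is worth confirming that making the hadoop role available to every user_r session only on non-Red Hat builds is the intended scope rather than an accident of where the block was inserted.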
diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
index 3035be2..00a877d 100644
--- a/policy/modules/services/hadoop.fc
+++ b/policy/modules/services/hadoop.fc
@@ -1,10 +1,10 @@
 /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
 
-/etc/init\.d/hadoop-datanode				--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-jobtracker				--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
-/etc/init\.d/hadoop-namenode				--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-secondarynamenode			--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-tasktracker				--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
 /etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
 
 /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
@@ -24,10 +24,14 @@
 
 /var/lib/hadoop.*						gen_context(system_u:object_r:hadoop_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?			gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
 /var/lib/zookeeper(/.*)?					gen_context(system_u:object_r:zookeeper_server_var_t,s0)
 
 /var/lock/subsys/hadoop-datanode			--	gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
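Review bot: The `hdfs` cache paths added for the datanode (`cache/hdfs/dfs/data`) and secondary namenode (`cache/hdfs/dfs/namesecondary`) have no counterpart for the namenode, whose only entry is still `/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?`. If the CDH3 namenode also runs as the hdfs user, as the two new entries suggest, its metadata directory would fall back to the generic `hadoop_var_lib_t` label and lose the namenode-specific type. Adding `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)?	gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)` would keep the three HDFS daemons consistent.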
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 9e9bfe7..d1ff90d 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
 	# Shared hadoop_$1 policy.
 	#
 
-	allow hadoop_$1_t self:process execmem;
+	allow hadoop_$1_t self:capability { chown kill setgid setuid };
+	allow hadoop_$1_t self:key search;
+	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
 	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
 	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
 	allow hadoop_$1_t self:udp_socket create_socket_perms;
 	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
 
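Review bot: The `chown kill setgid setuid` capabilities and the `sigkill signal` process permissions are added to the shared template, so every domain instantiated from `hadoop_domain_template` receives them whether or not it performs the root-to-service-user privilege drop described later in the thread. setuid/setgid granted in a template are hard to audit once more daemons are added; if only some daemon domains need them, consider moving them into the per-domain blocks in hadoop.te, and in any case add a why-comment above the capability line such as `# CDH3 daemons start as root and drop to the service users`. The template body begins and ends outside this hunk.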
@@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
 	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
 	files_search_var_lib(hadoop_$1_t)
 
-	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
-	files_search_pids(hadoop_$1_t)
+	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+        files_search_pids(hadoop_$1_t)
 
 	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
 	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
@@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
 
 	files_read_etc_files(hadoop_$1_t)
 
+	init_read_utmp(hadoop_$1_t)
+	init_use_fds(hadoop_$1_t)
+	init_use_script_fds(hadoop_$1_t)
+	init_use_script_ptys(hadoop_$1_t)
+
+	kerberos_use(hadoop_$1_t)
+	kernel_read_kernel_sysctls(hadoop_$1_t)
+	kernel_read_sysctl(hadoop_$1_t)
+
+	logging_send_audit_msgs(hadoop_$1_t)
+	logging_send_syslog_msg(hadoop_$1_t)
+
 	miscfiles_read_localization(hadoop_$1_t)
 
+	su_exec(hadoop_$1_t)
 	sysnet_read_config(hadoop_$1_t)
 
 	hadoop_exec_config(hadoop_$1_t)
 
 	java_exec(hadoop_$1_t)
 
+	auth_domtrans_chkpwd(hadoop_$1_t)
+
 	optional_policy(`
 		nscd_socket_use(hadoop_$1_t)
 	')
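Review bot: `auth_domtrans_chkpwd(hadoop_$1_t)` is placed after `java_exec`, and the two `kernel_read_*` calls come after the `init_*` and `kerberos_use` calls, which breaks the refpolicy ordering convention visible elsewhere in this patch (kernel-layer interfaces first, then other modules alphabetically, as the hadoop.te hunk does with `dev_`, `files_`, `fs_`, `kerberos_`, `miscfiles_`, `sysnet_`, `userdom_`). Moving `auth_domtrans_chkpwd(hadoop_$1_t)` up next to `files_read_etc_files(hadoop_$1_t)` and the `kernel_read_kernel_sysctls`/`kernel_read_sysctl` lines above the `init_*` block keeps the template consistent with the rest of the module. The template body continues outside this hunk.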
@@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
 	consoletype_exec(hadoop_$1_initrc_t)
 
 	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
 
 	term_use_generic_ptys(hadoop_$1_initrc_t)
 
 	hadoop_exec_config(hadoop_$1_initrc_t)
 
 	init_rw_utmp(hadoop_$1_initrc_t)
+	init_use_fds(hadoop_$1_initrc_t)
 	init_use_script_ptys(hadoop_$1_initrc_t)
 
 	logging_send_syslog_msg(hadoop_$1_initrc_t)
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 35a8131..b103f89 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
 dev_read_rand(hadoop_t)
 dev_read_sysfs(hadoop_t)
 dev_read_urand(hadoop_t)
+domain_use_interactive_fds(hadoop_t)
 
 files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
 files_read_usr_files(hadoop_t)
+files_search_var_lib(hadoop_t)
 
 fs_getattr_xattr_fs(hadoop_t)
 
+kerberos_use(hadoop_t)
+
 miscfiles_read_localization(hadoop_t)
 
+sysnet_read_config(hadoop_t)
+
 userdom_dontaudit_search_user_home_dirs(hadoop_t)
+userdom_list_user_home_content(hadoop_t)
+userdom_manage_user_home_content_files(hadoop_t)
 userdom_use_user_terminals(hadoop_t)
 
 java_exec(hadoop_t)
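Review bot: `userdom_dontaudit_search_user_home_dirs(hadoop_t)` is kept immediately above the new `userdom_list_user_home_content(hadoop_t)`, which, if it grants search on user home directories as its name indicates, turns the dontaudit into dead policy; dropping the dontaudit line avoids silencing denials that can no longer occur and makes the allow rule the single statement of intent. A why-comment on the two new userdom lines, e.g. `# export HDFS files into the invoking user's home directory`, would also help, since the commit message is currently the only record of why the hadoop client domain writes user home content.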
@@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
 corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
 
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
 filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
 
+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
 
 fs_getattr_xattr_fs(hadoop_tasktracker_t)
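Review bot: `setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)` lets the tasktracker change attributes of the shared `hadoop_log_t` directory itself, not only of its own `hadoop_tasktracker_log_t` directories, which the `manage_dirs_pattern` line above already covers. If the denial being fixed was a chown/chmod on the per-tasktracker directory created through the `filetrans_pattern` on the next line, the setattr rule is unnecessary; if it really is the parent log directory, a one-line comment naming the operation that needs it would let later reviewers judge whether it can be narrowed.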
@@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
 dev_read_rand(zookeeper_t)
 dev_read_sysfs(zookeeper_t)
 dev_read_urand(zookeeper_t)
+domain_use_interactive_fds(zookeeper_t)
 
 files_read_etc_files(zookeeper_t)
 files_read_usr_files(zookeeper_t)


* [refpolicy] [PATCH 1/2] hadoop: update to CDH3
  2010-12-10 23:22 [refpolicy] [PATCH 1/2] hadoop: update to CDH3 Paul Nuzzi
@ 2010-12-11  9:01 ` Dominick Grift
  2010-12-13 15:39   ` Paul Nuzzi
From: Dominick Grift @ 2010-12-11  9:01 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
> Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
> Fixed a bug where policy was preventing exporting files from the
> distributed file system to the user's home directory. 
> 
> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
> 
> ---
> 
>  policy/modules/roles/unprivuser.te |    4 ++++
>  policy/modules/services/hadoop.fc  |   14 +++++++++-----
>  policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
>  policy/modules/services/hadoop.te  |   14 ++++++++++++++
>  4 files changed, 51 insertions(+), 8 deletions(-)
> 
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 606a257..7a48dad 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> +        	hadoop_role(user_r, user_t)
> +	')
> +
> +	optional_policy(`
>  		irc_role(user_r, user_t)
>  	')
>  
> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
> index 3035be2..00a877d 100644
> --- a/policy/modules/services/hadoop.fc
> +++ b/policy/modules/services/hadoop.fc
> @@ -1,10 +1,10 @@
>  /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
>  
> -/etc/init\.d/hadoop-datanode				--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-jobtracker				--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-namenode				--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-secondarynamenode			--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-tasktracker				--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>  /etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>  
>  /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> @@ -24,10 +24,14 @@
>  
>  /var/lib/hadoop.*						gen_context(system_u:object_r:hadoop_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?			gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>  /var/lib/zookeeper(/.*)?					gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>  
>  /var/lock/subsys/hadoop-datanode			--	gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index 9e9bfe7..d1ff90d 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
>  	# Shared hadoop_$1 policy.
>  	#
>  
> -	allow hadoop_$1_t self:process execmem;
> +	allow hadoop_$1_t self:capability { chown kill setgid setuid };
> +	allow hadoop_$1_t self:key search;
> +	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
>  	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
>  	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
> +	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
>  	allow hadoop_$1_t self:udp_socket create_socket_perms;
>  	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>  
> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>  	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>  	files_search_var_lib(hadoop_$1_t)
>  
> -	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
> -	files_search_pids(hadoop_$1_t)
> +	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
> +        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
> +        files_search_pids(hadoop_$1_t)
>  
>  	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>  	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>  
>  	files_read_etc_files(hadoop_$1_t)
>  
> +	init_read_utmp(hadoop_$1_t)
> +	init_use_fds(hadoop_$1_t)
> +	init_use_script_fds(hadoop_$1_t)
> +	init_use_script_ptys(hadoop_$1_t)
> +
> +	kerberos_use(hadoop_$1_t)

Does hadoop depend on kerberos? If not, then kerberos_use should probably
be optional.

> +	kernel_read_kernel_sysctls(hadoop_$1_t)
> +	kernel_read_sysctl(hadoop_$1_t)
> +
> +	logging_send_audit_msgs(hadoop_$1_t)
> +	logging_send_syslog_msg(hadoop_$1_t)
> +
>  	miscfiles_read_localization(hadoop_$1_t)
>  
> +	su_exec(hadoop_$1_t)

Does hadoop depend on su? If not then su_exec should probably be optional.

(btw would sudo work?)

>  	sysnet_read_config(hadoop_$1_t)
>  
>  	hadoop_exec_config(hadoop_$1_t)
>  
>  	java_exec(hadoop_$1_t)
>  
> +	auth_domtrans_chkpwd(hadoop_$1_t)
> +
>  	optional_policy(`
>  		nscd_socket_use(hadoop_$1_t)
>  	')
> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
>  	consoletype_exec(hadoop_$1_initrc_t)
>  
>  	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
> +	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
>  
>  	term_use_generic_ptys(hadoop_$1_initrc_t)
>  
>  	hadoop_exec_config(hadoop_$1_initrc_t)
>  
>  	init_rw_utmp(hadoop_$1_initrc_t)
> +	init_use_fds(hadoop_$1_initrc_t)
>  	init_use_script_ptys(hadoop_$1_initrc_t)
>  
>  	logging_send_syslog_msg(hadoop_$1_initrc_t)
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 35a8131..b103f89 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
>  dev_read_rand(hadoop_t)
>  dev_read_sysfs(hadoop_t)
>  dev_read_urand(hadoop_t)
> +domain_use_interactive_fds(hadoop_t)
>  
>  files_dontaudit_search_spool(hadoop_t)
> +files_read_etc_files(hadoop_t)
>  files_read_usr_files(hadoop_t)
> +files_search_var_lib(hadoop_t)
>  
>  fs_getattr_xattr_fs(hadoop_t)
>  
> +kerberos_use(hadoop_t)
> +
>  miscfiles_read_localization(hadoop_t)
>  
> +sysnet_read_config(hadoop_t)
> +
>  userdom_dontaudit_search_user_home_dirs(hadoop_t)
> +userdom_list_user_home_content(hadoop_t)
> +userdom_manage_user_home_content_files(hadoop_t)
>  userdom_use_user_terminals(hadoop_t)
>  
>  java_exec(hadoop_t)
> @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
>  corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>  
>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
>  filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>  
> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
> +
>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>  
>  fs_getattr_xattr_fs(hadoop_tasktracker_t)
> @@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
>  dev_read_rand(zookeeper_t)
>  dev_read_sysfs(zookeeper_t)
>  dev_read_urand(zookeeper_t)
> +domain_use_interactive_fds(zookeeper_t)
>  
>  files_read_etc_files(zookeeper_t)
>  files_read_usr_files(zookeeper_t)
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0DPfYACgkQMlxVo39jgT/FRQCaAnmATWIf2/KsG5GZylufw5La
8KQAn3/XDpXh/FN61oWR3WAmTW7wzIsH
=qPch
-----END PGP SIGNATURE-----


* [refpolicy] [PATCH 1/2] hadoop: update to CDH3
  2010-12-11  9:01 ` Dominick Grift
@ 2010-12-13 15:39   ` Paul Nuzzi
  2010-12-15 20:17     ` Christopher J. PeBenito
From: Paul Nuzzi @ 2010-12-13 15:39 UTC (permalink / raw)
  To: refpolicy

On 12/11/2010 04:01 AM, Dominick Grift wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>> Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
>> Fixed a bug where policy was preventing exporting files from the
>> distributed file system to the user's home directory. 
>>
>> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
>>
>> ---
>>
>>  policy/modules/roles/unprivuser.te |    4 ++++
>>  policy/modules/services/hadoop.fc  |   14 +++++++++-----
>>  policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
>>  policy/modules/services/hadoop.te  |   14 ++++++++++++++
>>  4 files changed, 51 insertions(+), 8 deletions(-)
>>
>> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
>> index 606a257..7a48dad 100644
>> --- a/policy/modules/roles/unprivuser.te
>> +++ b/policy/modules/roles/unprivuser.te
>> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
>>  	')
>>  
>>  	optional_policy(`
>> +        	hadoop_role(user_r, user_t)
>> +	')
>> +
>> +	optional_policy(`
>>  		irc_role(user_r, user_t)
>>  	')
>>  
>> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
>> index 3035be2..00a877d 100644
>> --- a/policy/modules/services/hadoop.fc
>> +++ b/policy/modules/services/hadoop.fc
>> @@ -1,10 +1,10 @@
>>  /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
>>  
>> -/etc/init\.d/hadoop-datanode				--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-jobtracker				--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-namenode				--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-secondarynamenode			--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-tasktracker				--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>>  /etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>>  
>>  /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> @@ -24,10 +24,14 @@
>>  
>>  /var/lib/hadoop.*						gen_context(system_u:object_r:hadoop_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?			gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>>  /var/lib/zookeeper(/.*)?					gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>>  
>>  /var/lock/subsys/hadoop-datanode			--	gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>> index 9e9bfe7..d1ff90d 100644
>> --- a/policy/modules/services/hadoop.if
>> +++ b/policy/modules/services/hadoop.if
>> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
>>  	# Shared hadoop_$1 policy.
>>  	#
>>  
>> -	allow hadoop_$1_t self:process execmem;
>> +	allow hadoop_$1_t self:capability { chown kill setgid setuid };
>> +	allow hadoop_$1_t self:key search;
>> +	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
>>  	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
>>  	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
>> +	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
>>  	allow hadoop_$1_t self:udp_socket create_socket_perms;
>>  	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>>  
>> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>>  	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>>  	files_search_var_lib(hadoop_$1_t)
>>  
>> -	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
>> -	files_search_pids(hadoop_$1_t)
>> +	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
>> +        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
>> +        files_search_pids(hadoop_$1_t)
>>  
>>  	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>>  	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>>  
>>  	files_read_etc_files(hadoop_$1_t)
>>  
>> +	init_read_utmp(hadoop_$1_t)
>> +	init_use_fds(hadoop_$1_t)
>> +	init_use_script_fds(hadoop_$1_t)
>> +	init_use_script_ptys(hadoop_$1_t)
>> +
>> +	kerberos_use(hadoop_$1_t)
> 
> Does hadoop depend on kerberos? If no then kerberos_use should probably
> be optional.
> 

The new version of hadoop added Kerberos for authentication.

>> +	kernel_read_kernel_sysctls(hadoop_$1_t)
>> +	kernel_read_sysctl(hadoop_$1_t)
>> +
>> +	logging_send_audit_msgs(hadoop_$1_t)
>> +	logging_send_syslog_msg(hadoop_$1_t)
>> +
>>  	miscfiles_read_localization(hadoop_$1_t)
>>  
>> +	su_exec(hadoop_$1_t)
> 
> Does hadoop depend on su? If not then su_exec should probably be optional.
> 
> (btw would sudo work?)
> 

The hadoop developers have been adding more security to the software stack.  From what
I can tell, the services start out as root and then execute su to drop privileges. 


>>  	sysnet_read_config(hadoop_$1_t)
>>  
>>  	hadoop_exec_config(hadoop_$1_t)
>>  
>>  	java_exec(hadoop_$1_t)
>>  
>> +	auth_domtrans_chkpwd(hadoop_$1_t)
>> +
>>  	optional_policy(`
>>  		nscd_socket_use(hadoop_$1_t)
>>  	')
>> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
>>  	consoletype_exec(hadoop_$1_initrc_t)
>>  
>>  	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
>> +	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
>>  
>>  	term_use_generic_ptys(hadoop_$1_initrc_t)
>>  
>>  	hadoop_exec_config(hadoop_$1_initrc_t)
>>  
>>  	init_rw_utmp(hadoop_$1_initrc_t)
>> +	init_use_fds(hadoop_$1_initrc_t)
>>  	init_use_script_ptys(hadoop_$1_initrc_t)
>>  
>>  	logging_send_syslog_msg(hadoop_$1_initrc_t)
>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
>> index 35a8131..b103f89 100644
>> --- a/policy/modules/services/hadoop.te
>> +++ b/policy/modules/services/hadoop.te
>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
>>  dev_read_rand(hadoop_t)
>>  dev_read_sysfs(hadoop_t)
>>  dev_read_urand(hadoop_t)
>> +domain_use_interactive_fds(hadoop_t)
>>  
>>  files_dontaudit_search_spool(hadoop_t)
>> +files_read_etc_files(hadoop_t)
>>  files_read_usr_files(hadoop_t)
>> +files_search_var_lib(hadoop_t)
>>  
>>  fs_getattr_xattr_fs(hadoop_t)
>>  
>> +kerberos_use(hadoop_t)
>> +
>>  miscfiles_read_localization(hadoop_t)
>>  
>> +sysnet_read_config(hadoop_t)
>> +
>>  userdom_dontaudit_search_user_home_dirs(hadoop_t)
>> +userdom_list_user_home_content(hadoop_t)
>> +userdom_manage_user_home_content_files(hadoop_t)
>>  userdom_use_user_terminals(hadoop_t)
>>  
>>  java_exec(hadoop_t)
>> @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
>>  corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>>  
>>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
>> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
>>  filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>>  
>> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
>> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
>> +
>>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>>  
>>  fs_getattr_xattr_fs(hadoop_tasktracker_t)
>> @@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
>>  dev_read_rand(zookeeper_t)
>>  dev_read_sysfs(zookeeper_t)
>>  dev_read_urand(zookeeper_t)
>> +domain_use_interactive_fds(zookeeper_t)
>>  
>>  files_read_etc_files(zookeeper_t)
>>  files_read_usr_files(zookeeper_t)
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.16 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAk0DPfYACgkQMlxVo39jgT/FRQCaAnmATWIf2/KsG5GZylufw5La
> 8KQAn3/XDpXh/FN61oWR3WAmTW7wzIsH
> =qPch
> -----END PGP SIGNATURE-----
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


* [refpolicy] [PATCH 1/2] hadoop: update to CDH3
  2010-12-13 15:39   ` Paul Nuzzi
@ 2010-12-15 20:17     ` Christopher J. PeBenito
  2010-12-16 17:33       ` Paul Nuzzi
From: Christopher J. PeBenito @ 2010-12-15 20:17 UTC (permalink / raw)
  To: refpolicy

On 12/13/10 10:39, Paul Nuzzi wrote:
> On 12/11/2010 04:01 AM, Dominick Grift wrote:
> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>>> Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
>>>> Fixed a bug where policy was preventing exporting files from the
>>>> distributed file system to the user's home directory. 
>>>>
>>>> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
>>>>
>>>> ---
>>>>
>>>>  policy/modules/roles/unprivuser.te |    4 ++++
>>>>  policy/modules/services/hadoop.fc  |   14 +++++++++-----
>>>>  policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
>>>>  policy/modules/services/hadoop.te  |   14 ++++++++++++++
>>>>  4 files changed, 51 insertions(+), 8 deletions(-)

>>>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>>>> index 9e9bfe7..d1ff90d 100644
>>>> --- a/policy/modules/services/hadoop.if

>>>> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>>>>  	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>>>>  	files_search_var_lib(hadoop_$1_t)
>>>>  
>>>> -	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
>>>> -	files_search_pids(hadoop_$1_t)
>>>> +	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
>>>> +        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
>>>> +        files_search_pids(hadoop_$1_t)
>>>>  
>>>>  	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>>>>  	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
>>>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>>>>  
>>>>  	files_read_etc_files(hadoop_$1_t)
>>>>  
>>>> +	init_read_utmp(hadoop_$1_t)
>>>> +	init_use_fds(hadoop_$1_t)
>>>> +	init_use_script_fds(hadoop_$1_t)
>>>> +	init_use_script_ptys(hadoop_$1_t)
>>>> +
>>>> +	kerberos_use(hadoop_$1_t)
> 
> Does hadoop depend on kerberos? If no then kerberos_use should probably
> be optional.
> 
> 
>> The new version of hadoop added Kerberos for authentication.

So, to be explicit, it's an unconditional requirement?

>>>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
>>>> index 35a8131..b103f89 100644
>>>> --- a/policy/modules/services/hadoop.te
>>>> +++ b/policy/modules/services/hadoop.te
>>>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
>>>>  dev_read_rand(hadoop_t)
>>>>  dev_read_sysfs(hadoop_t)
>>>>  dev_read_urand(hadoop_t)
>>>> +domain_use_interactive_fds(hadoop_t)
>>>>  
>>>>  files_dontaudit_search_spool(hadoop_t)
>>>> +files_read_etc_files(hadoop_t)
>>>>  files_read_usr_files(hadoop_t)
>>>> +files_search_var_lib(hadoop_t)
>>>>  
>>>>  fs_getattr_xattr_fs(hadoop_t)
>>>>  
>>>> +kerberos_use(hadoop_t)
>>>> +
>>>>  miscfiles_read_localization(hadoop_t)
>>>>  
>>>> +sysnet_read_config(hadoop_t)
>>>> +
>>>>  userdom_dontaudit_search_user_home_dirs(hadoop_t)
>>>> +userdom_list_user_home_content(hadoop_t)
>>>> +userdom_manage_user_home_content_files(hadoop_t)

It seems like there should be a hadoop_home_t that is
userdom_user_home_content()


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 1/2] hadoop: update to CDH3
From: Paul Nuzzi @ 2010-12-16 17:33 UTC (permalink / raw)
  To: refpolicy

On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote:
> On 12/13/10 10:39, Paul Nuzzi wrote:
>> On 12/11/2010 04:01 AM, Dominick Grift wrote:
>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>
>> Does hadoop depend on kerberos? If no then kerberos_use should probably
>> be optional.
>>
>>
>>> The new version of hadoop added Kerberos for authentication.
> 
> So, to be explicit, its an unconditional requirement?

Yes.  I think all future versions of hadoop will be kerberos enabled.
 
> It seems like there should be a hadoop_home_t that is
> userdom_user_home_content()

Updated.


Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>

---
 policy/modules/roles/unprivuser.te |    4 ++++
 policy/modules/services/hadoop.fc  |   14 +++++++++-----
 policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
 policy/modules/services/hadoop.te  |   24 +++++++++++++++++++++++-
 4 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 606a257..7a48dad 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+        	hadoop_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		irc_role(user_r, user_t)
 	')
 
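Review bot: The added `hadoop_role(user_r, user_t)` line is indented with eight spaces followed by a tab while the surrounding `optional_policy` block uses tabs only. The same mixed indentation appears on the two added lines `filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)` and `files_search_pids(hadoop_$1_t)` in the hadoop.if hunk `@@ -69,8 +72,9 @@`; all three should be re-indented with tabs to match their neighbours. The enclosing `ifndef(`distro_redhat'` block starts outside the hunk, and the body of `hadoop_role` is not on this page, so what the unprivileged user role actually gains cannot be judged from here.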
diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
index 3035be2..00a877d 100644
--- a/policy/modules/services/hadoop.fc
+++ b/policy/modules/services/hadoop.fc
@@ -1,10 +1,10 @@
 /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
 
-/etc/init\.d/hadoop-datanode				--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-jobtracker				--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
-/etc/init\.d/hadoop-namenode				--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-secondarynamenode			--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-tasktracker				--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
 /etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
 
 /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
@@ -24,10 +24,14 @@
 
 /var/lib/hadoop.*						gen_context(system_u:object_r:hadoop_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?			gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
 /var/lib/zookeeper(/.*)?					gen_context(system_u:object_r:zookeeper_server_var_t,s0)
 
 /var/lock/subsys/hadoop-datanode			--	gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
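Review bot: The new `cache/hdfs/...` and `cache/mapred/...` entries cover the datanode, secondarynamenode, jobtracker and tasktracker directories, but no `hdfs` counterpart is added for the namenode entry `/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?`. If the new layout moves the namenode metadata alongside the other hdfs directories (presumably `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)?`), that tree would fall back to the generic `hadoop_var_lib_t` label and the namenode's private type would never be applied. Either add the matching line or note in the commit message why the namenode path did not move.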
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 9e9bfe7..d07e172 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
 	# Shared hadoop_$1 policy.
 	#
 
-	allow hadoop_$1_t self:process execmem;
+	allow hadoop_$1_t self:capability { chown kill setgid setuid };
+	allow hadoop_$1_t self:key search;
+	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
 	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
 	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
 	allow hadoop_$1_t self:udp_socket create_socket_perms;
 	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
 
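Review bot: `allow hadoop_$1_t self:capability { chown kill setgid setuid };` sits in the shared `hadoop_domain_template`, so every daemon instantiated from it (namenode, datanode, jobtracker, tasktracker, secondarynamenode) receives the ability to change ownership and switch uid/gid, together with the `su_exec(hadoop_$1_t)` and `auth_domtrans_chkpwd(hadoop_$1_t)` added in the `@@ -102,14 +106,29 @@` hunk of this file. If only one daemon actually runs work on behalf of other users (presumably the tasktracker), those rules belong in that domain's section of hadoop.te rather than in the template, so the remaining daemons keep a minimal capability set. A short comment on the template rule stating which daemon needs each capability would make the scope reviewable later: `# setuid/setgid/chown: needed by <DAEMON> to run tasks as the submitting user`.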
@@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
 	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
 	files_search_var_lib(hadoop_$1_t)
 
-	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
-	files_search_pids(hadoop_$1_t)
+	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+        files_search_pids(hadoop_$1_t)
 
 	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
 	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
@@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
 
 	files_read_etc_files(hadoop_$1_t)
 
+	init_read_utmp(hadoop_$1_t)
+	init_use_fds(hadoop_$1_t)
+	init_use_script_fds(hadoop_$1_t)
+	init_use_script_ptys(hadoop_$1_t)
+
+	kerberos_use(hadoop_$1_t)
+	kernel_read_kernel_sysctls(hadoop_$1_t)
+	kernel_read_sysctl(hadoop_$1_t)
+
+	logging_send_audit_msgs(hadoop_$1_t)
+	logging_send_syslog_msg(hadoop_$1_t)
+
 	miscfiles_read_localization(hadoop_$1_t)
 
+	su_exec(hadoop_$1_t)
 	sysnet_read_config(hadoop_$1_t)
 
 	hadoop_exec_config(hadoop_$1_t)
 
 	java_exec(hadoop_$1_t)
 
+	auth_domtrans_chkpwd(hadoop_$1_t)
+
 	optional_policy(`
 		nscd_socket_use(hadoop_$1_t)
 	')
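Review bot: The new interface calls do not follow the refpolicy ordering convention of kernel-layer interfaces first, alphabetical by module, then system-layer interfaces, then other modules and `optional_policy` blocks: `kernel_read_kernel_sysctls` and `kernel_read_sysctl` are placed after `init_*` and `kerberos_use`, and `auth_domtrans_chkpwd(hadoop_$1_t)` lands after `java_exec(hadoop_$1_t)` at the very end of the unconditional rules. Moving the two `kernel_read_*` lines above `files_read_etc_files(hadoop_$1_t)` and `auth_domtrans_chkpwd` up with the other system-layer calls (before `init_read_utmp`) keeps the template consistent with the rest of the file. The template continues past the end of this hunk.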
@@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
 	consoletype_exec(hadoop_$1_initrc_t)
 
 	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
 
 	term_use_generic_ptys(hadoop_$1_initrc_t)
 
 	hadoop_exec_config(hadoop_$1_initrc_t)
 
 	init_rw_utmp(hadoop_$1_initrc_t)
+	init_use_fds(hadoop_$1_initrc_t)
 	init_use_script_ptys(hadoop_$1_initrc_t)
 
 	logging_send_syslog_msg(hadoop_$1_initrc_t)
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 35a8131..ddf9ef7 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -15,6 +15,11 @@ ubac_constrained(hadoop_t)
 type hadoop_etc_t;
 files_config_file(hadoop_etc_t)
 
+type hadoop_home_t;
+typealias hadoop_home_t alias { user_hadoop_home_t staff_hadoop_home_t sysadm_hadoop_home_t };
+typealias hadoop_home_t alias { auditadm_hadoop_home_t secadm_hadoop_home_t };
+userdom_user_home_content(hadoop_home_t)
+
 type hadoop_log_t;
 logging_log_file(hadoop_log_t)
 
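Review bot: The two `typealias hadoop_home_t alias { ... }` lines introduce per-role names (`user_hadoop_home_t`, `staff_hadoop_home_t`, `sysadm_hadoop_home_t`, `auditadm_hadoop_home_t`, `secadm_hadoop_home_t`) for a type that is created by this very patch. Aliases of that shape exist in refpolicy to keep older policies that referenced role-derived home types loading; a brand-new type has no such history, so unless some out-of-tree policy already uses these names the aliases add nothing and can be dropped, leaving `type hadoop_home_t;` followed directly by `userdom_user_home_content(hadoop_home_t)`.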
@@ -133,15 +138,27 @@ corenet_tcp_connect_generic_port(hadoop_t)
 dev_read_rand(hadoop_t)
 dev_read_sysfs(hadoop_t)
 dev_read_urand(hadoop_t)
+domain_use_interactive_fds(hadoop_t)
 
 files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
 files_read_usr_files(hadoop_t)
+files_search_var_lib(hadoop_t)
 
 fs_getattr_xattr_fs(hadoop_t)
 
+kerberos_use(hadoop_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+userdom_search_user_home_dirs(hadoop_t)
+userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
+
 miscfiles_read_localization(hadoop_t)
 
-userdom_dontaudit_search_user_home_dirs(hadoop_t)
+sysnet_read_config(hadoop_t)
+
 userdom_use_user_terminals(hadoop_t)
 
 java_exec(hadoop_t)
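Review bot: `userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })` omits `lnk_file`, yet `manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)` three lines above grants symlink management only on `hadoop_home_t`. A symlink that `hadoop_t` creates in the user's home directory would therefore inherit the parent directory's label instead of `hadoop_home_t`, and the lnk_file rule would not apply to it. If symlink creation in the home directory is expected, the transition should be `userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir lnk_file })`; otherwise the `manage_lnk_files_pattern` line can go.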
@@ -215,8 +232,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
 corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
 
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
 filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
 
+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
 
 fs_getattr_xattr_fs(hadoop_tasktracker_t)
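Review bot: `setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)` lets the tasktracker change the attributes (mode, ownership, timestamps) of the shared `hadoop_log_t` log directory used by all hadoop daemons, not just its own subtree. If the denial that motivated it came from the tasktracker adjusting its own log directory, `manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t)` at the top of this hunk already covers that after the `filetrans_pattern` labels the subdirectory. A one-line comment naming the operation that needs setattr on the parent directory (or, if none does, dropping the rule) would keep the tasktracker from being able to alter the other daemons' log directory.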
@@ -275,6 +296,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
 dev_read_rand(zookeeper_t)
 dev_read_sysfs(zookeeper_t)
 dev_read_urand(zookeeper_t)
+domain_use_interactive_fds(zookeeper_t)
 
 files_read_etc_files(zookeeper_t)
 files_read_usr_files(zookeeper_t)


* [refpolicy] [PATCH 1/2] hadoop: update to CDH3
From: Christopher J. PeBenito @ 2011-01-05 15:23 UTC (permalink / raw)
  To: refpolicy

On 12/16/10 12:33, Paul Nuzzi wrote:
> On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote:
>> On 12/13/10 10:39, Paul Nuzzi wrote:
>>> On 12/11/2010 04:01 AM, Dominick Grift wrote:
>>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>>
>>> Does hadoop depend on kerberos? If no then kerberos_use should probably
>>> be optional.
>>>
>>>
>>>> The new version of hadoop added Kerberos for authentication.
>>
>> So, to be explicit, its an unconditional requirement?
> 
> Yes.  I think all future versions of hadoop will be kerberos enabled.
>  
>> It seems like there should be a hadoop_home_t that is
>> userdom_user_home_content()
> 
> Updated.

Merged.  I did some rule rearranging and whitespace cleanup.

> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
> 
> ---
>  policy/modules/roles/unprivuser.te |    4 ++++
>  policy/modules/services/hadoop.fc  |   14 +++++++++-----
>  policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
>  policy/modules/services/hadoop.te  |   24 +++++++++++++++++++++++-
>  4 files changed, 60 insertions(+), 9 deletions(-)
> 
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 606a257..7a48dad 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> +        	hadoop_role(user_r, user_t)
> +	')
> +
> +	optional_policy(`
>  		irc_role(user_r, user_t)
>  	')
>  
> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
> index 3035be2..00a877d 100644
> --- a/policy/modules/services/hadoop.fc
> +++ b/policy/modules/services/hadoop.fc
> @@ -1,10 +1,10 @@
>  /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
>  
> -/etc/init\.d/hadoop-datanode				--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-jobtracker				--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-namenode				--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-secondarynamenode			--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-tasktracker				--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>  /etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>  
>  /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> @@ -24,10 +24,14 @@
>  
>  /var/lib/hadoop.*						gen_context(system_u:object_r:hadoop_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?			gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>  /var/lib/zookeeper(/.*)?					gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>  
>  /var/lock/subsys/hadoop-datanode			--	gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index 9e9bfe7..d07e172 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
>  	# Shared hadoop_$1 policy.
>  	#
>  
> -	allow hadoop_$1_t self:process execmem;
> +	allow hadoop_$1_t self:capability { chown kill setgid setuid };
> +	allow hadoop_$1_t self:key search;
> +	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
>  	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
>  	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
> +	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
>  	allow hadoop_$1_t self:udp_socket create_socket_perms;
>  	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>  
> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>  	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>  	files_search_var_lib(hadoop_$1_t)
>  
> -	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
> -	files_search_pids(hadoop_$1_t)
> +	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
> +        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
> +        files_search_pids(hadoop_$1_t)
>  
>  	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>  	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>  
>  	files_read_etc_files(hadoop_$1_t)
>  
> +	init_read_utmp(hadoop_$1_t)
> +	init_use_fds(hadoop_$1_t)
> +	init_use_script_fds(hadoop_$1_t)
> +	init_use_script_ptys(hadoop_$1_t)
> +
> +	kerberos_use(hadoop_$1_t)
> +	kernel_read_kernel_sysctls(hadoop_$1_t)
> +	kernel_read_sysctl(hadoop_$1_t)
> +
> +	logging_send_audit_msgs(hadoop_$1_t)
> +	logging_send_syslog_msg(hadoop_$1_t)
> +
>  	miscfiles_read_localization(hadoop_$1_t)
>  
> +	su_exec(hadoop_$1_t)
>  	sysnet_read_config(hadoop_$1_t)
>  
>  	hadoop_exec_config(hadoop_$1_t)
>  
>  	java_exec(hadoop_$1_t)
>  
> +	auth_domtrans_chkpwd(hadoop_$1_t)
> +
>  	optional_policy(`
>  		nscd_socket_use(hadoop_$1_t)
>  	')
> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
>  	consoletype_exec(hadoop_$1_initrc_t)
>  
>  	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
> +	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
>  
>  	term_use_generic_ptys(hadoop_$1_initrc_t)
>  
>  	hadoop_exec_config(hadoop_$1_initrc_t)
>  
>  	init_rw_utmp(hadoop_$1_initrc_t)
> +	init_use_fds(hadoop_$1_initrc_t)
>  	init_use_script_ptys(hadoop_$1_initrc_t)
>  
>  	logging_send_syslog_msg(hadoop_$1_initrc_t)
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 35a8131..ddf9ef7 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -15,6 +15,11 @@ ubac_constrained(hadoop_t)
>  type hadoop_etc_t;
>  files_config_file(hadoop_etc_t)
>  
> +type hadoop_home_t;
> +typealias hadoop_home_t alias { user_hadoop_home_t staff_hadoop_home_t sysadm_hadoop_home_t };
> +typealias hadoop_home_t alias { auditadm_hadoop_home_t secadm_hadoop_home_t };
> +userdom_user_home_content(hadoop_home_t)
> +
>  type hadoop_log_t;
>  logging_log_file(hadoop_log_t)
>  
> @@ -133,15 +138,27 @@ corenet_tcp_connect_generic_port(hadoop_t)
>  dev_read_rand(hadoop_t)
>  dev_read_sysfs(hadoop_t)
>  dev_read_urand(hadoop_t)
> +domain_use_interactive_fds(hadoop_t)
>  
>  files_dontaudit_search_spool(hadoop_t)
> +files_read_etc_files(hadoop_t)
>  files_read_usr_files(hadoop_t)
> +files_search_var_lib(hadoop_t)
>  
>  fs_getattr_xattr_fs(hadoop_t)
>  
> +kerberos_use(hadoop_t)
> +
> +manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +userdom_search_user_home_dirs(hadoop_t)
> +userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
> +
>  miscfiles_read_localization(hadoop_t)
>  
> -userdom_dontaudit_search_user_home_dirs(hadoop_t)
> +sysnet_read_config(hadoop_t)
> +
>  userdom_use_user_terminals(hadoop_t)
>  
>  java_exec(hadoop_t)
> @@ -215,8 +232,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
>  corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>  
>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
>  filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>  
> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
> +
>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>  
>  fs_getattr_xattr_fs(hadoop_tasktracker_t)
> @@ -275,6 +296,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
>  dev_read_rand(zookeeper_t)
>  dev_read_sysfs(zookeeper_t)
>  dev_read_urand(zookeeper_t)
> +domain_use_interactive_fds(zookeeper_t)
>  
>  files_read_etc_files(zookeeper_t)
>  files_read_usr_files(zookeeper_t)


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

