From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec
Date: Thu, 13 Jan 2011 14:22:41 -0500 [thread overview]
Message-ID: <4D2F5101.8050404@tresys.com> (raw)
In-Reply-To: <4D25EEE3.9080608@tycho.ncsc.mil>
On 01/06/11 11:33, Paul Nuzzi wrote:
> On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote:
>> On 12/16/10 12:32, Paul Nuzzi wrote:
>>> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
>>>> On 12/10/10 18:22, Paul Nuzzi wrote:
>>>>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
>>>>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
>>>>> the architecture of Hadoop without having to modify any of the code. This adds a level of
>>>>> confidentiality, integrity, and authentication provided outside the software stack.
>>>>
>>>> A few things.
>>>>
>>>> The verb used in Reference Policy interfaces for peer recv is recvfrom
>>>> (a holdover from previous labeled networking implementations). So the
>>>> interfaces are like hadoop_recvfrom_datanode().
>>>
>>> Easy change.
>>>
>>>> It seems like setkey should be able to setcontext any type used on ipsec
>>>> associations. I think the best thing would be to add additional support
>>>> to either the ipsec or corenetwork modules (I haven't decided which one
>>>> yet) for associations. So, say we have an interface called
>>>> ipsec_spd_type() which adds the parameter type to the attribute
>>>> ipsec_spd_types. Then we can have an allow setkey_t
>>>> ipsec_spd_types:association setkey; rule and we don't have to update it
>>>> every time more labeled network is added.
>>>
>>> That seems a lot less clunky than updating setkey every time we add a new association.
>>>
>>>> This is definitely wrong since its not a file:
>>>> +files_type(hadoop_lan_t)
>>>
>>> Let me know how you would like to handle associations and I could update the
>>> patch.
>>
>> Lets go with putting the associations in corenetwork.
>>
>>> Will the files_type error be cleared up when we re-engineer this?
>>
>> I'm not sure what you mean. The incorrect rule was added in your patch.
>>
>
> Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services.
Merged. I did some interface renaming and rearranging.
> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
>
> ---
> policy/modules/kernel/corenetwork.if.in | 38 ++++++
> policy/modules/kernel/corenetwork.te.in | 1
> policy/modules/services/hadoop.if | 182 ++++++++++++++++++++++++++++++++
> policy/modules/services/hadoop.te | 45 +++++++
> policy/modules/system/ipsec.te | 2
> 5 files changed, 268 insertions(+)
>
> diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
> index b06df19..3103644 100644
> --- a/policy/modules/kernel/corenetwork.if.in
> +++ b/policy/modules/kernel/corenetwork.if.in
> @@ -3042,3 +3042,41 @@ interface(`corenet_unconfined',`
>
> typeattribute $1 corenet_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Make the specified type usable
> +## for labeled ipsec.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type to be used for labeled ipsec.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_spd_type',`
> + gen_require(`
> + attribute ipsec_spd_types;
> + ')
> +
> + typeattribute $1 ipsec_spd_types;
> +')
> +
> +########################################
> +## <summary>
> +## Make the specified type usable
> +## for labeled ipsec.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type to be used for labeled ipsec.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_spd_type_setcontext',`
> + gen_require(`
> + attribute ipsec_spd_types;
> + ')
> +
> + allow $1 ipsec_spd_types:association setcontext;
> +')
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index edefaf3..8ee5e51 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -6,6 +6,7 @@ policy_module(corenetwork, 1.15.0)
> #
>
> attribute client_packet_type;
> +attribute ipsec_spd_types;
> attribute netif_type;
> attribute node_type;
> attribute packet_type;
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index b5ab49e..3fc31f7 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -110,6 +110,8 @@ template(`hadoop_domain_template',`
>
> auth_domtrans_chkpwd(hadoop_$1_t)
>
> + hadoop_lan_polmatch(hadoop_$1_t)
> +
> init_read_utmp(hadoop_$1_t)
> init_use_fds(hadoop_$1_t)
> init_use_script_fds(hadoop_$1_t)
> @@ -350,3 +352,183 @@ interface(`hadoop_exec_config',`
> hadoop_read_config($1)
> allow $1 hadoop_etc_t:file exec_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## polmatch on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing polmatch
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_lan_polmatch',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association polmatch;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_datanode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_datanode',`
> + gen_require(`
> + type hadoop_datanode_t;
> + ')
> +
> + allow $1 hadoop_datanode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_namenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_namenode',`
> + gen_require(`
> + type hadoop_namenode_t;
> + ')
> +
> + allow $1 hadoop_namenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_jobtracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_jobtracker',`
> + gen_require(`
> + type hadoop_jobtracker_t;
> + ')
> +
> + allow $1 hadoop_jobtracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_tasktracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_tasktracker',`
> + gen_require(`
> + type hadoop_tasktracker_t;
> + ')
> +
> + allow $1 hadoop_tasktracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_secondarynamenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_secondarynamenode',`
> + gen_require(`
> + type hadoop_secondarynamenode_t;
> + ')
> +
> + allow $1 hadoop_secondarynamenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom',`
> + gen_require(`
> + type hadoop_t;
> + ')
> +
> + allow $1 hadoop_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom zookeeper_server_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_recvfrom_server',`
> + gen_require(`
> + type zookeeper_server_t;
> + ')
> +
> + allow $1 zookeeper_server_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom zookeeper_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_recvfrom',`
> + gen_require(`
> + type zookeeper_t;
> + ')
> +
> + allow $1 zookeeper_t:peer recv;
> +')
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 9a9c206..b1427eb 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -18,6 +18,9 @@ files_config_file(hadoop_etc_t)
> type hadoop_home_t;
> userdom_user_home_content(hadoop_home_t)
>
> +type hadoop_lan_t;
> +ipsec_spd_type(hadoop_lan_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
>
> @@ -88,6 +91,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>
> allow hadoop_t hadoop_domain:process signull;
>
> +hadoop_lan_polmatch(hadoop_t)
> +allow hadoop_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_t)
> +hadoop_recvfrom_jobtracker(hadoop_t)
> +hadoop_recvfrom_namenode(hadoop_t)
> +hadoop_recvfrom_tasktracker(hadoop_t)
> +
> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> can_exec(hadoop_t, hadoop_etc_t)
> @@ -184,6 +194,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>
> fs_getattr_xattr_fs(hadoop_datanode_t)
>
> +allow hadoop_datanode_t self:peer recv;
> +hadoop_recvfrom_jobtracker(hadoop_datanode_t)
> +hadoop_recvfrom_namenode(hadoop_datanode_t)
> +hadoop_recvfrom(hadoop_datanode_t)
> +hadoop_recvfrom_tasktracker(hadoop_datanode_t)
> +
> ########################################
> #
> # Hadoop jobtracker policy.
> @@ -198,6 +214,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>
> +allow hadoop_jobtracker_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_jobtracker_t)
> +hadoop_recvfrom_namenode(hadoop_jobtracker_t)
> +hadoop_recvfrom(hadoop_jobtracker_t)
> +hadoop_recvfrom_tasktracker(hadoop_jobtracker_t)
> +
> ########################################
> #
> # Hadoop namenode policy.
> @@ -209,6 +231,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>
> +allow hadoop_namenode_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_namenode_t)
> +hadoop_recvfrom_jobtracker(hadoop_namenode_t)
> +hadoop_recvfrom(hadoop_namenode_t)
> +hadoop_recvfrom_secondarynamenode(hadoop_namenode_t)
> +hadoop_recvfrom_tasktracker(hadoop_namenode_t)
> +
> ########################################
> #
> # Hadoop secondary namenode policy.
> @@ -218,6 +247,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>
> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>
> +allow hadoop_secondarynamenode_t self:peer recv;
> +hadoop_recvfrom_namenode(hadoop_secondarynamenode_t)
> +
> ########################################
> #
> # Hadoop tasktracker policy.
> @@ -240,6 +272,12 @@ corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>
> +allow hadoop_tasktracker_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_tasktracker_t)
> +hadoop_recvfrom_jobtracker(hadoop_tasktracker_t)
> +hadoop_recvfrom(hadoop_tasktracker_t)
> +hadoop_recvfrom_namenode(hadoop_tasktracker_t)
> +
> ########################################
> #
> # Hadoop zookeeper client policy.
> @@ -251,6 +289,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_t self:udp_socket create_socket_perms;
> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_t)
> +zookeeper_recvfrom_server(zookeeper_t)
> +
> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>
> @@ -325,6 +366,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_server_t self:udp_socket create_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_server_t)
> +allow zookeeper_server_t self:peer recv;
> +zookeeper_recvfrom(zookeeper_server_t)
> +
> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d82ff45..13f76a3 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -414,6 +414,7 @@ init_dontaudit_use_fds(setkey_t)
>
> # allow setkey to set the context for ipsec SAs and policy.
> ipsec_setcontext_default_spd(setkey_t)
> +ipsec_spd_type_setcontext(setkey_t)
>
> locallogin_use_fds(setkey_t)
>
> @@ -422,3 +423,4 @@ miscfiles_read_localization(setkey_t)
> seutil_read_config(setkey_t)
>
> userdom_use_user_terminals(setkey_t)
> +
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
next prev parent reply other threads:[~2011-01-13 19:22 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-10 23:22 [refpolicy] [PATCH 2/2] hadoop: labeled ipsec Paul Nuzzi
2010-12-11 8:56 ` Dominick Grift
2010-12-13 15:41 ` Paul Nuzzi
2010-12-15 20:54 ` Christopher J. PeBenito
2010-12-16 17:32 ` Paul Nuzzi
2011-01-05 13:48 ` Christopher J. PeBenito
2011-01-06 16:33 ` Paul Nuzzi
2011-01-13 19:22 ` Christopher J. PeBenito [this message]
2010-12-15 20:55 ` Christopher J. PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D2F5101.8050404@tresys.com \
--to=cpebenito@tresys.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.