LinuxLists.cc - [refpolicy] [PATCH] hadoop 1/10 -- unconfined

2010-09-20 14:34:28

Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined

I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.

Signed-off-by: Paul Nuzzi <[email protected]>

---
policy/modules/system/unconfined.if | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 416e668..3364eb3 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -279,6 +279,31 @@ interface(`unconfined_domtrans_to',`

########################################
## <summary>
+## Allow a program to enter the specified domain through the
+## unconfined role.
+## </summary>
+## <desc>
+## 
+## Allow unconfined role to execute the specified program in
+## the specified domain.
+## 
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain to execute in.
+## </summary>
+## </param>
+#
+interface(`unconfined_roletrans',`
+ gen_require(`
+ role unconfined_r;
+ ')
+
+ role unconfined_r types $1;
+')
+
+########################################
+## <summary>
## Allow unconfined to execute the specified program in
## the specified domain. Allow the specified domain the
## unconfined role and use of unconfined user terminals.

2010-09-20 17:03:25

by domg472

[permalink] [raw]

Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined

On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
> I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.

Why did the init script domain not work for you?

I am interested in helping to make this policy upstreamable but i am not sure about how to deal with this init scenario and i would like to hear from others what the best way is to go forward with this.

>
> Signed-off-by: Paul Nuzzi <[email protected]>
>
> ---
> policy/modules/system/unconfined.if | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index 416e668..3364eb3 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -279,6 +279,31 @@ interface(`unconfined_domtrans_to',`
>
> ########################################
> ## <summary>
> +## Allow a program to enter the specified domain through the
> +## unconfined role.
> +## </summary>
> +## <desc>
> +## 
> +## Allow unconfined role to execute the specified program in
> +## the specified domain.
> +## 
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain to execute in.
> +## </summary>
> +## </param>
> +#
> +interface(`unconfined_roletrans',`
> + gen_require(`
> + role unconfined_r;
> + ')
> +
> + role unconfined_r types $1;
> +')
> +
> +########################################
> +## <summary>
> ## Allow unconfined to execute the specified program in
> ## the specified domain. Allow the specified domain the
> ## unconfined role and use of unconfined user terminals.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100920/42b8d5ff/attachment.bin

2010-09-20 18:02:12

by Paul Nuzzi

[permalink] [raw]

Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined

On 09/20/2010 01:03 PM, Dominick Grift wrote:
> On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
>> I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.
>
> Why did the init script domain not work for you?
>
> I am interested in helping to make this policy upstreamable but i am not sure about how to deal with this init scenario and i would like to hear from others what the best way is to go forward with this.
>

I wasn't able to transfer into the pseudo initrc domain with init_script_domain. Using
init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) executed the startup script in unconfined_u:system_r:initrc_t instead of :hadoop_datanode_initrc_t. Using init_daemon_domain (which I know works) and init_script_domain together gives a semodule insert error conflicting te rule for (init_t, hadoop_datanode_initrc_exec_t:process): old was initrc_t, new is hadoop_datanode_initrc_t. Maybe this is because it contains domtrans_pattern(init_run_all_scripts_domain, $2, $1) instead of domtrans_pattern(initrc_t,$2,$1) that init_daemon_domain has.

Searching through refpolicy I don't see any references to init_script_domain. Lets see what everyone else thinks.

2010-09-20 19:01:24

by domg472

[permalink] [raw]

Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined

On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
> I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.
>
> Signed-off-by: Paul Nuzzi <[email protected]>

I do not think it is a good idea to run these services with the unconfined_r (or sysadm_r) roles instead try:

init_script_role_transition()

>
> ---
> policy/modules/system/unconfined.if | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index 416e668..3364eb3 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -279,6 +279,31 @@ interface(`unconfined_domtrans_to',`
>
> ########################################
> ## <summary>
> +## Allow a program to enter the specified domain through the
> +## unconfined role.
> +## </summary>
> +## <desc>
> +## 
> +## Allow unconfined role to execute the specified program in
> +## the specified domain.
> +## 
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain to execute in.
> +## </summary>
> +## </param>
> +#
> +interface(`unconfined_roletrans',`
> + gen_require(`
> + role unconfined_r;
y> + ')
> +
> + role unconfined_r types $1;
> +')
> +
> +########################################
> +## <summary>
> ## Allow unconfined to execute the specified program in
> ## the specified domain. Allow the specified domain the
> ## unconfined role and use of unconfined user terminals.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100920/2afb0e85/attachment.bin

2010-09-20 19:33:23

by domg472

[permalink] [raw]

Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined

On Mon, Sep 20, 2010 at 02:02:12PM -0400, Paul Nuzzi wrote:
> On 09/20/2010 01:03 PM, Dominick Grift wrote:
> > On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
> >> I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.
> >
> > Why did the init script domain not work for you?
> >
> > I am interested in helping to make this policy upstreamable but i am not sure about how to deal with this init scenario and i would like to hear from others what the best way is to go forward with this.
> >
>
> I wasn't able to transfer into the pseudo initrc domain with init_script_domain. Using
> init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) executed the startup script in unconfined_u:system_r:initrc_t instead of :hadoop_datanode_initrc_t. Using init_daemon_domain (which I know works) and init_script_domain together gives a semodule insert error conflicting te rule for (init_t, hadoop_datanode_initrc_exec_t:process): old was initrc_t, new is hadoop_datanode_initrc_t. Maybe this is because it contains domtrans_pattern(init_run_all_scripts_domain, $2, $1) instead of domtrans_pattern(initrc_t,$2,$1) that init_daemon_domain has.

I just test it and it works provided that you use run_init to start the daemon.

I suspect Fedora broken the functionality to make it work by default:

These seem to be the culprits:

init_exec_script_files(sysadm_t)
init_domtrans_script(unconfined_t)

Here is how to reproduce how i got it to work:

policy_module(test, 1.0.0)

type test_t;
type test_exec_t;
init_script_domain(test_t, test_exec_t)
role system_r types test_t;

chcon -t test_exec_t /etc/rc.d/init.d/httpd

sudo -r sysadm_r -t sysadm_t
run_init service httpd start

sudo -r unconfined_r -t unconfined_t
run_init service httpd start

>
> Searching through refpolicy I don't see any references to init_script_domain. Lets see what everyone else thinks.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100920/2e8bf76c/attachment.bin

2010-09-20 19:50:48

by domg472

[permalink] [raw]

Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined

On 09/20/2010 09:33 PM, Dominick Grift wrote:
> On Mon, Sep 20, 2010 at 02:02:12PM -0400, Paul Nuzzi wrote:
>> On 09/20/2010 01:03 PM, Dominick Grift wrote:
>>> On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
>>>> I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.
>>>
>>> Why did the init script domain not work for you?
>>>
>>> I am interested in helping to make this policy upstreamable but i am not sure about how to deal with this init scenario and i would like to hear from others what the best way is to go forward with this.
>>>
>>
>> I wasn't able to transfer into the pseudo initrc domain with init_script_domain. Using
>> init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) executed the startup script in unconfined_u:system_r:initrc_t instead of :hadoop_datanode_initrc_t. Using init_daemon_domain (which I know works) and init_script_domain together gives a semodule insert error conflicting te rule for (init_t, hadoop_datanode_initrc_exec_t:process): old was initrc_t, new is hadoop_datanode_initrc_t. Maybe this is because it contains domtrans_pattern(init_run_all_scripts_domain, $2, $1) instead of domtrans_pattern(initrc_t,$2,$1) that init_daemon_domain has.
>
> I just test it and it works provided that you use run_init to start the daemon.
>
> I suspect Fedora broken the functionality to make it work by default:
>
> These seem to be the culprits:
>
> init_exec_script_files(sysadm_t)
> init_domtrans_script(unconfined_t)
>
> Here is how to reproduce how i got it to work:
>
> policy_module(test, 1.0.0)
>
> type test_t;
> type test_exec_t;
> init_script_domain(test_t, test_exec_t)
> role system_r types test_t;
>
> chcon -t test_exec_t /etc/rc.d/init.d/httpd
>
> sudo -r sysadm_r -t sysadm_t
> run_init service httpd start
>
> sudo -r unconfined_r -t unconfined_t
> run_init service httpd start
>
>

The problem i think is that redhats policy diverged from refpolicy,
especially with regard to this functionality.

This makes it that much harder to develop policy on redhat
configurations that should get adopted in refpolicy.

The use of the init script domain() will probably work just fine in
refpolicy, and so if you want your policy upstreamed you should probably
use that.

Redhat will have to deal with it once it merges refpolicy into its
branch (or they just exclude it).

>
>>
>> Searching through refpolicy I don't see any references to init_script_domain. Lets see what everyone else thinks.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100920/e96a3a31/attachment.bin