2010-09-20 14:41:12

by Paul Nuzzi

Subject: [refpolicy] [PATCH] hadoop 8/10 -- zookeeper


Signed-off-by: Paul Nuzzi <[email protected]>

---
policy/modules/apps/zookeeper.fc | 6 +++
policy/modules/apps/zookeeper.if | 68 ++++++++++++++++++++++++++++++++++++
policy/modules/apps/zookeeper.te | 73 +++++++++++++++++++++++++++++++++++++++
3 files changed, 147 insertions(+)

diff --git a/policy/modules/apps/zookeeper.fc b/policy/modules/apps/zookeeper.fc
new file mode 100644
index 0000000..c7c0ae4
--- /dev/null
+++ b/policy/modules/apps/zookeeper.fc
@@ -0,0 +1,6 @@
+/usr/bin/zookeeper-client -- gen_context(system_u:object_r:zookeeper_exec_t, s0)
+
+/var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t, s0)
+
+/etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t, s0)
+/etc/zookeeper.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t, s0)
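Review bot: The last pattern leaves the dot in `zookeeper.dist` unescaped; file_contexts paths are regular expressions, so `.` matches any character and the entry is looser than intended and a potential ambiguity with `/etc/zookeeper(/.*)?` on the line above. Escape it as is done elsewhere in refpolicy: `/etc/zookeeper\.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t, s0)`. Note also that only the client binary and its config/log directories are labelled here; if the type is meant to cover the server's data under /var/lib as well, that needs its own type and entry, but nothing in this patch indicates that is intended.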
diff --git a/policy/modules/apps/zookeeper.if b/policy/modules/apps/zookeeper.if
new file mode 100644
index 0000000..e8df9bf
--- /dev/null
+++ b/policy/modules/apps/zookeeper.if
@@ -0,0 +1,68 @@
+## <summary> Hadoop Zookeeper </summary>
+
+########################################
+## <summary>
+## Role access for zookeeper
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`zookeeper_role',`
+ gen_require(`
+ type zookeeper_exec_t;
+ type zookeeper_t;
+ ')
+
+ role $1 types zookeeper_t;
+ allow $2 zookeeper_exec_t:file { execute };
+ domtrans_pattern($2, zookeeper_exec_t, zookeeper_t)
+')
+
+########################################
+## <summary>
+## Give permission to a domain to access zookeeper_etc_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing read permission
+## </summary>
+## </param>
+#
+interface(`zookeeper_read_etc',`
+ gen_require(`
+ type zookeeper_etc_t;
+ ')
+
+ allow $1 zookeeper_etc_t:file { getattr read_file_perms };
+ allow $1 zookeeper_etc_t:dir search_dir_perms;
+ allow $1 zookeeper_etc_t:lnk_file { read getattr };
+
+')
+
+########################################
+## <summary>
+## Give permission to a domain to write zookeeper_log_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing write permission
+## </summary>
+## </param>
+#
+interface(`zookeeper_write_log',`
+ gen_require(`
+ type zookeeper_log_t;
+ ')
+
+ allow $1 zookeeper_log_t:file { create manage_file_perms };
+ allow $1 zookeeper_log_t:dir { setattr rw_dir_perms };
+ logging_log_filetrans($1, zookeeper_log_t, { file dir })
+')
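Review bot: `zookeeper_write_log` grants more than its name and summary say: `{ create manage_file_perms }` includes unlink, rename and setattr, and `logging_log_filetrans` lets any caller create new files and directories of type zookeeper_log_t under /var/log, so a domain given "write" access can also delete or replace the logs. Either rename the interface to `zookeeper_manage_log` with a matching summary, or reduce it to `rw_file_perms` on files plus `list_dir_perms`/`search_dir_perms` on the directory; in either case `create` and `getattr` are already part of `manage_file_perms`/`read_file_perms` and can be dropped from the `allow` lines here and in `zookeeper_read_etc`. In `zookeeper_role`, the explicit `allow $2 zookeeper_exec_t:file { execute };` is redundant with `domtrans_pattern`, which already grants execute on the entry file; removing it keeps the interface to the single, conventional call.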
diff --git a/policy/modules/apps/zookeeper.te b/policy/modules/apps/zookeeper.te
new file mode 100644
index 0000000..9f0a4e5
--- /dev/null
+++ b/policy/modules/apps/zookeeper.te
@@ -0,0 +1,73 @@
+policy_module(zookeeper,1.0.0)
+
+type zookeeper_t;
+domain_type(zookeeper_t)
+
+type zookeeper_exec_t;
+files_type(zookeeper_exec_t)
+domain_entry_file(zookeeper_t, zookeeper_exec_t)
+
+optional_policy(`
+ unconfined_run_to(zookeeper_t, zookeeper_exec_t)
+')
+
+type zookeeper_etc_t;
+files_config_file(zookeeper_etc_t)
+allow zookeeper_t zookeeper_etc_t:file { getattr read_file_perms };
+allow zookeeper_t zookeeper_etc_t:dir search_dir_perms;
+allow zookeeper_t zookeeper_etc_t:lnk_file { read getattr };
+
+files_manage_generic_tmp_files(zookeeper_t)
+files_manage_generic_tmp_dirs(zookeeper_t)
+
+type zookeeper_tmp_t;
+files_tmp_file(zookeeper_tmp_t)
+allow zookeeper_t zookeeper_tmp_t:file manage_file_perms;
+files_tmp_filetrans(zookeeper_t, zookeeper_tmp_t, file)
+
+type zookeeper_log_t;
+logging_log_file(zookeeper_log_t)
+allow zookeeper_t zookeeper_log_t:file {create manage_file_perms};
+allow zookeeper_t zookeeper_log_t:dir {setattr rw_dir_perms};
+logging_log_filetrans(zookeeper_t,zookeeper_log_t,{file dir})
+
+allow zookeeper_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(zookeeper_t)
+corenet_tcp_sendrecv_all_nodes(zookeeper_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_t)
+corenet_all_recvfrom_unlabeled(zookeeper_t)
+sysnet_read_config(zookeeper_t)
+corenet_tcp_connect_generic_port(zookeeper_t)
+corenet_tcp_bind_all_nodes(zookeeper_t)
+
+allow zookeeper_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(zookeeper_t)
+corenet_udp_sendrecv_all_nodes(zookeeper_t)
+corenet_udp_sendrecv_all_ports(zookeeper_t)
+corenet_udp_bind_all_nodes(zookeeper_t)
+corenet_udp_bind_all_ports(zookeeper_t)
+
+libs_use_ld_so(zookeeper_t)
+libs_use_shared_libs(zookeeper_t)
+miscfiles_read_localization(zookeeper_t)
+dev_read_urand(zookeeper_t)
+dev_read_rand(zookeeper_t)
+corecmd_exec_bin(zookeeper_t)
+corecmd_exec_shell(zookeeper_t)
+kernel_read_system_state(zookeeper_t)
+kernel_read_network_state(zookeeper_t)
+files_read_etc_files(zookeeper_t)
+files_read_usr_files(zookeeper_t)
+dev_read_sysfs(zookeeper_t)
+java_exec(zookeeper_t)
+allow zookeeper_t self:fifo_file rw_file_perms;
+allow zookeeper_t self:process { getsched execmem sigkill signal signull };
+
+nscd_socket_use(zookeeper_t)
+term_use_all_terms(zookeeper_t)
+logging_search_logs(zookeeper_t)
+userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+allow zookeeper_t zookeeper_exec_t:file execute_no_trans;
+zookeeper_server_signull(zookeeper_t)
+corenet_tcp_connect_zookeeper_client_port(zookeeper_t)
+
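Review bot: The network rules are far broader than a client needs: `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and `corenet_udp_bind_all_ports` let zookeeper_t talk on and bind any port, and `corenet_all_recvfrom_unlabeled` accepts unlabelled traffic, while the very last line (`corenet_tcp_connect_zookeeper_client_port`) shows that a specific port type already exists for this traffic. Drop the `_all_ports` rules and keep the connect rule plus `corenet_tcp_sendrecv_zookeeper_client_port(zookeeper_t)`, adding further ports only when a denial shows they are needed; the UDP bind on all ports in particular has no justification visible in the patch. Similarly, `files_manage_generic_tmp_files`/`files_manage_generic_tmp_dirs` are unnecessary once `files_tmp_filetrans` gives the domain its own zookeeper_tmp_t, and they allow the client to read and modify other domains' files in /tmp; replacing them with `files_search_tmp(zookeeper_t)` and adding `dir` to the `files_tmp_filetrans` classes would confine it to its private type. `term_use_all_terms` and `unconfined_run_to` also deserve a one-line comment explaining why an interactive client needs them, since nothing else in the module indicates it.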