2010-09-20 14:42:18

by Paul Nuzzi

Subject: [refpolicy] [PATCH] hadoop 9/10 -- zookeeper_server


Signed-off-by: Paul Nuzzi <[email protected]>

---
policy/modules/kernel/corenetwork.te.in | 3 +
policy/modules/services/hadoop_zookeeper.fc | 5 +
policy/modules/services/hadoop_zookeeper.if | 47 +++++++++++++++
policy/modules/services/hadoop_zookeeper.te | 83 ++++++++++++++++++++++++++++
4 files changed, 138 insertions(+)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 549763c..da504dd 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -213,6 +213,9 @@ network_port(xen, tcp,8002,s0)
network_port(xfs, tcp,7100,s0)
network_port(xserver, tcp,6000-6020,s0)
network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
+network_port(zookeeper_client, tcp, 2181,s0)
+network_port(zookeeper_election, tcp, 3888,s0)
+network_port(zookeeper_leader, tcp, 2888,s0)
network_port(zope, tcp,8021,s0)

# Defaults for reserved ports. Earlier portcon entries take precedence;
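Review bot: The three added `network_port` lines are written `tcp, 2181,s0` with a space after the first comma, while every neighbouring entry in this table (`xfs`, `xserver`, `zebra`, `zope`) is written without one; for consistency with the file, use `network_port(zookeeper_client, tcp,2181,s0)` and the same form for the `zookeeper_election` and `zookeeper_leader` lines. The generated `corenet_tcp_bind_zookeeper_*_port` interfaces are what the `.te` in this patch consumes, so the names themselves look right.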
diff --git a/policy/modules/services/hadoop_zookeeper.fc b/policy/modules/services/hadoop_zookeeper.fc
new file mode 100644
index 0000000..c3677bf
--- /dev/null
+++ b/policy/modules/services/hadoop_zookeeper.fc
@@ -0,0 +1,5 @@
+/usr/bin/zookeeper-server -- gen_context(system_u:object_r:zookeeper_server_exec_t, s0)
+
+/etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t, s0)
+
+/var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_data_t, s0)
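Review bot: Only the daemon binary, its init script and `/var/zookeeper` receive private labels here, while the `.te` in the same patch also calls `zookeeper_write_log` and `zookeeper_read_etc`; the log and configuration paths those interfaces cover are presumably labelled by a sibling hadoop module, and if they are not they stay at their generic defaults, so the pairing is worth confirming before merge. Note also that `files_var_filetrans(zookeeper_server_t, zookeeper_server_data_t, dir)` in the `.te` labels any directory the daemon creates directly under `/var` as `zookeeper_server_data_t`, not just `/var/zookeeper`, so this entry and that transition are not as tightly matched as they look.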
diff --git a/policy/modules/services/hadoop_zookeeper.if b/policy/modules/services/hadoop_zookeeper.if
new file mode 100644
index 0000000..46d18e5
--- /dev/null
+++ b/policy/modules/services/hadoop_zookeeper.if
@@ -0,0 +1,47 @@
+## <summary>Hadoop Zookeeper Server</summary>
+
+########################################
+## <summary>
+## Give permission to a domain to signull zookeeper_server_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing permission
+## </summary>
+## </param>
+#
+interface(`zookeeper_server_signull', `
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:process signull;
+')
+
+########################################
+## <summary>
+## Role access for zookeeper server
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+## <param name="domain">
+## <summary>
+## User domain for the role
+## </summary>
+## </param>
+#
+interface(`zookeeper_server_role',`
+ gen_require(`
+ type zookeeper_server_initrc_exec_t;
+ type zookeeper_server_exec_t;
+ type zookeeper_server_t;
+ ')
+
+ role $1 types zookeeper_server_t;
+ allow $2 zookeeper_server_initrc_exec_t:file { execute execute_no_trans };
+ allow $2 zookeeper_server_exec_t:file { execute execute_no_trans };
+ domtrans_pattern($2, zookeeper_server_exec_t, zookeeper_server_t)
+')
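Review bot: In `zookeeper_server_role`, `allow $2 zookeeper_server_exec_t:file { execute execute_no_trans };` lets the user domain run the server binary inside its own domain, so the `domtrans_pattern` on the next line becomes optional rather than enforced and the daemon can end up running outside `zookeeper_server_t`. Unless there is a known need to run the binary without a transition, drop that line and keep only `domtrans_pattern($2, zookeeper_server_exec_t, zookeeper_server_t)`, which already grants the execute permission it needs.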
diff --git a/policy/modules/services/hadoop_zookeeper.te b/policy/modules/services/hadoop_zookeeper.te
new file mode 100644
index 0000000..56041ff
--- /dev/null
+++ b/policy/modules/services/hadoop_zookeeper.te
@@ -0,0 +1,83 @@
+policy_module(zookeeper_server,1.0.0)
+
+type zookeeper_server_t;
+domain_type(zookeeper_server_t)
+
+type zookeeper_server_exec_t;
+files_type(zookeeper_server_exec_t)
+domain_entry_file(zookeeper_server_t, zookeeper_server_exec_t)
+
+optional_policy(`
+ unconfined_run_to(zookeeper_server_t, zookeeper_server_exec_t)
+')
+
+type zookeeper_server_initrc_exec_t;
+files_type(zookeeper_server_initrc_exec_t)
+allow zookeeper_server_t zookeeper_server_exec_t:file execute_no_trans;
+
+type zookeeper_server_pid_t;
+files_pid_file(zookeeper_server_pid_t)
+allow zookeeper_server_t zookeeper_server_pid_t:file manage_file_perms;
+allow zookeeper_server_t zookeeper_server_pid_t:dir rw_dir_perms;
+files_pid_filetrans(zookeeper_server_t,zookeeper_server_pid_t,file)
+
+files_manage_generic_tmp_files(zookeeper_server_t)
+files_manage_generic_tmp_dirs(zookeeper_server_t)
+
+type zookeeper_server_tmp_t;
+files_tmp_file(zookeeper_server_tmp_t)
+allow zookeeper_server_t zookeeper_server_tmp_t:file manage_file_perms;
+files_tmp_filetrans(zookeeper_server_t, zookeeper_server_tmp_t, file)
+
+type zookeeper_server_data_t;
+files_type(zookeeper_server_data_t)
+allow zookeeper_server_t zookeeper_server_data_t:file manage_file_perms;
+allow zookeeper_server_t zookeeper_server_data_t:dir manage_dir_perms;
+files_var_filetrans(zookeeper_server_t, zookeeper_server_data_t, dir)
+
+allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
+corenet_tcp_sendrecv_all_nodes(zookeeper_server_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_server_t)
+corenet_all_recvfrom_unlabeled(zookeeper_server_t)
+sysnet_read_config(zookeeper_server_t)
+corenet_tcp_connect_generic_port(zookeeper_server_t)
+corenet_tcp_bind_all_nodes(zookeeper_server_t)
+
+allow zookeeper_server_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(zookeeper_server_t)
+corenet_udp_sendrecv_all_nodes(zookeeper_server_t)
+corenet_udp_sendrecv_all_ports(zookeeper_server_t)
+corenet_udp_bind_all_nodes(zookeeper_server_t)
+corenet_udp_bind_all_ports(zookeeper_server_t)
+
+libs_use_ld_so(zookeeper_server_t)
+libs_use_shared_libs(zookeeper_server_t)
+miscfiles_read_localization(zookeeper_server_t)
+dev_read_urand(zookeeper_server_t)
+dev_read_rand(zookeeper_server_t)
+corecmd_exec_bin(zookeeper_server_t)
+corecmd_exec_shell(zookeeper_server_t)
+kernel_read_system_state(zookeeper_server_t)
+kernel_read_network_state(zookeeper_server_t)
+files_read_etc_files(zookeeper_server_t)
+files_read_usr_files(zookeeper_server_t)
+dev_read_sysfs(zookeeper_server_t)
+java_exec(zookeeper_server_t)
+allow zookeeper_server_t self:fifo_file rw_file_perms;
+allow zookeeper_server_t self:process { getsched execmem sigkill signal signull };
+zookeeper_write_log(zookeeper_server_t)
+zookeeper_read_etc(zookeeper_server_t)
+
+logging_send_syslog_msg(zookeeper_server_t)
+init_daemon_domain(zookeeper_server_t, zookeeper_server_exec_t)
+files_read_usr_files(zookeeper_server_t)
+fs_getattr_xattr_fs(zookeeper_server_t)
+allow zookeeper_server_t self:netlink_route_socket { rw_netlink_socket_perms };
+corenet_tcp_bind_zookeeper_client_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_leader_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_leader_port(zookeeper_server_t)
+allow zookeeper_server_t self:capability kill;
+
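Review bot: `corenet_udp_bind_all_ports(zookeeper_server_t)` together with `corenet_udp_bind_all_nodes` lets the domain open a UDP listener on any port, which is far broader than the three TCP ports this same patch declares and binds explicitly near the end of the file; either declare the UDP port the daemon actually needs in corenetwork.te.in and bind only that, or drop the line. `files_read_usr_files(zookeeper_server_t)` appears twice, once in the middle of the file and again near the end, so the second call can be removed. `zookeeper_server_initrc_exec_t` is declared with plain `files_type`, which does not mark the labelled init script as an init script entry point; the refpolicy idiom is `init_script_file(zookeeper_server_initrc_exec_t)`. The calls to `java_exec`, `zookeeper_write_log` and `zookeeper_read_etc` belong to other modules and, if those modules are optional, should sit inside `optional_policy()` blocks so this module still builds without them.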