2010-12-10 23:22:34

by Paul Nuzzi

Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec

Added labeled IPsec support to hadoop. SELinux will be able to enforce which services each Hadoop domain is allowed to connect to, and labeled IPsec will be able to restrict the set of peer domains each service accepts traffic from. This enforces the architecture of Hadoop without modifying any of its code, and adds a layer of confidentiality, integrity, and authentication provided outside the software stack.

Signed-off-by: Paul Nuzzi <[email protected]>

---

diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index d07e172..c1ca3a6 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -106,6 +106,8 @@ template(`hadoop_domain_template',`

files_read_etc_files(hadoop_$1_t)

+ hadoop_lan_polmatch(hadoop_$1_t)
+
init_read_utmp(hadoop_$1_t)
init_use_fds(hadoop_$1_t)
init_use_script_fds(hadoop_$1_t)
@@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
hadoop_read_config($1)
allow $1 hadoop_etc_t:file exec_file_perms;
')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## polmatch on hadoop_lan_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing polmatch
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_lan_polmatch',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association polmatch;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## setcontext on hadoop_lan_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing setcontext
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_lan_setcontext',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association setcontext;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_datanode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_datanode_recv',`
+ gen_require(`
+ type hadoop_datanode_t;
+ ')
+
+ allow $1 hadoop_datanode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_namenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_namenode_recv',`
+ gen_require(`
+ type hadoop_namenode_t;
+ ')
+
+ allow $1 hadoop_namenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_jobtracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_jobtracker_recv',`
+ gen_require(`
+ type hadoop_jobtracker_t;
+ ')
+
+ allow $1 hadoop_jobtracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_tasktracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_tasktracker_recv',`
+ gen_require(`
+ type hadoop_tasktracker_t;
+ ')
+
+ allow $1 hadoop_tasktracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_secondarynamenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_secondarynamenode_recv',`
+ gen_require(`
+ type hadoop_secondarynamenode_t;
+ ')
+
+ allow $1 hadoop_secondarynamenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recv',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ allow $1 hadoop_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv zookeeper_server_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`zookeeper_server_recv',`
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv zookeeper_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`zookeeper_recv',`
+ gen_require(`
+ type zookeeper_t;
+ ')
+
+ allow $1 zookeeper_t:peer recv;
+')
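Review bot: The two ZooKeeper interfaces at the end of the hunk, `zookeeper_server_recv` and `zookeeper_recv`, are declared in hadoop.if but lack the `hadoop_` module prefix that every other interface here carries (compare `hadoop_exec_config` in the hunk context); Reference Policy keys interface names on the owning module, so they should be renamed along the lines of `hadoop_zookeeper_server_recv` / `hadoop_zookeeper_recv`, whichever verb is finally settled on. Separately, the hunk only grants `association polmatch` and `peer recv`; no `association sendto` (outbound SA) or `association recvfrom` is granted anywhere in the patch, and whether the domain module already provides those to all domains is not visible from here — worth confirming in enforcing mode, since a missing sendto would block outbound traffic outright rather than weaken enforcement.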
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index b103f89..e4bbe97 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
type hadoop_etc_t;
files_config_file(hadoop_etc_t)

+type hadoop_lan_t;
+files_type(hadoop_lan_t)
+
type hadoop_log_t;
logging_log_file(hadoop_log_t)

@@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;

allow hadoop_t hadoop_domain:process signull;

+hadoop_lan_polmatch(hadoop_t)
+allow hadoop_t self:peer recv;
+hadoop_datanode_recv(hadoop_t)
+hadoop_jobtracker_recv(hadoop_t)
+hadoop_namenode_recv(hadoop_t)
+hadoop_tasktracker_recv(hadoop_t)
+
read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
can_exec(hadoop_t, hadoop_etc_t)
@@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)

fs_getattr_xattr_fs(hadoop_datanode_t)

+allow hadoop_datanode_t self:peer recv;
+hadoop_jobtracker_recv(hadoop_datanode_t)
+hadoop_namenode_recv(hadoop_datanode_t)
+hadoop_recv(hadoop_datanode_t)
+hadoop_tasktracker_recv(hadoop_datanode_t)
+
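Review bot: `allow hadoop_datanode_t self:peer recv;` is copied verbatim for each template domain in the hunks that follow (jobtracker, namenode, secondarynamenode, tasktracker); since hadoop_domain_template already receives the per-domain `hadoop_lan_polmatch(hadoop_$1_t)` call in this patch, the self rule belongs beside it as `allow hadoop_$1_t self:peer recv;` and the five copies can go. hadoop_t and zookeeper_server_t are not obviously template domains from what is visible, so their copies would presumably stay. The datanode policy section this hunk belongs to starts before the hunk.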
########################################
#
# Hadoop jobtracker policy.
@@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)

+allow hadoop_jobtracker_t self:peer recv;
+hadoop_datanode_recv(hadoop_jobtracker_t)
+hadoop_namenode_recv(hadoop_jobtracker_t)
+hadoop_recv(hadoop_jobtracker_t)
+hadoop_tasktracker_recv(hadoop_jobtracker_t)
+
########################################
#
# Hadoop namenode policy.
@@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)

+allow hadoop_namenode_t self:peer recv;
+hadoop_datanode_recv(hadoop_namenode_t)
+hadoop_jobtracker_recv(hadoop_namenode_t)
+hadoop_recv(hadoop_namenode_t)
+hadoop_secondarynamenode_recv(hadoop_namenode_t)
+hadoop_tasktracker_recv(hadoop_namenode_t)
+
########################################
#
# Hadoop secondary namenode policy.
@@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib

corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)

+allow hadoop_secondarynamenode_t self:peer recv;
+hadoop_namenode_recv(hadoop_secondarynamenode_t)
+
########################################
#
# Hadoop tasktracker policy.
@@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)

fs_getattr_xattr_fs(hadoop_tasktracker_t)

+allow hadoop_tasktracker_t self:peer recv;
+hadoop_datanode_recv(hadoop_tasktracker_t)
+hadoop_jobtracker_recv(hadoop_tasktracker_t)
+hadoop_recv(hadoop_tasktracker_t)
+hadoop_namenode_recv(hadoop_tasktracker_t)
+
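Review bot: The interface calls in this hunk are not in the alphabetical order the other per-domain hunks use: `hadoop_recv(hadoop_tasktracker_t)` comes before `hadoop_namenode_recv(hadoop_tasktracker_t)`, whereas the datanode, jobtracker and namenode blocks sort `hadoop_namenode_recv` ahead of `hadoop_recv`. Swap the two lines so the block reads `hadoop_jobtracker_recv(...)`, `hadoop_namenode_recv(...)`, `hadoop_recv(...)`. The tasktracker policy section starts before this hunk.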
########################################
#
# Hadoop zookeeper client policy.
@@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
allow zookeeper_t self:udp_socket create_socket_perms;
dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;

+hadoop_lan_polmatch(zookeeper_t)
+zookeeper_server_recv(zookeeper_t)
+
read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)

@@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
allow zookeeper_server_t self:udp_socket create_socket_perms;

+hadoop_lan_polmatch(zookeeper_server_t)
+allow zookeeper_server_t self:peer recv;
+zookeeper_recv(zookeeper_server_t)
+
allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d82ff45..be9e5f1 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)

files_read_etc_files(setkey_t)

+hadoop_lan_setcontext(setkey_t)
+
init_dontaudit_use_fds(setkey_t)

# allow setkey to set the context for ipsec SAs and policy.


2010-12-11 08:56:30

by domg472

Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
> the architecture of Hadoop without having to modify any of the code. This adds a level of
> confidentiality, integrity, and authentication provided outside the software stack.
>
> Signed-off-by: Paul Nuzzi <[email protected]>
>
> ---
>
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index d07e172..c1ca3a6 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -106,6 +106,8 @@ template(`hadoop_domain_template',`
>
> files_read_etc_files(hadoop_$1_t)
>
> + hadoop_lan_polmatch(hadoop_$1_t)
> +
> init_read_utmp(hadoop_$1_t)
> init_use_fds(hadoop_$1_t)
> init_use_script_fds(hadoop_$1_t)
> @@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
> hadoop_read_config($1)
> allow $1 hadoop_etc_t:file exec_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## polmatch on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing polmatch
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_lan_polmatch',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association polmatch;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## setcontext on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing setcontext
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_lan_setcontext',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association setcontext;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_datanode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_datanode_recv',`
> + gen_require(`
> + type hadoop_datanode_t;
> + ')
> +
> + allow $1 hadoop_datanode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_namenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_namenode_recv',`
> + gen_require(`
> + type hadoop_namenode_t;
> + ')
> +
> + allow $1 hadoop_namenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_jobtracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_jobtracker_recv',`
> + gen_require(`
> + type hadoop_jobtracker_t;
> + ')
> +
> + allow $1 hadoop_jobtracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_tasktracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_tasktracker_recv',`
> + gen_require(`
> + type hadoop_tasktracker_t;
> + ')
> +
> + allow $1 hadoop_tasktracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_secondarynamenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_secondarynamenode_recv',`
> + gen_require(`
> + type hadoop_secondarynamenode_t;
> + ')
> +
> + allow $1 hadoop_secondarynamenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recv',`
> + gen_require(`
> + type hadoop_t;
> + ')
> +
> + allow $1 hadoop_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv zookeeper_server_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_server_recv',`
> + gen_require(`
> + type zookeeper_server_t;
> + ')
> +
> + allow $1 zookeeper_server_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv zookeeper_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_recv',`
> + gen_require(`
> + type zookeeper_t;
> + ')
> +
> + allow $1 zookeeper_t:peer recv;
> +')
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index b103f89..e4bbe97 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
> type hadoop_etc_t;
> files_config_file(hadoop_etc_t)
>
> +type hadoop_lan_t;
> +files_type(hadoop_lan_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
>
> @@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>
> allow hadoop_t hadoop_domain:process signull;
>
> +hadoop_lan_polmatch(hadoop_t)
> +allow hadoop_t self:peer recv;
> +hadoop_datanode_recv(hadoop_t)
> +hadoop_jobtracker_recv(hadoop_t)
> +hadoop_namenode_recv(hadoop_t)
> +hadoop_tasktracker_recv(hadoop_t)
> +
> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> can_exec(hadoop_t, hadoop_etc_t)
> @@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>
> fs_getattr_xattr_fs(hadoop_datanode_t)
>
> +allow hadoop_datanode_t self:peer recv;
> +hadoop_jobtracker_recv(hadoop_datanode_t)
> +hadoop_namenode_recv(hadoop_datanode_t)
> +hadoop_recv(hadoop_datanode_t)
> +hadoop_tasktracker_recv(hadoop_datanode_t)
> +
> ########################################
> #
> # Hadoop jobtracker policy.
> @@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>
> +allow hadoop_jobtracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_jobtracker_t)
> +hadoop_namenode_recv(hadoop_jobtracker_t)
> +hadoop_recv(hadoop_jobtracker_t)
> +hadoop_tasktracker_recv(hadoop_jobtracker_t)
> +
> ########################################
> #
> # Hadoop namenode policy.
> @@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>
> +allow hadoop_namenode_t self:peer recv;
> +hadoop_datanode_recv(hadoop_namenode_t)
> +hadoop_jobtracker_recv(hadoop_namenode_t)
> +hadoop_recv(hadoop_namenode_t)
> +hadoop_secondarynamenode_recv(hadoop_namenode_t)
> +hadoop_tasktracker_recv(hadoop_namenode_t)
> +
> ########################################
> #
> # Hadoop secondary namenode policy.
> @@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>
> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>
> +allow hadoop_secondarynamenode_t self:peer recv;
> +hadoop_namenode_recv(hadoop_secondarynamenode_t)
> +
> ########################################
> #
> # Hadoop tasktracker policy.
> @@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>
> +allow hadoop_tasktracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_tasktracker_t)
> +hadoop_jobtracker_recv(hadoop_tasktracker_t)
> +hadoop_recv(hadoop_tasktracker_t)
> +hadoop_namenode_recv(hadoop_tasktracker_t)
> +
> ########################################
> #
> # Hadoop zookeeper client policy.
> @@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_t self:udp_socket create_socket_perms;
> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_t)
> +zookeeper_server_recv(zookeeper_t)
> +
> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>
> @@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_server_t self:udp_socket create_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_server_t)
> +allow zookeeper_server_t self:peer recv;
> +zookeeper_recv(zookeeper_server_t)
> +
> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d82ff45..be9e5f1 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
>
> files_read_etc_files(setkey_t)
>
> +hadoop_lan_setcontext(setkey_t)
> +

^ I think this should probably be optional, as I believe there is no need
for the ipsec module to depend on the hadoop module.

optional_policy(`
hadoop_lan_setcontext(setkey_t)
')

> init_dontaudit_use_fds(setkey_t)
>
> # allow setkey to set the context for ipsec SAs and policy.
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0DPL4ACgkQMlxVo39jgT80aACgkMpaimtdti5UU4/7g77uoc51
l30AoLilMysgmkqTmuXa4J95slNBI+LP
=Z3Xy
-----END PGP SIGNATURE-----

2010-12-13 15:41:42

by Paul Nuzzi

Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec

On 12/11/2010 03:56 AM, Dominick Grift wrote:
> ^ I think this should probably be optional as i believe there is no need
> for the ipsec module to depend in the hadoop module.
>
> optional_policy(`
> hadoop_lan_setcontext(setkey_t)
> ')
>

You are right.


Signed-off-by: Paul Nuzzi <[email protected]>

---
policy/modules/services/hadoop.if | 202 ++++++++++++++++++++++++++++++++++++++
policy/modules/services/hadoop.te | 45 ++++++++
policy/modules/system/ipsec.te | 5
3 files changed, 252 insertions(+)

diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index d07e172..c1ca3a6 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -106,6 +106,8 @@ template(`hadoop_domain_template',`

files_read_etc_files(hadoop_$1_t)

+ hadoop_lan_polmatch(hadoop_$1_t)
+
init_read_utmp(hadoop_$1_t)
init_use_fds(hadoop_$1_t)
init_use_script_fds(hadoop_$1_t)
@@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
hadoop_read_config($1)
allow $1 hadoop_etc_t:file exec_file_perms;
')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## polmatch on hadoop_lan_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing polmatch
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_lan_polmatch',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association polmatch;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## setcontext on hadoop_lan_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing setcontext
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_lan_setcontext',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association setcontext;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_datanode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_datanode_recv',`
+ gen_require(`
+ type hadoop_datanode_t;
+ ')
+
+ allow $1 hadoop_datanode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_namenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_namenode_recv',`
+ gen_require(`
+ type hadoop_namenode_t;
+ ')
+
+ allow $1 hadoop_namenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_jobtracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_jobtracker_recv',`
+ gen_require(`
+ type hadoop_jobtracker_t;
+ ')
+
+ allow $1 hadoop_jobtracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_tasktracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_tasktracker_recv',`
+ gen_require(`
+ type hadoop_tasktracker_t;
+ ')
+
+ allow $1 hadoop_tasktracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_secondarynamenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_secondarynamenode_recv',`
+ gen_require(`
+ type hadoop_secondarynamenode_t;
+ ')
+
+ allow $1 hadoop_secondarynamenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv hadoop_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recv',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ allow $1 hadoop_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv zookeeper_server_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`zookeeper_server_recv',`
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recv zookeeper_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recv
+## permission
+## </summary>
+## </param>
+#
+interface(`zookeeper_recv',`
+ gen_require(`
+ type zookeeper_t;
+ ')
+
+ allow $1 zookeeper_t:peer recv;
+')
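Review bot: The summaries on the new interfaces only restate the permission name (`polmatch on hadoop_lan_t`, `recv hadoop_datanode_t`) without saying what hadoop_lan_t is or when a caller needs the interface, which is what a reader of the generated interface documentation will look for. For `hadoop_lan_polmatch` a summary such as `Match IPsec security policy entries labeled hadoop_lan_t, the SPD type for Hadoop labeled-IPsec traffic` and for `hadoop_datanode_recv` something like `Receive labeled IPsec packets from a hadoop datanode peer` would say that; the same wording pattern fits the other recv interfaces. hadoop_lan_t itself is declared in hadoop.te, not in this hunk.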
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index b103f89..e4bbe97 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
type hadoop_etc_t;
files_config_file(hadoop_etc_t)

+type hadoop_lan_t;
+files_type(hadoop_lan_t)
+
type hadoop_log_t;
logging_log_file(hadoop_log_t)

@@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;

allow hadoop_t hadoop_domain:process signull;

+hadoop_lan_polmatch(hadoop_t)
+allow hadoop_t self:peer recv;
+hadoop_datanode_recv(hadoop_t)
+hadoop_jobtracker_recv(hadoop_t)
+hadoop_namenode_recv(hadoop_t)
+hadoop_tasktracker_recv(hadoop_t)
+
read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
can_exec(hadoop_t, hadoop_etc_t)
@@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)

fs_getattr_xattr_fs(hadoop_datanode_t)

+allow hadoop_datanode_t self:peer recv;
+hadoop_jobtracker_recv(hadoop_datanode_t)
+hadoop_namenode_recv(hadoop_datanode_t)
+hadoop_recv(hadoop_datanode_t)
+hadoop_tasktracker_recv(hadoop_datanode_t)
+
########################################
#
# Hadoop jobtracker policy.
@@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)

+allow hadoop_jobtracker_t self:peer recv;
+hadoop_datanode_recv(hadoop_jobtracker_t)
+hadoop_namenode_recv(hadoop_jobtracker_t)
+hadoop_recv(hadoop_jobtracker_t)
+hadoop_tasktracker_recv(hadoop_jobtracker_t)
+
########################################
#
# Hadoop namenode policy.
@@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)

+allow hadoop_namenode_t self:peer recv;
+hadoop_datanode_recv(hadoop_namenode_t)
+hadoop_jobtracker_recv(hadoop_namenode_t)
+hadoop_recv(hadoop_namenode_t)
+hadoop_secondarynamenode_recv(hadoop_namenode_t)
+hadoop_tasktracker_recv(hadoop_namenode_t)
+
########################################
#
# Hadoop secondary namenode policy.
@@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib

corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)

+allow hadoop_secondarynamenode_t self:peer recv;
+hadoop_namenode_recv(hadoop_secondarynamenode_t)
+
########################################
#
# Hadoop tasktracker policy.
@@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)

fs_getattr_xattr_fs(hadoop_tasktracker_t)

+allow hadoop_tasktracker_t self:peer recv;
+hadoop_datanode_recv(hadoop_tasktracker_t)
+hadoop_jobtracker_recv(hadoop_tasktracker_t)
+hadoop_recv(hadoop_tasktracker_t)
+hadoop_namenode_recv(hadoop_tasktracker_t)
+
########################################
#
# Hadoop zookeeper client policy.
@@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
allow zookeeper_t self:udp_socket create_socket_perms;
dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;

+hadoop_lan_polmatch(zookeeper_t)
+zookeeper_server_recv(zookeeper_t)
+
read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)

@@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
allow zookeeper_server_t self:udp_socket create_socket_perms;

+hadoop_lan_polmatch(zookeeper_server_t)
+allow zookeeper_server_t self:peer recv;
+zookeeper_recv(zookeeper_server_t)
+
allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d82ff45..c6545bb 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -422,3 +422,8 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)

userdom_use_user_terminals(setkey_t)
+
+optional_policy(`
+ hadoop_lan_setcontext(setkey_t)
+')
+
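Review bot: The final added line is an empty line after the closing `')`, so the file now ends with a blank line; git flags that as "new blank line at EOF" under whitespace checking and it shows up as noise in the next diff to this file. Dropping that last `+` line leaves the `optional_policy` block as the last thing in the file, which is the shape the rest of the hunk intends.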

2010-12-15 20:54:56

by cpebenito

Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec

On 12/10/10 18:22, Paul Nuzzi wrote:
> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
> the architecture of Hadoop without having to modify any of the code. This adds a level of
> confidentiality, integrity, and authentication provided outside the software stack.

A few things.

The verb used in Reference Policy interfaces for peer recv is recvfrom
(a holdover from previous labeled networking implementations). So the
interfaces are like hadoop_recvfrom_datanode().

It seems like setkey should be able to setcontext any type used on ipsec
associations. I think the best thing would be to add additional support
to either the ipsec or corenetwork modules (I haven't decided which one
yet) for associations. So, say we have an interface called
ipsec_spd_type() which adds the parameter type to the attribute
ipsec_spd_types. Then we can have an allow setkey_t
ipsec_spd_types:association setkey; rule and we don't have to update it
every time more labeled network is added.


This is definitely wrong since it's not a file:
+files_type(hadoop_lan_t)


> Signed-off-by: Paul Nuzzi <[email protected]>
>
> ---
>
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index d07e172..c1ca3a6 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -106,6 +106,8 @@ template(`hadoop_domain_template',`
>
> files_read_etc_files(hadoop_$1_t)
>
> + hadoop_lan_polmatch(hadoop_$1_t)
> +
> init_read_utmp(hadoop_$1_t)
> init_use_fds(hadoop_$1_t)
> init_use_script_fds(hadoop_$1_t)
> @@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
> hadoop_read_config($1)
> allow $1 hadoop_etc_t:file exec_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## polmatch on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing polmatch
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_lan_polmatch',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association polmatch;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## setcontext on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing setcontext
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_lan_setcontext',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association setcontext;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_datanode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_datanode_recv',`
> + gen_require(`
> + type hadoop_datanode_t;
> + ')
> +
> + allow $1 hadoop_datanode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_namenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_namenode_recv',`
> + gen_require(`
> + type hadoop_namenode_t;
> + ')
> +
> + allow $1 hadoop_namenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_jobtracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_jobtracker_recv',`
> + gen_require(`
> + type hadoop_jobtracker_t;
> + ')
> +
> + allow $1 hadoop_jobtracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_tasktracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_tasktracker_recv',`
> + gen_require(`
> + type hadoop_tasktracker_t;
> + ')
> +
> + allow $1 hadoop_tasktracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_secondarynamenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_secondarynamenode_recv',`
> + gen_require(`
> + type hadoop_secondarynamenode_t;
> + ')
> +
> + allow $1 hadoop_secondarynamenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recv',`
> + gen_require(`
> + type hadoop_t;
> + ')
> +
> + allow $1 hadoop_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv zookeeper_server_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_server_recv',`
> + gen_require(`
> + type zookeeper_server_t;
> + ')
> +
> + allow $1 zookeeper_server_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv zookeeper_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_recv',`
> + gen_require(`
> + type zookeeper_t;
> + ')
> +
> + allow $1 zookeeper_t:peer recv;
> +')
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index b103f89..e4bbe97 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
> type hadoop_etc_t;
> files_config_file(hadoop_etc_t)
>
> +type hadoop_lan_t;
> +files_type(hadoop_lan_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
>
> @@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>
> allow hadoop_t hadoop_domain:process signull;
>
> +hadoop_lan_polmatch(hadoop_t)
> +allow hadoop_t self:peer recv;
> +hadoop_datanode_recv(hadoop_t)
> +hadoop_jobtracker_recv(hadoop_t)
> +hadoop_namenode_recv(hadoop_t)
> +hadoop_tasktracker_recv(hadoop_t)
> +
> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> can_exec(hadoop_t, hadoop_etc_t)
> @@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>
> fs_getattr_xattr_fs(hadoop_datanode_t)
>
> +allow hadoop_datanode_t self:peer recv;
> +hadoop_jobtracker_recv(hadoop_datanode_t)
> +hadoop_namenode_recv(hadoop_datanode_t)
> +hadoop_recv(hadoop_datanode_t)
> +hadoop_tasktracker_recv(hadoop_datanode_t)
> +
> ########################################
> #
> # Hadoop jobtracker policy.
> @@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>
> +allow hadoop_jobtracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_jobtracker_t)
> +hadoop_namenode_recv(hadoop_jobtracker_t)
> +hadoop_recv(hadoop_jobtracker_t)
> +hadoop_tasktracker_recv(hadoop_jobtracker_t)
> +
> ########################################
> #
> # Hadoop namenode policy.
> @@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>
> +allow hadoop_namenode_t self:peer recv;
> +hadoop_datanode_recv(hadoop_namenode_t)
> +hadoop_jobtracker_recv(hadoop_namenode_t)
> +hadoop_recv(hadoop_namenode_t)
> +hadoop_secondarynamenode_recv(hadoop_namenode_t)
> +hadoop_tasktracker_recv(hadoop_namenode_t)
> +
> ########################################
> #
> # Hadoop secondary namenode policy.
> @@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>
> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>
> +allow hadoop_secondarynamenode_t self:peer recv;
> +hadoop_namenode_recv(hadoop_secondarynamenode_t)
> +
> ########################################
> #
> # Hadoop tasktracker policy.
> @@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>
> +allow hadoop_tasktracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_tasktracker_t)
> +hadoop_jobtracker_recv(hadoop_tasktracker_t)
> +hadoop_recv(hadoop_tasktracker_t)
> +hadoop_namenode_recv(hadoop_tasktracker_t)
> +
> ########################################
> #
> # Hadoop zookeeper client policy.
> @@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_t self:udp_socket create_socket_perms;
> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_t)
> +zookeeper_server_recv(zookeeper_t)
> +
> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>
> @@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_server_t self:udp_socket create_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_server_t)
> +allow zookeeper_server_t self:peer recv;
> +zookeeper_recv(zookeeper_server_t)
> +
> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d82ff45..be9e5f1 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
>
> files_read_etc_files(setkey_t)
>
> +hadoop_lan_setcontext(setkey_t)
> +
> init_dontaudit_use_fds(setkey_t)
>
> # allow setkey to set the context for ipsec SAs and policy.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-12-15 20:55:03

by cpebenito

Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec

On 12/10/10 18:22, Paul Nuzzi wrote:
> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
> the architecture of Hadoop without having to modify any of the code. This adds a level of
> confidentiality, integrity, and authentication provided outside the software stack.

A few things.

The verb used in Reference Policy interfaces for peer recv is recvfrom
(a holdover from previous labeled networking implementations). So the
interfaces are like hadoop_recvfrom_datanode().

It seems like setkey should be able to setcontext any type used on ipsec
associations. I think the best thing would be to add additional support
to either the ipsec or corenetwork modules (I haven't decided which one
yet) for associations. So, say we have an interface called
ipsec_spd_type() which adds the parameter type to the attribute
ipsec_spd_types. Then we can have an allow setkey_t
ipsec_spd_types:association setkey; rule and we don't have to update it
every time more labeled network is added.


This is definitely wrong since it's not a file:
+files_type(hadoop_lan_t)


> Signed-off-by: Paul Nuzzi <[email protected]>
>
> ---
>
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index d07e172..c1ca3a6 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -106,6 +106,8 @@ template(`hadoop_domain_template',`
>
> files_read_etc_files(hadoop_$1_t)
>
> + hadoop_lan_polmatch(hadoop_$1_t)
> +
> init_read_utmp(hadoop_$1_t)
> init_use_fds(hadoop_$1_t)
> init_use_script_fds(hadoop_$1_t)
> @@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
> hadoop_read_config($1)
> allow $1 hadoop_etc_t:file exec_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## polmatch on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing polmatch
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_lan_polmatch',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association polmatch;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## setcontext on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing setcontext
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_lan_setcontext',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association setcontext;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_datanode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_datanode_recv',`
> + gen_require(`
> + type hadoop_datanode_t;
> + ')
> +
> + allow $1 hadoop_datanode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_namenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_namenode_recv',`
> + gen_require(`
> + type hadoop_namenode_t;
> + ')
> +
> + allow $1 hadoop_namenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_jobtracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_jobtracker_recv',`
> + gen_require(`
> + type hadoop_jobtracker_t;
> + ')
> +
> + allow $1 hadoop_jobtracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_tasktracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_tasktracker_recv',`
> + gen_require(`
> + type hadoop_tasktracker_t;
> + ')
> +
> + allow $1 hadoop_tasktracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_secondarynamenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_secondarynamenode_recv',`
> + gen_require(`
> + type hadoop_secondarynamenode_t;
> + ')
> +
> + allow $1 hadoop_secondarynamenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv hadoop_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recv',`
> + gen_require(`
> + type hadoop_t;
> + ')
> +
> + allow $1 hadoop_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv zookeeper_server_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_server_recv',`
> + gen_require(`
> + type zookeeper_server_t;
> + ')
> +
> + allow $1 zookeeper_server_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recv zookeeper_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recv
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_recv',`
> + gen_require(`
> + type zookeeper_t;
> + ')
> +
> + allow $1 zookeeper_t:peer recv;
> +')
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index b103f89..e4bbe97 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
> type hadoop_etc_t;
> files_config_file(hadoop_etc_t)
>
> +type hadoop_lan_t;
> +files_type(hadoop_lan_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
>
> @@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>
> allow hadoop_t hadoop_domain:process signull;
>
> +hadoop_lan_polmatch(hadoop_t)
> +allow hadoop_t self:peer recv;
> +hadoop_datanode_recv(hadoop_t)
> +hadoop_jobtracker_recv(hadoop_t)
> +hadoop_namenode_recv(hadoop_t)
> +hadoop_tasktracker_recv(hadoop_t)
> +
> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> can_exec(hadoop_t, hadoop_etc_t)
> @@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>
> fs_getattr_xattr_fs(hadoop_datanode_t)
>
> +allow hadoop_datanode_t self:peer recv;
> +hadoop_jobtracker_recv(hadoop_datanode_t)
> +hadoop_namenode_recv(hadoop_datanode_t)
> +hadoop_recv(hadoop_datanode_t)
> +hadoop_tasktracker_recv(hadoop_datanode_t)
> +
> ########################################
> #
> # Hadoop jobtracker policy.
> @@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>
> +allow hadoop_jobtracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_jobtracker_t)
> +hadoop_namenode_recv(hadoop_jobtracker_t)
> +hadoop_recv(hadoop_jobtracker_t)
> +hadoop_tasktracker_recv(hadoop_jobtracker_t)
> +
> ########################################
> #
> # Hadoop namenode policy.
> @@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>
> +allow hadoop_namenode_t self:peer recv;
> +hadoop_datanode_recv(hadoop_namenode_t)
> +hadoop_jobtracker_recv(hadoop_namenode_t)
> +hadoop_recv(hadoop_namenode_t)
> +hadoop_secondarynamenode_recv(hadoop_namenode_t)
> +hadoop_tasktracker_recv(hadoop_namenode_t)
> +
> ########################################
> #
> # Hadoop secondary namenode policy.
> @@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>
> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>
> +allow hadoop_secondarynamenode_t self:peer recv;
> +hadoop_namenode_recv(hadoop_secondarynamenode_t)
> +
> ########################################
> #
> # Hadoop tasktracker policy.
> @@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>
> +allow hadoop_tasktracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_tasktracker_t)
> +hadoop_jobtracker_recv(hadoop_tasktracker_t)
> +hadoop_recv(hadoop_tasktracker_t)
> +hadoop_namenode_recv(hadoop_tasktracker_t)
> +
> ########################################
> #
> # Hadoop zookeeper client policy.
> @@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_t self:udp_socket create_socket_perms;
> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_t)
> +zookeeper_server_recv(zookeeper_t)
> +
> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>
> @@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_server_t self:udp_socket create_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_server_t)
> +allow zookeeper_server_t self:peer recv;
> +zookeeper_recv(zookeeper_server_t)
> +
> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d82ff45..be9e5f1 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
>
> files_read_etc_files(setkey_t)
>
> +hadoop_lan_setcontext(setkey_t)
> +
> init_dontaudit_use_fds(setkey_t)
>
> # allow setkey to set the context for ipsec SAs and policy.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-12-16 17:32:43

by Paul Nuzzi

Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec

On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
> On 12/10/10 18:22, Paul Nuzzi wrote:
>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
>> the architecture of Hadoop without having to modify any of the code. This adds a level of
>> confidentiality, integrity, and authentication provided outside the software stack.
>
> A few things.
>
> The verb used in Reference Policy interfaces for peer recv is recvfrom
> (a holdover from previous labeled networking implementations). So the
> interfaces are like hadoop_recvfrom_datanode().

Easy change.

> It seems like setkey should be able to setcontext any type used on ipsec
> associations. I think the best thing would be to add additional support
> to either the ipsec or corenetwork modules (I haven't decided which one
> yet) for associations. So, say we have an interface called
> ipsec_spd_type() which adds the parameter type to the attribute
> ipsec_spd_types. Then we can have an allow setkey_t
> ipsec_spd_types:association setkey; rule and we don't have to update it
> every time more labeled network is added.

That seems a lot less clunky than updating setkey every time we add a new association.

> This is definitely wrong since its not a file:
> +files_type(hadoop_lan_t)

Let me know how you would like to handle associations and I could update the
patch. Will the files_type error be cleared up when we re-engineer this?

>> Signed-off-by: Paul Nuzzi <[email protected]>
>>
>> ---
>>
>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>> index d07e172..c1ca3a6 100644
>> --- a/policy/modules/services/hadoop.if
>> +++ b/policy/modules/services/hadoop.if
>> @@ -106,6 +106,8 @@ template(`hadoop_domain_template',`
>>
>> files_read_etc_files(hadoop_$1_t)
>>
>> + hadoop_lan_polmatch(hadoop_$1_t)
>> +
>> init_read_utmp(hadoop_$1_t)
>> init_use_fds(hadoop_$1_t)
>> init_use_script_fds(hadoop_$1_t)
>> @@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
>> hadoop_read_config($1)
>> allow $1 hadoop_etc_t:file exec_file_perms;
>> ')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## polmatch on hadoop_lan_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing polmatch
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`hadoop_lan_polmatch',`
>> + gen_require(`
>> + type hadoop_lan_t;
>> + ')
>> +
>> + allow $1 hadoop_lan_t:association polmatch;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## setcontext on hadoop_lan_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing setcontext
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`hadoop_lan_setcontext',`
>> + gen_require(`
>> + type hadoop_lan_t;
>> + ')
>> +
>> + allow $1 hadoop_lan_t:association setcontext;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## recv hadoop_datanode_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing recv
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`hadoop_datanode_recv',`
>> + gen_require(`
>> + type hadoop_datanode_t;
>> + ')
>> +
>> + allow $1 hadoop_datanode_t:peer recv;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## recv hadoop_namenode_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing recv
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`hadoop_namenode_recv',`
>> + gen_require(`
>> + type hadoop_namenode_t;
>> + ')
>> +
>> + allow $1 hadoop_namenode_t:peer recv;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## recv hadoop_jobtracker_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing recv
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`hadoop_jobtracker_recv',`
>> + gen_require(`
>> + type hadoop_jobtracker_t;
>> + ')
>> +
>> + allow $1 hadoop_jobtracker_t:peer recv;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## recv hadoop_tasktracker_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing recv
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`hadoop_tasktracker_recv',`
>> + gen_require(`
>> + type hadoop_tasktracker_t;
>> + ')
>> +
>> + allow $1 hadoop_tasktracker_t:peer recv;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## recv hadoop_secondarynamenode_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing recv
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`hadoop_secondarynamenode_recv',`
>> + gen_require(`
>> + type hadoop_secondarynamenode_t;
>> + ')
>> +
>> + allow $1 hadoop_secondarynamenode_t:peer recv;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## recv hadoop_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing recv
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`hadoop_recv',`
>> + gen_require(`
>> + type hadoop_t;
>> + ')
>> +
>> + allow $1 hadoop_t:peer recv;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## recv zookeeper_server_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing recv
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`zookeeper_server_recv',`
>> + gen_require(`
>> + type zookeeper_server_t;
>> + ')
>> +
>> + allow $1 zookeeper_server_t:peer recv;
>> +')
>> +
>> +########################################
>> +## <summary>
>> +## Give permission to a domain to
>> +## recv zookeeper_t
>> +## </summary>
>> +## <param name="domain">
>> +## <summary>
>> +## Domain needing recv
>> +## permission
>> +## </summary>
>> +## </param>
>> +#
>> +interface(`zookeeper_recv',`
>> + gen_require(`
>> + type zookeeper_t;
>> + ')
>> +
>> + allow $1 zookeeper_t:peer recv;
>> +')
>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
>> index b103f89..e4bbe97 100644
>> --- a/policy/modules/services/hadoop.te
>> +++ b/policy/modules/services/hadoop.te
>> @@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
>> type hadoop_etc_t;
>> files_config_file(hadoop_etc_t)
>>
>> +type hadoop_lan_t;
>> +files_type(hadoop_lan_t)
>> +
>> type hadoop_log_t;
>> logging_log_file(hadoop_log_t)
>>
>> @@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>>
>> allow hadoop_t hadoop_domain:process signull;
>>
>> +hadoop_lan_polmatch(hadoop_t)
>> +allow hadoop_t self:peer recv;
>> +hadoop_datanode_recv(hadoop_t)
>> +hadoop_jobtracker_recv(hadoop_t)
>> +hadoop_namenode_recv(hadoop_t)
>> +hadoop_tasktracker_recv(hadoop_t)
>> +
>> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
>> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
>> can_exec(hadoop_t, hadoop_etc_t)
>> @@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>>
>> fs_getattr_xattr_fs(hadoop_datanode_t)
>>
>> +allow hadoop_datanode_t self:peer recv;
>> +hadoop_jobtracker_recv(hadoop_datanode_t)
>> +hadoop_namenode_recv(hadoop_datanode_t)
>> +hadoop_recv(hadoop_datanode_t)
>> +hadoop_tasktracker_recv(hadoop_datanode_t)
>> +
>> ########################################
>> #
>> # Hadoop jobtracker policy.
>> @@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
>> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
>> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>>
>> +allow hadoop_jobtracker_t self:peer recv;
>> +hadoop_datanode_recv(hadoop_jobtracker_t)
>> +hadoop_namenode_recv(hadoop_jobtracker_t)
>> +hadoop_recv(hadoop_jobtracker_t)
>> +hadoop_tasktracker_recv(hadoop_jobtracker_t)
>> +
>> ########################################
>> #
>> # Hadoop namenode policy.
>> @@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
>> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
>> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>>
>> +allow hadoop_namenode_t self:peer recv;
>> +hadoop_datanode_recv(hadoop_namenode_t)
>> +hadoop_jobtracker_recv(hadoop_namenode_t)
>> +hadoop_recv(hadoop_namenode_t)
>> +hadoop_secondarynamenode_recv(hadoop_namenode_t)
>> +hadoop_tasktracker_recv(hadoop_namenode_t)
>> +
>> ########################################
>> #
>> # Hadoop secondary namenode policy.
>> @@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>>
>> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>>
>> +allow hadoop_secondarynamenode_t self:peer recv;
>> +hadoop_namenode_recv(hadoop_secondarynamenode_t)
>> +
>> ########################################
>> #
>> # Hadoop tasktracker policy.
>> @@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>>
>> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>>
>> +allow hadoop_tasktracker_t self:peer recv;
>> +hadoop_datanode_recv(hadoop_tasktracker_t)
>> +hadoop_jobtracker_recv(hadoop_tasktracker_t)
>> +hadoop_recv(hadoop_tasktracker_t)
>> +hadoop_namenode_recv(hadoop_tasktracker_t)
>> +
>> ########################################
>> #
>> # Hadoop zookeeper client policy.
>> @@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
>> allow zookeeper_t self:udp_socket create_socket_perms;
>> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>>
>> +hadoop_lan_polmatch(zookeeper_t)
>> +zookeeper_server_recv(zookeeper_t)
>> +
>> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>>
>> @@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
>> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
>> allow zookeeper_server_t self:udp_socket create_socket_perms;
>>
>> +hadoop_lan_polmatch(zookeeper_server_t)
>> +allow zookeeper_server_t self:peer recv;
>> +zookeeper_recv(zookeeper_server_t)
>> +
>> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
>> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>>
>> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
>> index d82ff45..be9e5f1 100644
>> --- a/policy/modules/system/ipsec.te
>> +++ b/policy/modules/system/ipsec.te
>> @@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
>>
>> files_read_etc_files(setkey_t)
>>
>> +hadoop_lan_setcontext(setkey_t)
>> +
>> init_dontaudit_use_fds(setkey_t)
>>
>> # allow setkey to set the context for ipsec SAs and policy.
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>

2011-01-05 13:48:45

by cpebenito

Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec

On 12/16/10 12:32, Paul Nuzzi wrote:
> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
>> On 12/10/10 18:22, Paul Nuzzi wrote:
>>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
>>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
>>> the architecture of Hadoop without having to modify any of the code. This adds a level of
>>> confidentiality, integrity, and authentication provided outside the software stack.
>>
>> A few things.
>>
>> The verb used in Reference Policy interfaces for peer recv is recvfrom
>> (a holdover from previous labeled networking implementations). So the
>> interfaces are like hadoop_recvfrom_datanode().
>
> Easy change.
>
>> It seems like setkey should be able to setcontext any type used on ipsec
>> associations. I think the best thing would be to add additional support
>> to either the ipsec or corenetwork modules (I haven't decided which one
>> yet) for associations. So, say we have an interface called
>> ipsec_spd_type() which adds the parameter type to the attribute
>> ipsec_spd_types. Then we can have an allow setkey_t
>> ipsec_spd_types:association setkey; rule and we don't have to update it
>> every time more labeled network is added.
>
> That seems a lot less clunky than updating setkey every time we add a new association.
>
>> This is definitely wrong since its not a file:
>> +files_type(hadoop_lan_t)
>
> Let me know how you would like to handle associations and I could update the
> patch.

Let's go with putting the associations in corenetwork.

> Will the files_type error be cleared up when we re-engineer this?

I'm not sure what you mean. The incorrect rule was added in your patch.

>>> Signed-off-by: Paul Nuzzi <[email protected]>
>>>
>>> ---
>>>
>>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>>> index d07e172..c1ca3a6 100644
>>> --- a/policy/modules/services/hadoop.if
>>> +++ b/policy/modules/services/hadoop.if
>>> @@ -106,6 +106,8 @@ template(`hadoop_domain_template',`
>>>
>>> files_read_etc_files(hadoop_$1_t)
>>>
>>> + hadoop_lan_polmatch(hadoop_$1_t)
>>> +
>>> init_read_utmp(hadoop_$1_t)
>>> init_use_fds(hadoop_$1_t)
>>> init_use_script_fds(hadoop_$1_t)
>>> @@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
>>> hadoop_read_config($1)
>>> allow $1 hadoop_etc_t:file exec_file_perms;
>>> ')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## polmatch on hadoop_lan_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing polmatch
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`hadoop_lan_polmatch',`
>>> + gen_require(`
>>> + type hadoop_lan_t;
>>> + ')
>>> +
>>> + allow $1 hadoop_lan_t:association polmatch;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## setcontext on hadoop_lan_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing setcontext
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`hadoop_lan_setcontext',`
>>> + gen_require(`
>>> + type hadoop_lan_t;
>>> + ')
>>> +
>>> + allow $1 hadoop_lan_t:association setcontext;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## recv hadoop_datanode_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing recv
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`hadoop_datanode_recv',`
>>> + gen_require(`
>>> + type hadoop_datanode_t;
>>> + ')
>>> +
>>> + allow $1 hadoop_datanode_t:peer recv;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## recv hadoop_namenode_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing recv
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`hadoop_namenode_recv',`
>>> + gen_require(`
>>> + type hadoop_namenode_t;
>>> + ')
>>> +
>>> + allow $1 hadoop_namenode_t:peer recv;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## recv hadoop_jobtracker_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing recv
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`hadoop_jobtracker_recv',`
>>> + gen_require(`
>>> + type hadoop_jobtracker_t;
>>> + ')
>>> +
>>> + allow $1 hadoop_jobtracker_t:peer recv;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## recv hadoop_tasktracker_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing recv
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`hadoop_tasktracker_recv',`
>>> + gen_require(`
>>> + type hadoop_tasktracker_t;
>>> + ')
>>> +
>>> + allow $1 hadoop_tasktracker_t:peer recv;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## recv hadoop_secondarynamenode_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing recv
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`hadoop_secondarynamenode_recv',`
>>> + gen_require(`
>>> + type hadoop_secondarynamenode_t;
>>> + ')
>>> +
>>> + allow $1 hadoop_secondarynamenode_t:peer recv;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## recv hadoop_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing recv
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`hadoop_recv',`
>>> + gen_require(`
>>> + type hadoop_t;
>>> + ')
>>> +
>>> + allow $1 hadoop_t:peer recv;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## recv zookeeper_server_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing recv
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`zookeeper_server_recv',`
>>> + gen_require(`
>>> + type zookeeper_server_t;
>>> + ')
>>> +
>>> + allow $1 zookeeper_server_t:peer recv;
>>> +')
>>> +
>>> +########################################
>>> +## <summary>
>>> +## Give permission to a domain to
>>> +## recv zookeeper_t
>>> +## </summary>
>>> +## <param name="domain">
>>> +## <summary>
>>> +## Domain needing recv
>>> +## permission
>>> +## </summary>
>>> +## </param>
>>> +#
>>> +interface(`zookeeper_recv',`
>>> + gen_require(`
>>> + type zookeeper_t;
>>> + ')
>>> +
>>> + allow $1 zookeeper_t:peer recv;
>>> +')
>>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
>>> index b103f89..e4bbe97 100644
>>> --- a/policy/modules/services/hadoop.te
>>> +++ b/policy/modules/services/hadoop.te
>>> @@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
>>> type hadoop_etc_t;
>>> files_config_file(hadoop_etc_t)
>>>
>>> +type hadoop_lan_t;
>>> +files_type(hadoop_lan_t)
>>> +
>>> type hadoop_log_t;
>>> logging_log_file(hadoop_log_t)
>>>
>>> @@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>>>
>>> allow hadoop_t hadoop_domain:process signull;
>>>
>>> +hadoop_lan_polmatch(hadoop_t)
>>> +allow hadoop_t self:peer recv;
>>> +hadoop_datanode_recv(hadoop_t)
>>> +hadoop_jobtracker_recv(hadoop_t)
>>> +hadoop_namenode_recv(hadoop_t)
>>> +hadoop_tasktracker_recv(hadoop_t)
>>> +
>>> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
>>> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
>>> can_exec(hadoop_t, hadoop_etc_t)
>>> @@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>>>
>>> fs_getattr_xattr_fs(hadoop_datanode_t)
>>>
>>> +allow hadoop_datanode_t self:peer recv;
>>> +hadoop_jobtracker_recv(hadoop_datanode_t)
>>> +hadoop_namenode_recv(hadoop_datanode_t)
>>> +hadoop_recv(hadoop_datanode_t)
>>> +hadoop_tasktracker_recv(hadoop_datanode_t)
>>> +
>>> ########################################
>>> #
>>> # Hadoop jobtracker policy.
>>> @@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
>>> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
>>> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>>>
>>> +allow hadoop_jobtracker_t self:peer recv;
>>> +hadoop_datanode_recv(hadoop_jobtracker_t)
>>> +hadoop_namenode_recv(hadoop_jobtracker_t)
>>> +hadoop_recv(hadoop_jobtracker_t)
>>> +hadoop_tasktracker_recv(hadoop_jobtracker_t)
>>> +
>>> ########################################
>>> #
>>> # Hadoop namenode policy.
>>> @@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
>>> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
>>> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>>>
>>> +allow hadoop_namenode_t self:peer recv;
>>> +hadoop_datanode_recv(hadoop_namenode_t)
>>> +hadoop_jobtracker_recv(hadoop_namenode_t)
>>> +hadoop_recv(hadoop_namenode_t)
>>> +hadoop_secondarynamenode_recv(hadoop_namenode_t)
>>> +hadoop_tasktracker_recv(hadoop_namenode_t)
>>> +
>>> ########################################
>>> #
>>> # Hadoop secondary namenode policy.
>>> @@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>>>
>>> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>>>
>>> +allow hadoop_secondarynamenode_t self:peer recv;
>>> +hadoop_namenode_recv(hadoop_secondarynamenode_t)
>>> +
>>> ########################################
>>> #
>>> # Hadoop tasktracker policy.
>>> @@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>>>
>>> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>>>
>>> +allow hadoop_tasktracker_t self:peer recv;
>>> +hadoop_datanode_recv(hadoop_tasktracker_t)
>>> +hadoop_jobtracker_recv(hadoop_tasktracker_t)
>>> +hadoop_recv(hadoop_tasktracker_t)
>>> +hadoop_namenode_recv(hadoop_tasktracker_t)
>>> +
>>> ########################################
>>> #
>>> # Hadoop zookeeper client policy.
>>> @@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
>>> allow zookeeper_t self:udp_socket create_socket_perms;
>>> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>>>
>>> +hadoop_lan_polmatch(zookeeper_t)
>>> +zookeeper_server_recv(zookeeper_t)
>>> +
>>> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>>> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>>>
>>> @@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
>>> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
>>> allow zookeeper_server_t self:udp_socket create_socket_perms;
>>>
>>> +hadoop_lan_polmatch(zookeeper_server_t)
>>> +allow zookeeper_server_t self:peer recv;
>>> +zookeeper_recv(zookeeper_server_t)
>>> +
>>> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
>>> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>>>
>>> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
>>> index d82ff45..be9e5f1 100644
>>> --- a/policy/modules/system/ipsec.te
>>> +++ b/policy/modules/system/ipsec.te
>>> @@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
>>>
>>> files_read_etc_files(setkey_t)
>>>
>>> +hadoop_lan_setcontext(setkey_t)
>>> +
>>> init_dontaudit_use_fds(setkey_t)
>>>
>>> # allow setkey to set the context for ipsec SAs and policy.
>>>
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-01-06 16:33:39

by Paul Nuzzi

Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec

On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote:
> On 12/16/10 12:32, Paul Nuzzi wrote:
>> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
>>> On 12/10/10 18:22, Paul Nuzzi wrote:
>>>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
>>>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
>>>> the architecture of Hadoop without having to modify any of the code. This adds a level of
>>>> confidentiality, integrity, and authentication provided outside the software stack.
>>>
>>> A few things.
>>>
>>> The verb used in Reference Policy interfaces for peer recv is recvfrom
>>> (a holdover from previous labeled networking implementations). So the
>>> interfaces are like hadoop_recvfrom_datanode().
>>
>> Easy change.
>>
>>> It seems like setkey should be able to setcontext any type used on ipsec
>>> associations. I think the best thing would be to add additional support
>>> to either the ipsec or corenetwork modules (I haven't decided which one
>>> yet) for associations. So, say we have an interface called
>>> ipsec_spd_type() which adds the parameter type to the attribute
>>> ipsec_spd_types. Then we can have an allow setkey_t
>>> ipsec_spd_types:association setkey; rule and we don't have to update it
>>> every time more labeled network is added.
>>
>> That seems a lot less clunky than updating setkey every time we add a new association.
>>
>>> This is definitely wrong since its not a file:
>>> +files_type(hadoop_lan_t)
>>
>> Let me know how you would like to handle associations and I could update the
>> patch.
>
> Lets go with putting the associations in corenetwork.
>
>> Will the files_type error be cleared up when we re-engineer this?
>
> I'm not sure what you mean. The incorrect rule was added in your patch.
>

Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services.

Signed-off-by: Paul Nuzzi <[email protected]>

---
policy/modules/kernel/corenetwork.if.in | 38 ++++++
policy/modules/kernel/corenetwork.te.in | 1
policy/modules/services/hadoop.if | 182 ++++++++++++++++++++++++++++++++
policy/modules/services/hadoop.te | 45 +++++++
policy/modules/system/ipsec.te | 2
5 files changed, 268 insertions(+)

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index b06df19..3103644 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -3042,3 +3042,41 @@ interface(`corenet_unconfined',`

typeattribute $1 corenet_unconfined_type;
')
+
+########################################
+## <summary>
+## Make the specified type usable
+## for labeled ipsec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used for labeled ipsec.
+## </summary>
+## </param>
+#
+interface(`ipsec_spd_type',`
+ gen_require(`
+ attribute ipsec_spd_types;
+ ')
+
+ typeattribute $1 ipsec_spd_types;
+')
+
+########################################
+## <summary>
+## Make the specified type usable
+## for labeled ipsec.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used for labeled ipsec.
+## </summary>
+## </param>
+#
+interface(`ipsec_spd_type_setcontext',`
+ gen_require(`
+ attribute ipsec_spd_types;
+ ')
+
+ allow $1 ipsec_spd_types:association setcontext;
+')
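Review bot: The summary on `ipsec_spd_type_setcontext` is a copy of the one on `ipsec_spd_type` and describes the wrong thing: the first interface adds a type to the `ipsec_spd_types` attribute, the second grants `$1` `association setcontext` on every type carrying that attribute, and the `<param name="domain">` on the first interface documents a type, not a domain. Suggested summary for the second interface: `## Allow the specified domain to set the context on all labeled ipsec associations (ipsec_spd_types).`; for the first, `<param name="type">` with `## Type to be used for labeled ipsec.` Both interfaces live in corenetwork.if.in yet carry the `ipsec_` prefix of the ipsec module, whose own `ipsec_setcontext_default_spd` is called one line above the new call in the ipsec.te hunk; unless the module-prefix convention shown by the adjacent `corenet_unconfined` is being set aside on purpose, `corenet_ipsec_spd_type` / `corenet_ipsec_spd_type_setcontext` would tell a reader which file defines them (the callers in the hadoop.te and ipsec.te hunks would change accordingly).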
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index edefaf3..8ee5e51 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -6,6 +6,7 @@ policy_module(corenetwork, 1.15.0)
#

attribute client_packet_type;
+attribute ipsec_spd_types;
attribute netif_type;
attribute node_type;
attribute packet_type;
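Review bot: The new `ipsec_spd_types` attribute changes corenetwork's interface, but as far as this hunk shows the header still reads `policy_module(corenetwork, 1.15.0)`; Reference Policy convention is to bump the module version with each change to a module's .te/.if, so `policy_module(corenetwork, 1.15.1)` would be expected here, and likewise for hadoop and ipsec in their hunks. A one-line comment above the attribute would also keep it from being read as another packet/node attribute, e.g. `# types assigned to ipsec SPD entries/SAs for labeled ipsec`.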
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index b5ab49e..3fc31f7 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -110,6 +110,8 @@ template(`hadoop_domain_template',`

auth_domtrans_chkpwd(hadoop_$1_t)

+ hadoop_lan_polmatch(hadoop_$1_t)
+
init_read_utmp(hadoop_$1_t)
init_use_fds(hadoop_$1_t)
init_use_script_fds(hadoop_$1_t)
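Review bot: Every daemon domain in the hadoop.te hunks (datanode, jobtracker, namenode, secondarynamenode, tasktracker) repeats `allow hadoop_<x>_t self:peer recv;` next to its recvfrom calls; if those domains are all produced by this template, as the `hadoop_$1_t` naming suggests, that rule belongs here beside the polmatch call as `allow hadoop_$1_t self:peer recv;`, which removes five copies and guarantees a daemon added later is not left without it. The datanode hunk would be the first place to drop a copy. The template body starts outside this hunk.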
@@ -350,3 +352,183 @@ interface(`hadoop_exec_config',`
hadoop_read_config($1)
allow $1 hadoop_etc_t:file exec_file_perms;
')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## polmatch on hadoop_lan_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing polmatch
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_lan_polmatch',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association polmatch;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_datanode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_datanode',`
+ gen_require(`
+ type hadoop_datanode_t;
+ ')
+
+ allow $1 hadoop_datanode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_namenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_namenode',`
+ gen_require(`
+ type hadoop_namenode_t;
+ ')
+
+ allow $1 hadoop_namenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_jobtracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_jobtracker',`
+ gen_require(`
+ type hadoop_jobtracker_t;
+ ')
+
+ allow $1 hadoop_jobtracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_tasktracker_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_tasktracker',`
+ gen_require(`
+ type hadoop_tasktracker_t;
+ ')
+
+ allow $1 hadoop_tasktracker_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_secondarynamenode_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom_secondarynamenode',`
+ gen_require(`
+ type hadoop_secondarynamenode_t;
+ ')
+
+ allow $1 hadoop_secondarynamenode_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom hadoop_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`hadoop_recvfrom',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ allow $1 hadoop_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom zookeeper_server_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`zookeeper_recvfrom_server',`
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:peer recv;
+')
+
+########################################
+## <summary>
+## Give permission to a domain to
+## recvfrom zookeeper_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain needing recvfrom
+## permission
+## </summary>
+## </param>
+#
+interface(`zookeeper_recvfrom',`
+ gen_require(`
+ type zookeeper_t;
+ ')
+
+ allow $1 zookeeper_t:peer recv;
+')
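Review bot: The summaries on the eight new recvfrom interfaces ("Give permission to a domain to recvfrom hadoop_datanode_t") do not say that the permission is on the `peer` class, i.e. it is only consulted for packets that arrive with a peer label, and a peer label is supplied by any labeled-networking mechanism the kernel has configured, not only the IPsec SAs this patch is about. A summary such as `## Receive labeled network traffic from hadoop_datanode_t peers.` (and the same form for the other seven) would state what the rule actually covers and avoid suggesting it restricts ordinary unlabeled connections.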
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 9a9c206..b1427eb 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -18,6 +18,9 @@ files_config_file(hadoop_etc_t)
type hadoop_home_t;
userdom_user_home_content(hadoop_home_t)

+type hadoop_lan_t;
+ipsec_spd_type(hadoop_lan_t)
+
type hadoop_log_t;
logging_log_file(hadoop_log_t)

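Review bot: `hadoop_lan_t` is declared without a comment saying what it labels; unlike the file types around it, it is an association label that only exists once setkey_t (granted setcontext through `ipsec_spd_type_setcontext` in the ipsec.te hunk) assigns it to SPD entries/SAs, after which the hadoop domains match it via `hadoop_lan_polmatch`. Suggest `# association label for the ipsec SPD entries/SAs carrying hadoop traffic; set by setkey_t, matched (polmatch) by the hadoop domains` above `type hadoop_lan_t;`.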
@@ -88,6 +91,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;

allow hadoop_t hadoop_domain:process signull;

+hadoop_lan_polmatch(hadoop_t)
+allow hadoop_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_t)
+hadoop_recvfrom_jobtracker(hadoop_t)
+hadoop_recvfrom_namenode(hadoop_t)
+hadoop_recvfrom_tasktracker(hadoop_t)
+
read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
can_exec(hadoop_t, hadoop_etc_t)
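Review bot: The `peer recv` rules added here and in the other hadoop.te hunks only decide who may talk to these services for traffic that arrives with a peer label, i.e. over an SA that setkey labeled; nothing in the policy requires traffic to the hadoop ports to be IPsec-protected at all, so whether unlabeled TCP from an arbitrary host is still accepted depends on the SPD configuration and on what the domains are already allowed from the `unlabeled_t` peer (typically `corenet_all_recvfrom_unlabeled()`, not visible in this patch). The commit message's claim to "control the remote processes that are allowed to connect" therefore holds only together with an SPD that requires IPsec for this traffic; a comment above `hadoop_lan_polmatch(hadoop_t)` recording that assumption would stop the next reader from relying on these rules alone, e.g. `# labeled ipsec: only restricts peers if the SPD requires ipsec for hadoop traffic; unlabeled peers are governed by the recvfrom_unlabeled rules`. The hadoop_t block continues outside this hunk.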
@@ -184,6 +194,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)

fs_getattr_xattr_fs(hadoop_datanode_t)

+allow hadoop_datanode_t self:peer recv;
+hadoop_recvfrom_jobtracker(hadoop_datanode_t)
+hadoop_recvfrom_namenode(hadoop_datanode_t)
+hadoop_recvfrom(hadoop_datanode_t)
+hadoop_recvfrom_tasktracker(hadoop_datanode_t)
+
########################################
#
# Hadoop jobtracker policy.
@@ -198,6 +214,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)

+allow hadoop_jobtracker_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_jobtracker_t)
+hadoop_recvfrom_namenode(hadoop_jobtracker_t)
+hadoop_recvfrom(hadoop_jobtracker_t)
+hadoop_recvfrom_tasktracker(hadoop_jobtracker_t)
+
########################################
#
# Hadoop namenode policy.
@@ -209,6 +231,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)

+allow hadoop_namenode_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_namenode_t)
+hadoop_recvfrom_jobtracker(hadoop_namenode_t)
+hadoop_recvfrom(hadoop_namenode_t)
+hadoop_recvfrom_secondarynamenode(hadoop_namenode_t)
+hadoop_recvfrom_tasktracker(hadoop_namenode_t)
+
########################################
#
# Hadoop secondary namenode policy.
@@ -218,6 +247,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib

corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)

+allow hadoop_secondarynamenode_t self:peer recv;
+hadoop_recvfrom_namenode(hadoop_secondarynamenode_t)
+
########################################
#
# Hadoop tasktracker policy.
@@ -240,6 +272,12 @@ corenet_tcp_connect_zope_port(hadoop_tasktracker_t)

fs_getattr_xattr_fs(hadoop_tasktracker_t)

+allow hadoop_tasktracker_t self:peer recv;
+hadoop_recvfrom_datanode(hadoop_tasktracker_t)
+hadoop_recvfrom_jobtracker(hadoop_tasktracker_t)
+hadoop_recvfrom(hadoop_tasktracker_t)
+hadoop_recvfrom_namenode(hadoop_tasktracker_t)
+
########################################
#
# Hadoop zookeeper client policy.
@@ -251,6 +289,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
allow zookeeper_t self:udp_socket create_socket_perms;
dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;

+hadoop_lan_polmatch(zookeeper_t)
+zookeeper_recvfrom_server(zookeeper_t)
+
read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)

@@ -325,6 +366,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
allow zookeeper_server_t self:udp_socket create_socket_perms;

+hadoop_lan_polmatch(zookeeper_server_t)
+allow zookeeper_server_t self:peer recv;
+zookeeper_recvfrom(zookeeper_server_t)
+
allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)

diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d82ff45..13f76a3 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -414,6 +414,7 @@ init_dontaudit_use_fds(setkey_t)

# allow setkey to set the context for ipsec SAs and policy.
ipsec_setcontext_default_spd(setkey_t)
+ipsec_spd_type_setcontext(setkey_t)

locallogin_use_fds(setkey_t)

@@ -422,3 +423,4 @@ miscfiles_read_localization(setkey_t)
seutil_read_config(setkey_t)

userdom_use_user_terminals(setkey_t)
+

2011-01-13 19:22:41

by cpebenito

Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec

On 01/06/11 11:33, Paul Nuzzi wrote:
> On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote:
>> On 12/16/10 12:32, Paul Nuzzi wrote:
>>> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
>>>> On 12/10/10 18:22, Paul Nuzzi wrote:
>>>>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
>>>>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
>>>>> the architecture of Hadoop without having to modify any of the code. This adds a level of
>>>>> confidentiality, integrity, and authentication provided outside the software stack.
>>>>
>>>> A few things.
>>>>
>>>> The verb used in Reference Policy interfaces for peer recv is recvfrom
>>>> (a holdover from previous labeled networking implementations). So the
>>>> interfaces are like hadoop_recvfrom_datanode().
>>>
>>> Easy change.
>>>
>>>> It seems like setkey should be able to setcontext any type used on ipsec
>>>> associations. I think the best thing would be to add additional support
>>>> to either the ipsec or corenetwork modules (I haven't decided which one
>>>> yet) for associations. So, say we have an interface called
>>>> ipsec_spd_type() which adds the parameter type to the attribute
>>>> ipsec_spd_types. Then we can have an allow setkey_t
>>>> ipsec_spd_types:association setkey; rule and we don't have to update it
>>>> every time more labeled network is added.
>>>
>>> That seems a lot less clunky than updating setkey every time we add a new association.
>>>
>>>> This is definitely wrong since its not a file:
>>>> +files_type(hadoop_lan_t)
>>>
>>> Let me know how you would like to handle associations and I could update the
>>> patch.
>>
>> Lets go with putting the associations in corenetwork.
>>
>>> Will the files_type error be cleared up when we re-engineer this?
>>
>> I'm not sure what you mean. The incorrect rule was added in your patch.
>>
>
> Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services.

Merged. I did some interface renaming and rearranging.

> Signed-off-by: Paul Nuzzi <[email protected]>
>
> ---
> policy/modules/kernel/corenetwork.if.in | 38 ++++++
> policy/modules/kernel/corenetwork.te.in | 1
> policy/modules/services/hadoop.if | 182 ++++++++++++++++++++++++++++++++
> policy/modules/services/hadoop.te | 45 +++++++
> policy/modules/system/ipsec.te | 2
> 5 files changed, 268 insertions(+)
>
> diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
> index b06df19..3103644 100644
> --- a/policy/modules/kernel/corenetwork.if.in
> +++ b/policy/modules/kernel/corenetwork.if.in
> @@ -3042,3 +3042,41 @@ interface(`corenet_unconfined',`
>
> typeattribute $1 corenet_unconfined_type;
> ')
> +
> +########################################
> +## <summary>
> +## Make the specified type usable
> +## for labeled ipsec.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type to be used for labeled ipsec.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_spd_type',`
> + gen_require(`
> + attribute ipsec_spd_types;
> + ')
> +
> + typeattribute $1 ipsec_spd_types;
> +')
> +
> +########################################
> +## <summary>
> +## Make the specified type usable
> +## for labeled ipsec.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type to be used for labeled ipsec.
> +## </summary>
> +## </param>
> +#
> +interface(`ipsec_spd_type_setcontext',`
> + gen_require(`
> + attribute ipsec_spd_types;
> + ')
> +
> + allow $1 ipsec_spd_types:association setcontext;
> +')
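Review bot: The `ipsec_spd_type_setcontext` interface reuses the summary and parameter text of `ipsec_spd_type` verbatim ("Make the specified type usable for labeled ipsec."), which does not describe what it actually grants (`allow $1 ipsec_spd_types:association setcontext;`). Its summary should read something like `## Allow the specified domain to setcontext on all labeled ipsec SPD types.` and the parameter description `## Domain allowed to set the context.`, so the two interfaces are distinguishable in the generated documentation.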
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index edefaf3..8ee5e51 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -6,6 +6,7 @@ policy_module(corenetwork, 1.15.0)
> #
>
> attribute client_packet_type;
> +attribute ipsec_spd_types;
> attribute netif_type;
> attribute node_type;
> attribute packet_type;
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index b5ab49e..3fc31f7 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -110,6 +110,8 @@ template(`hadoop_domain_template',`
>
> auth_domtrans_chkpwd(hadoop_$1_t)
>
> + hadoop_lan_polmatch(hadoop_$1_t)
> +
> init_read_utmp(hadoop_$1_t)
> init_use_fds(hadoop_$1_t)
> init_use_script_fds(hadoop_$1_t)
> @@ -350,3 +352,183 @@ interface(`hadoop_exec_config',`
> hadoop_read_config($1)
> allow $1 hadoop_etc_t:file exec_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## polmatch on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing polmatch
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_lan_polmatch',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association polmatch;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_datanode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_datanode',`
> + gen_require(`
> + type hadoop_datanode_t;
> + ')
> +
> + allow $1 hadoop_datanode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_namenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_namenode',`
> + gen_require(`
> + type hadoop_namenode_t;
> + ')
> +
> + allow $1 hadoop_namenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_jobtracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_jobtracker',`
> + gen_require(`
> + type hadoop_jobtracker_t;
> + ')
> +
> + allow $1 hadoop_jobtracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_tasktracker_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_tasktracker',`
> + gen_require(`
> + type hadoop_tasktracker_t;
> + ')
> +
> + allow $1 hadoop_tasktracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_secondarynamenode_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom_secondarynamenode',`
> + gen_require(`
> + type hadoop_secondarynamenode_t;
> + ')
> +
> + allow $1 hadoop_secondarynamenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom hadoop_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`hadoop_recvfrom',`
> + gen_require(`
> + type hadoop_t;
> + ')
> +
> + allow $1 hadoop_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom zookeeper_server_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_recvfrom_server',`
> + gen_require(`
> + type zookeeper_server_t;
> + ')
> +
> + allow $1 zookeeper_server_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +## Give permission to a domain to
> +## recvfrom zookeeper_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain needing recvfrom
> +## permission
> +## </summary>
> +## </param>
> +#
> +interface(`zookeeper_recvfrom',`
> + gen_require(`
> + type zookeeper_t;
> + ')
> +
> + allow $1 zookeeper_t:peer recv;
> +')
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 9a9c206..b1427eb 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -18,6 +18,9 @@ files_config_file(hadoop_etc_t)
> type hadoop_home_t;
> userdom_user_home_content(hadoop_home_t)
>
> +type hadoop_lan_t;
> +ipsec_spd_type(hadoop_lan_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
>
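Review bot: `hadoop_lan_t` is declared with no comment saying what it labels; the neighbouring declarations are self-describing through their interface names, while `ipsec_spd_type()` only states that the type is usable for labeled ipsec. A short comment above the declaration, e.g. `# label for the IPsec SPD entries that hadoop and zookeeper domains polmatch against`, would tell a reader why those domains are given hadoop_lan_polmatch().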
> @@ -88,6 +91,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>
> allow hadoop_t hadoop_domain:process signull;
>
> +hadoop_lan_polmatch(hadoop_t)
> +allow hadoop_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_t)
> +hadoop_recvfrom_jobtracker(hadoop_t)
> +hadoop_recvfrom_namenode(hadoop_t)
> +hadoop_recvfrom_tasktracker(hadoop_t)
> +
> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> can_exec(hadoop_t, hadoop_etc_t)
> @@ -184,6 +194,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>
> fs_getattr_xattr_fs(hadoop_datanode_t)
>
> +allow hadoop_datanode_t self:peer recv;
> +hadoop_recvfrom_jobtracker(hadoop_datanode_t)
> +hadoop_recvfrom_namenode(hadoop_datanode_t)
> +hadoop_recvfrom(hadoop_datanode_t)
> +hadoop_recvfrom_tasktracker(hadoop_datanode_t)
> +
> ########################################
> #
> # Hadoop jobtracker policy.
> @@ -198,6 +214,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>
> +allow hadoop_jobtracker_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_jobtracker_t)
> +hadoop_recvfrom_namenode(hadoop_jobtracker_t)
> +hadoop_recvfrom(hadoop_jobtracker_t)
> +hadoop_recvfrom_tasktracker(hadoop_jobtracker_t)
> +
> ########################################
> #
> # Hadoop namenode policy.
> @@ -209,6 +231,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>
> +allow hadoop_namenode_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_namenode_t)
> +hadoop_recvfrom_jobtracker(hadoop_namenode_t)
> +hadoop_recvfrom(hadoop_namenode_t)
> +hadoop_recvfrom_secondarynamenode(hadoop_namenode_t)
> +hadoop_recvfrom_tasktracker(hadoop_namenode_t)
> +
> ########################################
> #
> # Hadoop secondary namenode policy.
> @@ -218,6 +247,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>
> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>
> +allow hadoop_secondarynamenode_t self:peer recv;
> +hadoop_recvfrom_namenode(hadoop_secondarynamenode_t)
> +
> ########################################
> #
> # Hadoop tasktracker policy.
> @@ -240,6 +272,12 @@ corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>
> +allow hadoop_tasktracker_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_tasktracker_t)
> +hadoop_recvfrom_jobtracker(hadoop_tasktracker_t)
> +hadoop_recvfrom(hadoop_tasktracker_t)
> +hadoop_recvfrom_namenode(hadoop_tasktracker_t)
> +
> ########################################
> #
> # Hadoop zookeeper client policy.
> @@ -251,6 +289,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_t self:udp_socket create_socket_perms;
> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_t)
> +zookeeper_recvfrom_server(zookeeper_t)
> +
> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>
> @@ -325,6 +366,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_server_t self:udp_socket create_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_server_t)
> +allow zookeeper_server_t self:peer recv;
> +zookeeper_recvfrom(zookeeper_server_t)
> +
> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d82ff45..13f76a3 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -414,6 +414,7 @@ init_dontaudit_use_fds(setkey_t)
>
> # allow setkey to set the context for ipsec SAs and policy.
> ipsec_setcontext_default_spd(setkey_t)
> +ipsec_spd_type_setcontext(setkey_t)
>
> locallogin_use_fds(setkey_t)
>
> @@ -422,3 +423,4 @@ miscfiles_read_localization(setkey_t)
> seutil_read_config(setkey_t)
>
> userdom_use_user_terminals(setkey_t)
> +


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com