2010-12-10 23:22:32

by Paul Nuzzi

Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3

Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
Fixed a bug where policy was preventing exporting files from the
distributed file system to the user's home directory.

Signed-off-by: Paul Nuzzi <[email protected]>

---

policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/services/hadoop.fc | 14 +++++++++-----
policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++---
policy/modules/services/hadoop.te | 14 ++++++++++++++
4 files changed, 51 insertions(+), 8 deletions(-)

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 606a257..7a48dad 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ hadoop_role(user_r, user_t)
+ ')
+
+ optional_policy(`
irc_role(user_r, user_t)
')

diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
index 3035be2..00a877d 100644
--- a/policy/modules/services/hadoop.fc
+++ b/policy/modules/services/hadoop.fc
@@ -1,10 +1,10 @@
/etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)

-/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
-/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
/etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)

/etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
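Review bot: The `(.*-)?` group introduced on the five /etc/init\.d entries is not anchored against `/`, so in file-context regex terms a path such as `/etc/init.d/hadoop-x/y-datanode` would also be labelled hadoop_datanode_initrc_exec_t; `([^/]*-)?` expresses the intended single-component version prefix (e.g. `hadoop-0.20-datanode`) without that. The existing /etc/rc\.d/init\.d lines already use the looser form, so if the tighter group is adopted it should be applied to both sets to keep them consistent. This is a precision point only; the current pattern does match the CDH3 script names.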
@@ -24,10 +24,14 @@

/var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
/var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)

/var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
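Review bot: The hdfs-owned cache paths added here cover `dfs/data` and `dfs/namesecondary`, but no `cache/hdfs/dfs/name` entry is added beside the existing `cache/hadoop/dfs/name` line, so if CDH3 places the namenode metadata under the hdfs cache directory the way it does the other two, that tree falls back to the generic hadoop_var_lib_t from the `/var/lib/hadoop.*` entry. Directories of that type are writable by every daemon instantiated from hadoop_domain_template (its filetrans rule is on hadoop_var_lib_t), which would undo the per-daemon separation that hadoop_namenode_var_lib_t exists to provide for the fsimage/edits files. Unless the namenode layout has been verified to be unchanged, add `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)`.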
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 9e9bfe7..d1ff90d 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
# Shared hadoop_$1 policy.
#

- allow hadoop_$1_t self:process execmem;
+ allow hadoop_$1_t self:capability { chown kill setgid setuid };
+ allow hadoop_$1_t self:key search;
+ allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+ allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
allow hadoop_$1_t self:udp_socket create_socket_perms;
dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
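Review bot: The shared template now grants `self:capability { chown kill setgid setuid }` to all five daemon domains at once, and while setuid/setgid are consistent with the `su_exec` added further down in this template (daemons dropping privileges via su), nothing in the hunk explains chown or kill, which let a long-running, network-facing daemon re-own files and signal processes of other uids. Because every daemon is instantiated from this template, a capability needed by one of them is inherited by all. Consider confirming chown and kill per daemon from the audit log and moving anything daemon-specific into hadoop.te, with a comment such as `# setuid/setgid: daemon starts as root and drops privileges through su` on the capability line.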

@@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
files_search_var_lib(hadoop_$1_t)

- allow hadoop_$1_t hadoop_var_run_t:dir getattr;
- files_search_pids(hadoop_$1_t)
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_t)

allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
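Review bot: Replacing the `getattr` on hadoop_var_run_t with `manage_files_pattern` on hadoop_$1_initrc_var_run_t lets the daemon domain itself create, rewrite and unlink the pid file that the initrc domain uses to stop the service; if the init script does a `kill $(cat pidfile)` as root, a compromised daemon could redirect that signal to an arbitrary pid. If the daemon only needs to write its own pid at start-up, `rw_files_pattern` (or create plus write) together with the filetrans is narrower than full manage. Either way a one-line comment saying why the daemon rather than the init script owns the pid file would help the next reader understand the type name.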
@@ -102,14 +106,29 @@ template(`hadoop_domain_template',`

files_read_etc_files(hadoop_$1_t)

+ init_read_utmp(hadoop_$1_t)
+ init_use_fds(hadoop_$1_t)
+ init_use_script_fds(hadoop_$1_t)
+ init_use_script_ptys(hadoop_$1_t)
+
+ kerberos_use(hadoop_$1_t)
+ kernel_read_kernel_sysctls(hadoop_$1_t)
+ kernel_read_sysctl(hadoop_$1_t)
+
+ logging_send_audit_msgs(hadoop_$1_t)
+ logging_send_syslog_msg(hadoop_$1_t)
+
miscfiles_read_localization(hadoop_$1_t)

+ su_exec(hadoop_$1_t)
sysnet_read_config(hadoop_$1_t)

hadoop_exec_config(hadoop_$1_t)

java_exec(hadoop_$1_t)

+ auth_domtrans_chkpwd(hadoop_$1_t)
+
optional_policy(`
nscd_socket_use(hadoop_$1_t)
')
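Review bot: `auth_domtrans_chkpwd` and `logging_send_audit_msgs` are added to every daemon domain without a comment, and nothing a Hadoop daemon does by itself checks passwords or writes audit records; both look like consequences of the `su_exec` in the same hunk, since without a domain transition su's PAM stack (unix_chkpwd, its audit records) runs inside the calling domain. logging_send_audit_msgs in particular lets a network-facing daemon inject USER records into the audit trail, so it deserves an explicit justification, e.g. `# needed by su's PAM stack: unix_chkpwd and audit records` above these lines, and a check that both are actually hit with the init-script-driven su rather than carried over from a broader allow2 run.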
@@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
consoletype_exec(hadoop_$1_initrc_t)

fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+ fs_search_cgroup_dirs(hadoop_$1_initrc_t)

term_use_generic_ptys(hadoop_$1_initrc_t)

hadoop_exec_config(hadoop_$1_initrc_t)

init_rw_utmp(hadoop_$1_initrc_t)
+ init_use_fds(hadoop_$1_initrc_t)
init_use_script_ptys(hadoop_$1_initrc_t)

logging_send_syslog_msg(hadoop_$1_initrc_t)
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 35a8131..b103f89 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
dev_read_rand(hadoop_t)
dev_read_sysfs(hadoop_t)
dev_read_urand(hadoop_t)
+domain_use_interactive_fds(hadoop_t)

files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
files_read_usr_files(hadoop_t)
+files_search_var_lib(hadoop_t)

fs_getattr_xattr_fs(hadoop_t)

+kerberos_use(hadoop_t)
+
miscfiles_read_localization(hadoop_t)

+sysnet_read_config(hadoop_t)
+
userdom_dontaudit_search_user_home_dirs(hadoop_t)
+userdom_list_user_home_content(hadoop_t)
+userdom_manage_user_home_content_files(hadoop_t)
userdom_use_user_terminals(hadoop_t)

java_exec(hadoop_t)
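Review bot: With `userdom_list_user_home_content(hadoop_t)` added, the `userdom_dontaudit_search_user_home_dirs(hadoop_t)` immediately above it becomes dead: listing user home content grants (and so allows) search on the user home directories, and a dontaudit on a permission that is also allowed has no effect. Drop the dontaudit line in the same hunk so the rule set states the access that is actually granted. The rest of the hadoop_t client rules continue outside this hunk.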
@@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
corenet_tcp_connect_zope_port(hadoop_tasktracker_t)

manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)

+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)

fs_getattr_xattr_fs(hadoop_tasktracker_t)
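Review bot: `setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)` lets the tasktracker change the mode, ownership and timestamps of the shared top-level Hadoop log directory used by every daemon, and together with the chown capability the template now grants it can re-own that directory; the tasktracker's own log tree is already separated as hadoop_tasktracker_log_t by the filetrans rule on the next line. If setattr is needed only to fix up the tasktracker subdirectory it creates, it should be scoped to hadoop_tasktracker_log_t; if the parent really is modified, a comment naming the operation (`# tasktracker chmods the shared log dir on start-up`, or whatever the audit log shows) would document why the wider rule is required.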
@@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
dev_read_rand(zookeeper_t)
dev_read_sysfs(zookeeper_t)
dev_read_urand(zookeeper_t)
+domain_use_interactive_fds(zookeeper_t)

files_read_etc_files(zookeeper_t)
files_read_usr_files(zookeeper_t)


2010-12-11 09:01:42

by domg472

Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
> Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
> Fixed a bug where policy was preventing exporting files from the
> distributed file system to the user's home directory.
>
> Signed-off-by: Paul Nuzzi <[email protected]>
>
> ---
>
> policy/modules/roles/unprivuser.te | 4 ++++
> policy/modules/services/hadoop.fc | 14 +++++++++-----
> policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++---
> policy/modules/services/hadoop.te | 14 ++++++++++++++
> 4 files changed, 51 insertions(+), 8 deletions(-)
>
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 606a257..7a48dad 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + hadoop_role(user_r, user_t)
> + ')
> +
> + optional_policy(`
> irc_role(user_r, user_t)
> ')
>
> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
> index 3035be2..00a877d 100644
> --- a/policy/modules/services/hadoop.fc
> +++ b/policy/modules/services/hadoop.fc
> @@ -1,10 +1,10 @@
> /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
>
> -/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>
> /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> @@ -24,10 +24,14 @@
>
> /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>
> /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index 9e9bfe7..d1ff90d 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
> # Shared hadoop_$1 policy.
> #
>
> - allow hadoop_$1_t self:process execmem;
> + allow hadoop_$1_t self:capability { chown kill setgid setuid };
> + allow hadoop_$1_t self:key search;
> + allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
> allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
> allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
> + allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
> allow hadoop_$1_t self:udp_socket create_socket_perms;
> dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>
> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
> files_search_var_lib(hadoop_$1_t)
>
> - allow hadoop_$1_t hadoop_var_run_t:dir getattr;
> - files_search_pids(hadoop_$1_t)
> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
> + files_search_pids(hadoop_$1_t)
>
> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>
> files_read_etc_files(hadoop_$1_t)
>
> + init_read_utmp(hadoop_$1_t)
> + init_use_fds(hadoop_$1_t)
> + init_use_script_fds(hadoop_$1_t)
> + init_use_script_ptys(hadoop_$1_t)
> +
> + kerberos_use(hadoop_$1_t)

Does hadoop depend on kerberos? If no then kerberos_use should probably
be optional.

> + kernel_read_kernel_sysctls(hadoop_$1_t)
> + kernel_read_sysctl(hadoop_$1_t)
> +
> + logging_send_audit_msgs(hadoop_$1_t)
> + logging_send_syslog_msg(hadoop_$1_t)
> +
> miscfiles_read_localization(hadoop_$1_t)
>
> + su_exec(hadoop_$1_t)

Does hadoop depend on su? If not then su_exec should probably be optional.

(btw would sudo work?)

> sysnet_read_config(hadoop_$1_t)
>
> hadoop_exec_config(hadoop_$1_t)
>
> java_exec(hadoop_$1_t)
>
> + auth_domtrans_chkpwd(hadoop_$1_t)
> +
> optional_policy(`
> nscd_socket_use(hadoop_$1_t)
> ')
> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
> consoletype_exec(hadoop_$1_initrc_t)
>
> fs_getattr_xattr_fs(hadoop_$1_initrc_t)
> + fs_search_cgroup_dirs(hadoop_$1_initrc_t)
>
> term_use_generic_ptys(hadoop_$1_initrc_t)
>
> hadoop_exec_config(hadoop_$1_initrc_t)
>
> init_rw_utmp(hadoop_$1_initrc_t)
> + init_use_fds(hadoop_$1_initrc_t)
> init_use_script_ptys(hadoop_$1_initrc_t)
>
> logging_send_syslog_msg(hadoop_$1_initrc_t)
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 35a8131..b103f89 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
> dev_read_rand(hadoop_t)
> dev_read_sysfs(hadoop_t)
> dev_read_urand(hadoop_t)
> +domain_use_interactive_fds(hadoop_t)
>
> files_dontaudit_search_spool(hadoop_t)
> +files_read_etc_files(hadoop_t)
> files_read_usr_files(hadoop_t)
> +files_search_var_lib(hadoop_t)
>
> fs_getattr_xattr_fs(hadoop_t)
>
> +kerberos_use(hadoop_t)
> +
> miscfiles_read_localization(hadoop_t)
>
> +sysnet_read_config(hadoop_t)
> +
> userdom_dontaudit_search_user_home_dirs(hadoop_t)
> +userdom_list_user_home_content(hadoop_t)
> +userdom_manage_user_home_content_files(hadoop_t)
> userdom_use_user_terminals(hadoop_t)
>
> java_exec(hadoop_t)
> @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
> corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>
> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
> filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>
> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
> +
> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
> @@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
> dev_read_rand(zookeeper_t)
> dev_read_sysfs(zookeeper_t)
> dev_read_urand(zookeeper_t)
> +domain_use_interactive_fds(zookeeper_t)
>
> files_read_etc_files(zookeeper_t)
> files_read_usr_files(zookeeper_t)
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0DPfYACgkQMlxVo39jgT/FRQCaAnmATWIf2/KsG5GZylufw5La
8KQAn3/XDpXh/FN61oWR3WAmTW7wzIsH
=qPch
-----END PGP SIGNATURE-----

2010-12-13 15:39:11

by Paul Nuzzi

Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3

On 12/11/2010 04:01 AM, Dominick Grift wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>> Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
>> Fixed a bug where policy was preventing exporting files from the
>> distributed file system to the user's home directory.
>>
>> Signed-off-by: Paul Nuzzi <[email protected]>
>>
>> ---
>>
>> policy/modules/roles/unprivuser.te | 4 ++++
>> policy/modules/services/hadoop.fc | 14 +++++++++-----
>> policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++---
>> policy/modules/services/hadoop.te | 14 ++++++++++++++
>> 4 files changed, 51 insertions(+), 8 deletions(-)
>>
>> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
>> index 606a257..7a48dad 100644
>> --- a/policy/modules/roles/unprivuser.te
>> +++ b/policy/modules/roles/unprivuser.te
>> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
>> ')
>>
>> optional_policy(`
>> + hadoop_role(user_r, user_t)
>> + ')
>> +
>> + optional_policy(`
>> irc_role(user_r, user_t)
>> ')
>>
>> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
>> index 3035be2..00a877d 100644
>> --- a/policy/modules/services/hadoop.fc
>> +++ b/policy/modules/services/hadoop.fc
>> @@ -1,10 +1,10 @@
>> /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
>>
>> -/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>> /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>>
>> /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> @@ -24,10 +24,14 @@
>>
>> /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>> /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>>
>> /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>> index 9e9bfe7..d1ff90d 100644
>> --- a/policy/modules/services/hadoop.if
>> +++ b/policy/modules/services/hadoop.if
>> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
>> # Shared hadoop_$1 policy.
>> #
>>
>> - allow hadoop_$1_t self:process execmem;
>> + allow hadoop_$1_t self:capability { chown kill setgid setuid };
>> + allow hadoop_$1_t self:key search;
>> + allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
>> allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
>> allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
>> + allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
>> allow hadoop_$1_t self:udp_socket create_socket_perms;
>> dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>>
>> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>> files_search_var_lib(hadoop_$1_t)
>>
>> - allow hadoop_$1_t hadoop_var_run_t:dir getattr;
>> - files_search_pids(hadoop_$1_t)
>> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
>> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
>> + files_search_pids(hadoop_$1_t)
>>
>> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>>
>> files_read_etc_files(hadoop_$1_t)
>>
>> + init_read_utmp(hadoop_$1_t)
>> + init_use_fds(hadoop_$1_t)
>> + init_use_script_fds(hadoop_$1_t)
>> + init_use_script_ptys(hadoop_$1_t)
>> +
>> + kerberos_use(hadoop_$1_t)
>
> Does hadoop depend on kerberos? If no then kerberos_use should probably
> be optional.
>

The new version of hadoop added Kerberos for authentication.

>> + kernel_read_kernel_sysctls(hadoop_$1_t)
>> + kernel_read_sysctl(hadoop_$1_t)
>> +
>> + logging_send_audit_msgs(hadoop_$1_t)
>> + logging_send_syslog_msg(hadoop_$1_t)
>> +
>> miscfiles_read_localization(hadoop_$1_t)
>>
>> + su_exec(hadoop_$1_t)
>
> Does hadoop depend on su? If not then su_exec should probably be optional.
>
> (btw would sudo work?)
>

The hadoop developers have been adding more security to the software stack. From what
I can tell, the services start out as root and then execute su to drop privileges.


>> sysnet_read_config(hadoop_$1_t)
>>
>> hadoop_exec_config(hadoop_$1_t)
>>
>> java_exec(hadoop_$1_t)
>>
>> + auth_domtrans_chkpwd(hadoop_$1_t)
>> +
>> optional_policy(`
>> nscd_socket_use(hadoop_$1_t)
>> ')
>> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
>> consoletype_exec(hadoop_$1_initrc_t)
>>
>> fs_getattr_xattr_fs(hadoop_$1_initrc_t)
>> + fs_search_cgroup_dirs(hadoop_$1_initrc_t)
>>
>> term_use_generic_ptys(hadoop_$1_initrc_t)
>>
>> hadoop_exec_config(hadoop_$1_initrc_t)
>>
>> init_rw_utmp(hadoop_$1_initrc_t)
>> + init_use_fds(hadoop_$1_initrc_t)
>> init_use_script_ptys(hadoop_$1_initrc_t)
>>
>> logging_send_syslog_msg(hadoop_$1_initrc_t)
>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
>> index 35a8131..b103f89 100644
>> --- a/policy/modules/services/hadoop.te
>> +++ b/policy/modules/services/hadoop.te
>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
>> dev_read_rand(hadoop_t)
>> dev_read_sysfs(hadoop_t)
>> dev_read_urand(hadoop_t)
>> +domain_use_interactive_fds(hadoop_t)
>>
>> files_dontaudit_search_spool(hadoop_t)
>> +files_read_etc_files(hadoop_t)
>> files_read_usr_files(hadoop_t)
>> +files_search_var_lib(hadoop_t)
>>
>> fs_getattr_xattr_fs(hadoop_t)
>>
>> +kerberos_use(hadoop_t)
>> +
>> miscfiles_read_localization(hadoop_t)
>>
>> +sysnet_read_config(hadoop_t)
>> +
>> userdom_dontaudit_search_user_home_dirs(hadoop_t)
>> +userdom_list_user_home_content(hadoop_t)
>> +userdom_manage_user_home_content_files(hadoop_t)
>> userdom_use_user_terminals(hadoop_t)
>>
>> java_exec(hadoop_t)
>> @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
>> corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>>
>> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
>> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
>> filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>>
>> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
>> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
>> +
>> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>>
>> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>> @@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
>> dev_read_rand(zookeeper_t)
>> dev_read_sysfs(zookeeper_t)
>> dev_read_urand(zookeeper_t)
>> +domain_use_interactive_fds(zookeeper_t)
>>
>> files_read_etc_files(zookeeper_t)
>> files_read_usr_files(zookeeper_t)
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.16 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk0DPfYACgkQMlxVo39jgT/FRQCaAnmATWIf2/KsG5GZylufw5La
> 8KQAn3/XDpXh/FN61oWR3WAmTW7wzIsH
> =qPch
> -----END PGP SIGNATURE-----
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>

2010-12-15 20:17:15

by cpebenito

Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3

On 12/13/10 10:39, Paul Nuzzi wrote:
> On 12/11/2010 04:01 AM, Dominick Grift wrote:
> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>>> Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
>>>> Fixed a bug where policy was preventing exporting files from the
>>>> distributed file system to the user's home directory.
>>>>
>>>> Signed-off-by: Paul Nuzzi <[email protected]>
>>>>
>>>> ---
>>>>
>>>> policy/modules/roles/unprivuser.te | 4 ++++
>>>> policy/modules/services/hadoop.fc | 14 +++++++++-----
>>>> policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++---
>>>> policy/modules/services/hadoop.te | 14 ++++++++++++++
>>>> 4 files changed, 51 insertions(+), 8 deletions(-)

>>>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>>>> index 9e9bfe7..d1ff90d 100644
>>>> --- a/policy/modules/services/hadoop.if

>>>> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>>>> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>>>> files_search_var_lib(hadoop_$1_t)
>>>>
>>>> - allow hadoop_$1_t hadoop_var_run_t:dir getattr;
>>>> - files_search_pids(hadoop_$1_t)
>>>> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
>>>> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
>>>> + files_search_pids(hadoop_$1_t)
>>>>
>>>> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>>>> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
>>>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>>>>
>>>> files_read_etc_files(hadoop_$1_t)
>>>>
>>>> + init_read_utmp(hadoop_$1_t)
>>>> + init_use_fds(hadoop_$1_t)
>>>> + init_use_script_fds(hadoop_$1_t)
>>>> + init_use_script_ptys(hadoop_$1_t)
>>>> +
>>>> + kerberos_use(hadoop_$1_t)
>
> Does hadoop depend on kerberos? If no then kerberos_use should probably
> be optional.
>
>
>> The new version of hadoop added Kerberos for authentication.

So, to be explicit, its an unconditional requirement?

>>>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
>>>> index 35a8131..b103f89 100644
>>>> --- a/policy/modules/services/hadoop.te
>>>> +++ b/policy/modules/services/hadoop.te
>>>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
>>>> dev_read_rand(hadoop_t)
>>>> dev_read_sysfs(hadoop_t)
>>>> dev_read_urand(hadoop_t)
>>>> +domain_use_interactive_fds(hadoop_t)
>>>>
>>>> files_dontaudit_search_spool(hadoop_t)
>>>> +files_read_etc_files(hadoop_t)
>>>> files_read_usr_files(hadoop_t)
>>>> +files_search_var_lib(hadoop_t)
>>>>
>>>> fs_getattr_xattr_fs(hadoop_t)
>>>>
>>>> +kerberos_use(hadoop_t)
>>>> +
>>>> miscfiles_read_localization(hadoop_t)
>>>>
>>>> +sysnet_read_config(hadoop_t)
>>>> +
>>>> userdom_dontaudit_search_user_home_dirs(hadoop_t)
>>>> +userdom_list_user_home_content(hadoop_t)
>>>> +userdom_manage_user_home_content_files(hadoop_t)

It seems like there should be a hadoop_home_t that is
userdom_user_home_content()


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2010-12-16 17:33:07

by Paul Nuzzi

[permalink] [raw]
Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3

On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote:
> On 12/13/10 10:39, Paul Nuzzi wrote:
>> On 12/11/2010 04:01 AM, Dominick Grift wrote:
>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>
>> Does hadoop depend on kerberos? If no then kerberos_use should probably
>> be optional.
>>
>>
>>> The new version of hadoop added Kerberos for authentication.
>
> So, to be explicit, its an unconditional requirement?

Yes. I think all future versions of hadoop will be kerberos enabled.

> It seems like there should be a hadoop_home_t that is
> userdom_user_home_content()

Updated.


Signed-off-by: Paul Nuzzi <[email protected]>

---
policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/services/hadoop.fc | 14 +++++++++-----
policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++---
policy/modules/services/hadoop.te | 24 +++++++++++++++++++++++-
4 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 606a257..7a48dad 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
')

optional_policy(`
+ hadoop_role(user_r, user_t)
+ ')
+
+ optional_policy(`
irc_role(user_r, user_t)
')

diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
index 3035be2..00a877d 100644
--- a/policy/modules/services/hadoop.fc
+++ b/policy/modules/services/hadoop.fc
@@ -1,10 +1,10 @@
/etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)

-/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
-/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
/etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)

/etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
@@ -24,10 +24,14 @@

/var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
/var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
/var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)

/var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
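Review bot: The lock-file entry `/var/lock/subsys/hadoop-datanode` that closes this hunk still matches only the bare daemon name, while the init-script entries earlier in the file were widened to `hadoop-(.*-)?datanode`. If a CDH3 init script touches a subsys lock named after itself (with the same version infix), that file falls back to the generic lock label and the daemon-specific `hadoop_datanode_lock_t` rules never apply. In that case the same widening belongs here, e.g. `/var/lock/subsys/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)`, and likewise for the other four daemons. Whether the new scripts really use a versioned lock name is not visible in this patch and should be confirmed on a CDH3 host.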
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 9e9bfe7..d07e172 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
# Shared hadoop_$1 policy.
#

- allow hadoop_$1_t self:process execmem;
+ allow hadoop_$1_t self:capability { chown kill setgid setuid };
+ allow hadoop_$1_t self:key search;
+ allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+ allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
allow hadoop_$1_t self:udp_socket create_socket_perms;
dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;

@@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
files_search_var_lib(hadoop_$1_t)

- allow hadoop_$1_t hadoop_var_run_t:dir getattr;
- files_search_pids(hadoop_$1_t)
+ manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+ filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+ files_search_pids(hadoop_$1_t)

allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
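Review bot: `manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)` gives the daemon full write and unlink over the pid file whose type marks it as the init script's, where before the daemon only had `getattr` on the directory. If the stop action of `hadoop_$1_initrc_t` reads that pid and signals it, a compromised daemon can steer the root-privileged kill at an arbitrary process, so either the init script needs to validate the pid before signalling it or the daemon should get only what it needs (`create write` via the `filetrans_pattern` rather than `manage`). Which side writes the pid in CDH3 is not visible here; a one-line comment such as `# CDH3: the daemon writes its own pid file; the init script only reads it` would let the next reviewer check the rule against the scripts.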
@@ -102,14 +106,29 @@ template(`hadoop_domain_template',`

files_read_etc_files(hadoop_$1_t)

+ init_read_utmp(hadoop_$1_t)
+ init_use_fds(hadoop_$1_t)
+ init_use_script_fds(hadoop_$1_t)
+ init_use_script_ptys(hadoop_$1_t)
+
+ kerberos_use(hadoop_$1_t)
+ kernel_read_kernel_sysctls(hadoop_$1_t)
+ kernel_read_sysctl(hadoop_$1_t)
+
+ logging_send_audit_msgs(hadoop_$1_t)
+ logging_send_syslog_msg(hadoop_$1_t)
+
miscfiles_read_localization(hadoop_$1_t)

+ su_exec(hadoop_$1_t)
sysnet_read_config(hadoop_$1_t)

hadoop_exec_config(hadoop_$1_t)

java_exec(hadoop_$1_t)

+ auth_domtrans_chkpwd(hadoop_$1_t)
+
optional_policy(`
nscd_socket_use(hadoop_$1_t)
')
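Review bot: `su_exec(hadoop_$1_t)` runs su without a domain transition, so su executes inside the daemon's own domain with the setuid/setgid capabilities the template now grants, and `auth_domtrans_chkpwd(hadoop_$1_t)` additionally lets that domain drive password checks; both are in the shared template and therefore apply to every hadoop daemon. If only the tasktracker spawns processes as other users, these two rules belong in the tasktracker block of hadoop.te, not here. Either way they deserve a comment naming the binary and operation that needs them, e.g. `# tasktracker launches tasks as the job submitter via su (CDH3 secure mode) -- TODO confirm`. The template body continues past this hunk.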
@@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
consoletype_exec(hadoop_$1_initrc_t)

fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+ fs_search_cgroup_dirs(hadoop_$1_initrc_t)

term_use_generic_ptys(hadoop_$1_initrc_t)

hadoop_exec_config(hadoop_$1_initrc_t)

init_rw_utmp(hadoop_$1_initrc_t)
+ init_use_fds(hadoop_$1_initrc_t)
init_use_script_ptys(hadoop_$1_initrc_t)

logging_send_syslog_msg(hadoop_$1_initrc_t)
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 35a8131..ddf9ef7 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -15,6 +15,11 @@ ubac_constrained(hadoop_t)
type hadoop_etc_t;
files_config_file(hadoop_etc_t)

+type hadoop_home_t;
+typealias hadoop_home_t alias { user_hadoop_home_t staff_hadoop_home_t sysadm_hadoop_home_t };
+typealias hadoop_home_t alias { auditadm_hadoop_home_t secadm_hadoop_home_t };
+userdom_user_home_content(hadoop_home_t)
+
type hadoop_log_t;
logging_log_file(hadoop_log_t)

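Review bot: The two `typealias hadoop_home_t alias { user_hadoop_home_t ... }` lines add role-prefixed aliases for a type that is introduced in this very patch, so there is no previously labeled content for them to stay compatible with; unless an earlier out-of-tree hadoop module shipped those names, they are dead declarations and the hunk should reduce to `type hadoop_home_t;` followed by `userdom_user_home_content(hadoop_home_t)`. If they are kept on purpose for a downstream module, a comment such as `# aliases kept for compatibility with the pre-CDH3 per-role types` would stop a later cleanup from removing them.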
@@ -133,15 +138,27 @@ corenet_tcp_connect_generic_port(hadoop_t)
dev_read_rand(hadoop_t)
dev_read_sysfs(hadoop_t)
dev_read_urand(hadoop_t)
+domain_use_interactive_fds(hadoop_t)

files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
files_read_usr_files(hadoop_t)
+files_search_var_lib(hadoop_t)

fs_getattr_xattr_fs(hadoop_t)

+kerberos_use(hadoop_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+userdom_search_user_home_dirs(hadoop_t)
+userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
+
miscfiles_read_localization(hadoop_t)

-userdom_dontaudit_search_user_home_dirs(hadoop_t)
+sysnet_read_config(hadoop_t)
+
userdom_use_user_terminals(hadoop_t)

java_exec(hadoop_t)
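Review bot: `manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)` is granted, but the matching `userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })` only relabels new files and directories, so a symlink hadoop_t creates in a home directory would inherit the parent's generic home label, for which hadoop_t has no create rule, and the operation would be denied. Either add the class, `userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir lnk_file })`, or drop the lnk_file manage rule if the client never creates symlinks. It is also worth a comment that this unnamed transition labels everything the client writes into a user's home as hadoop_home_t, so files exported from HDFS will not be plain user home content, e.g. `# anything hadoop writes into $HOME (e.g. hdfs -get) is labeled hadoop_home_t`.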
@@ -215,8 +232,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
corenet_tcp_connect_zope_port(hadoop_tasktracker_t)

manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)

+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)

fs_getattr_xattr_fs(hadoop_tasktracker_t)
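Review bot: `setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)` lets the tasktracker change the mode and ownership of the shared top-level log directory used by every hadoop daemon, and together with the chown capability added to the template it can hand that directory to another uid. The existing `filetrans_pattern` into `hadoop_tasktracker_log_t` already covers creating its own subdirectory, so if the denial behind this was a chmod on that subdirectory the setattr belongs on `hadoop_tasktracker_log_t` (already implied by the `manage_dirs_pattern` above) rather than on `hadoop_log_t`. If the tasktracker really does chmod the parent, a why-comment would justify the wider rule, e.g. `# CDH3 tasktracker chmods the shared log dir on startup -- TODO confirm`.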
@@ -275,6 +296,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
dev_read_rand(zookeeper_t)
dev_read_sysfs(zookeeper_t)
dev_read_urand(zookeeper_t)
+domain_use_interactive_fds(zookeeper_t)

files_read_etc_files(zookeeper_t)
files_read_usr_files(zookeeper_t)

2011-01-05 15:23:51

by cpebenito

Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3

On 12/16/10 12:33, Paul Nuzzi wrote:
> On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote:
>> On 12/13/10 10:39, Paul Nuzzi wrote:
>>> On 12/11/2010 04:01 AM, Dominick Grift wrote:
>>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>>
>>> Does hadoop depend on kerberos? If no then kerberos_use should probably
>>> be optional.
>>>
>>>
>>>> The new version of hadoop added Kerberos for authentication.
>>
>> So, to be explicit, its an unconditional requirement?
>
> Yes. I think all future versions of hadoop will be kerberos enabled.
>
>> It seems like there should be a hadoop_home_t that is
>> userdom_user_home_content()
>
> Updated.

Merged. I did some rule rearranging and whitespace cleanup.

> Signed-off-by: Paul Nuzzi <[email protected]>
>
> ---
> policy/modules/roles/unprivuser.te | 4 ++++
> policy/modules/services/hadoop.fc | 14 +++++++++-----
> policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++---
> policy/modules/services/hadoop.te | 24 +++++++++++++++++++++++-
> 4 files changed, 60 insertions(+), 9 deletions(-)
>
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 606a257..7a48dad 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + hadoop_role(user_r, user_t)
> + ')
> +
> + optional_policy(`
> irc_role(user_r, user_t)
> ')
>
> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
> index 3035be2..00a877d 100644
> --- a/policy/modules/services/hadoop.fc
> +++ b/policy/modules/services/hadoop.fc
> @@ -1,10 +1,10 @@
> /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
>
> -/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>
> /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> @@ -24,10 +24,14 @@
>
> /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>
> /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index 9e9bfe7..d07e172 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
> # Shared hadoop_$1 policy.
> #
>
> - allow hadoop_$1_t self:process execmem;
> + allow hadoop_$1_t self:capability { chown kill setgid setuid };
> + allow hadoop_$1_t self:key search;
> + allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
> allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
> allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
> + allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
> allow hadoop_$1_t self:udp_socket create_socket_perms;
> dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>
> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
> files_search_var_lib(hadoop_$1_t)
>
> - allow hadoop_$1_t hadoop_var_run_t:dir getattr;
> - files_search_pids(hadoop_$1_t)
> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
> + files_search_pids(hadoop_$1_t)
>
> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>
> files_read_etc_files(hadoop_$1_t)
>
> + init_read_utmp(hadoop_$1_t)
> + init_use_fds(hadoop_$1_t)
> + init_use_script_fds(hadoop_$1_t)
> + init_use_script_ptys(hadoop_$1_t)
> +
> + kerberos_use(hadoop_$1_t)
> + kernel_read_kernel_sysctls(hadoop_$1_t)
> + kernel_read_sysctl(hadoop_$1_t)
> +
> + logging_send_audit_msgs(hadoop_$1_t)
> + logging_send_syslog_msg(hadoop_$1_t)
> +
> miscfiles_read_localization(hadoop_$1_t)
>
> + su_exec(hadoop_$1_t)
> sysnet_read_config(hadoop_$1_t)
>
> hadoop_exec_config(hadoop_$1_t)
>
> java_exec(hadoop_$1_t)
>
> + auth_domtrans_chkpwd(hadoop_$1_t)
> +
> optional_policy(`
> nscd_socket_use(hadoop_$1_t)
> ')
> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
> consoletype_exec(hadoop_$1_initrc_t)
>
> fs_getattr_xattr_fs(hadoop_$1_initrc_t)
> + fs_search_cgroup_dirs(hadoop_$1_initrc_t)
>
> term_use_generic_ptys(hadoop_$1_initrc_t)
>
> hadoop_exec_config(hadoop_$1_initrc_t)
>
> init_rw_utmp(hadoop_$1_initrc_t)
> + init_use_fds(hadoop_$1_initrc_t)
> init_use_script_ptys(hadoop_$1_initrc_t)
>
> logging_send_syslog_msg(hadoop_$1_initrc_t)
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 35a8131..ddf9ef7 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -15,6 +15,11 @@ ubac_constrained(hadoop_t)
> type hadoop_etc_t;
> files_config_file(hadoop_etc_t)
>
> +type hadoop_home_t;
> +typealias hadoop_home_t alias { user_hadoop_home_t staff_hadoop_home_t sysadm_hadoop_home_t };
> +typealias hadoop_home_t alias { auditadm_hadoop_home_t secadm_hadoop_home_t };
> +userdom_user_home_content(hadoop_home_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
>
> @@ -133,15 +138,27 @@ corenet_tcp_connect_generic_port(hadoop_t)
> dev_read_rand(hadoop_t)
> dev_read_sysfs(hadoop_t)
> dev_read_urand(hadoop_t)
> +domain_use_interactive_fds(hadoop_t)
>
> files_dontaudit_search_spool(hadoop_t)
> +files_read_etc_files(hadoop_t)
> files_read_usr_files(hadoop_t)
> +files_search_var_lib(hadoop_t)
>
> fs_getattr_xattr_fs(hadoop_t)
>
> +kerberos_use(hadoop_t)
> +
> +manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +userdom_search_user_home_dirs(hadoop_t)
> +userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
> +
> miscfiles_read_localization(hadoop_t)
>
> -userdom_dontaudit_search_user_home_dirs(hadoop_t)
> +sysnet_read_config(hadoop_t)
> +
> userdom_use_user_terminals(hadoop_t)
>
> java_exec(hadoop_t)
> @@ -215,8 +232,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
> corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>
> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
> filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>
> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
> +
> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
> @@ -275,6 +296,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
> dev_read_rand(zookeeper_t)
> dev_read_sysfs(zookeeper_t)
> dev_read_urand(zookeeper_t)
> +domain_use_interactive_fds(zookeeper_t)
>
> files_read_etc_files(zookeeper_t)
> files_read_usr_files(zookeeper_t)


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com