From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Fri, 10 Sep 2010 15:56:11 -0400
Subject: [refpolicy] [patch] hadoop
In-Reply-To: <4C8926CD.5080401@tycho.ncsc.mil>
References: <4C8926CD.5080401@tycho.ncsc.mil>
Message-ID: <4C8A8D5B.7050307@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Dominick Grift wrote:
> Was this policy developed on and for the EL5 system? I am wondering why
> unconfined_t is in the mix here. Remember that strict and mls policy do
> not ship with the unconfined domain, and that in recent refpolicy, the
> interaction with the unconfined domain should be optional, so that it
> can be de-installed.

This policy was developed on a Fedora machine. I can see where problems would happen with unconfined_t. I wrapped them with an optional_policy block so it can be run under strict or mls.

> I am wondering why it is unconfined_t that is domain transitioning to
> the rc script domains and not init. I guess the transition from
> unconfined_t to initrc_t is not happening automatically. In that case I
> would use the run_init command to domain transition to initrc first and
> then let that domain transition to your rc script domain, probably using
> the init_script_domain() interface.

The unconfined_t is domain transitioning to the script domain so admins can restart the daemon. I don't think run_init would help because we don't want to transition into init_t. The policy is a little different because we have one executable for multiple domains. We had to create a pseudo-init domain like hadoop_datanode_initrc_t so init_daemon_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) could be used.

I changed the patch based on your feedback. Any input is appreciated.
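The two points discussed in this message, a pseudo-init domain per daemon because one binary serves several domains, and the unconfined_t interaction wrapped in optional_policy so the module still loads on strict/mls, written out as an added refpolicy .te fragment. This is an illustration, not the patch posted to the thread, and the hadoop policy in refpolicy may be laid out differently. The type names hadoop_exec_t, hadoop_namenode_t and the namenode initrc pair are assumed for the example; the interfaces used (init_daemon_domain, domtrans_pattern, domain_entry_file, corecmd_executable_file, unconfined_run_to) are refpolicy interfaces as I recall them from init.if, support macros and unconfined.if, and their exact availability should be checked against the refpolicy version in use.

```m4
policy_module(hadoop_example, 1.0.0)

########################################
#
# Declarations
#

# The single hadoop program binary every daemon is launched through.
# Illustrative type name; the path-to-type mapping belongs in the .fc file.
type hadoop_exec_t;
corecmd_executable_file(hadoop_exec_t)

# Daemon domains (hadoop_namenode_t is an assumed second daemon for illustration).
type hadoop_datanode_t;
type hadoop_namenode_t;
domain_type(hadoop_datanode_t)
domain_type(hadoop_namenode_t)
role system_r types { hadoop_datanode_t hadoop_namenode_t };

# One "pseudo-init" domain per daemon, each with its own init script type.
# init_daemon_domain() lets initrc_t transition into the pseudo-init domain
# through that script type, exactly as it would for an ordinary daemon.
type hadoop_datanode_initrc_t;
type hadoop_datanode_initrc_exec_t;
init_daemon_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)

type hadoop_namenode_initrc_t;
type hadoop_namenode_initrc_exec_t;
init_daemon_domain(hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)

########################################
#
# One shared entrypoint, distinct targets
#

# The same binary (hadoop_exec_t) is an entrypoint for both daemon domains.
# A type_transition is keyed on (source domain, entrypoint type, class), so
# two transitions through the same entrypoint can only coexist if their
# source domains differ. That is why a single initrc_t source cannot fan out
# to several daemon domains, and why each daemon gets its own pseudo-init domain.
domain_entry_file(hadoop_datanode_t, hadoop_exec_t)
domain_entry_file(hadoop_namenode_t, hadoop_exec_t)
domtrans_pattern(hadoop_datanode_initrc_t, hadoop_exec_t, hadoop_datanode_t)
domtrans_pattern(hadoop_namenode_initrc_t, hadoop_exec_t, hadoop_namenode_t)

########################################
#
# Optional unconfined interaction
#

# Let an unconfined admin run an init script directly (e.g. to restart a
# daemon) and land in the matching pseudo-init domain. The block is wrapped
# in optional_policy so the module still builds and loads on strict and mls,
# where the unconfined module (and unconfined_t) is not present.
optional_policy(`
	unconfined_run_to(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
	unconfined_run_to(hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
')
```

The check worth running after building such a module is `sesearch -T -s hadoop_datanode_initrc_t -t hadoop_exec_t -c process` and the same for the namenode pseudo-init domain: each should show exactly one type_transition, to its own daemon domain, and `sesearch -T -s unconfined_t` should show nothing from this module on a strict or mls build where the optional block was dropped.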