From: domg472@gmail.com (Dominick Grift)
Date: Fri, 10 Sep 2010 22:25:31 +0200
Subject: [refpolicy] [patch] hadoop
In-Reply-To: <4C8A8D5B.7050307@tycho.ncsc.mil>
References: <4C8926CD.5080401@tycho.ncsc.mil> <4C8A8D5B.7050307@tycho.ncsc.mil>
Message-ID: <20100910202530.GA8852@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Sep 10, 2010 at 03:56:11PM -0400, Paul Nuzzi wrote:
> Dominick Grif wrote:
>
> > Was this policy developed on and for the EL5 system? I am wondering why
> > unconfined_t is in the mix here. Remember that strict and mls policy do
> > not ship with the unconfined domain, and that in recent refpolicy, the
> > interaction with the unconfined domain should be optional, so that it
> > can be de-installed.
>
> This policy was developed on a Fedora machine. I can see where problems
> would happen with unconfined_t. I wrapped them with an optional_policy block
> so it can be run under strict or mls.
>
> > I am wondering why it is unconfined_t that is domain transitioning to
> > the rc script domains and not init. I guess the transition from
> > unconfined_t to initrc_t is not happening automatically. In that case i
> > would use the run_init command to domain transition to initrc first and
> > then let that domain transition to your rc script domain, probably using
> > the init_script_domain() interface.
>
> The unconfined_t is domain transitioning to the script domain so admins
> can restart the daemon. I don't think run_init would help because we don't
> want to transition into init_t. The policy is a little different because we have
> one executable for multiple domains. We had to create a pseudo-init domain
> like hadoop_datanode_initrc_t so init_daemon_domain(hadoop_datanode_initrc_t,
> hadoop_datanode_initrc_exec_t) could be used.
I think I know what you mean, but I also believe what you want can be
accomplished with for example:

init_script_domain(hadoop_datanode_initrc_t)

I must admit that I never tried it though.

But anyhow, wrapping the unconfined policy calls into an optional block does
not solve the problem. Even though the policy may build, it is still not
usable since nothing else can transition to the domains if the unconfined
domain is gone.

unconfined_t -+-> initrc_t -+-> hadoop_domain1_initrc_t --> hadoop_domain1_t
sysadm_t -----/             \-> hadoop_domain2_initrc_t --> hadoop_domain2_t
                            \-> hadoop_domain3_initrc_t --> hadoop_domain3_t

This issue should be solved (if possible) first in my opinion.

> I changed the patch based on your feedback. Any input is appreciated.
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
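The transition chain sketched above, written out as a refpolicy module excerpt. This is an added illustration, not the hadoop policy under review in this thread and not Paul Nuzzi's or refpolicy's code. It assumes the layout the thread describes (one init script per daemon, every script running the same hadoop binary, and a per-daemon rc-script domain choosing the daemon domain); the type names hadoop_exec_t, the namenode types and the module name are assumptions, and the unconfined_domtrans_to() call at the end is only there to show where an unconfined interaction would belong.

```selinux
# Hypothetical hadoop.te excerpt, for illustration only: NOT the policy
# posted in this thread.  One init script per daemon, each with its own
# rc-script domain; all scripts exec the same binary (hadoop_exec_t,
# assumed name), and the rc-script domain selects the daemon domain.
policy_module(hadoop_example, 0.0.1)

# Shared daemon executable (assumed type name).
type hadoop_exec_t;
corecmd_executable_file(hadoop_exec_t)

#
# datanode
#
type hadoop_datanode_initrc_t;
type hadoop_datanode_initrc_exec_t;
# initrc_t --> hadoop_datanode_initrc_t when initrc_t execs the datanode
# init script.  This is what makes the rc-script domain reachable from
# init, and from run_init (sysadm_t --> initrc_t), with no rule that
# mentions unconfined_t at all.
init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)

type hadoop_datanode_t;
domain_type(hadoop_datanode_t)
domain_entry_file(hadoop_datanode_t, hadoop_exec_t)
role system_r types hadoop_datanode_t;
# hadoop_datanode_initrc_t --> hadoop_datanode_t on exec of hadoop_exec_t.
domtrans_pattern(hadoop_datanode_initrc_t, hadoop_exec_t, hadoop_datanode_t)

#
# namenode: same shape, different rc-script and daemon domain, same binary
# (assumed second daemon; the pattern repeats per daemon)
#
type hadoop_namenode_initrc_t;
type hadoop_namenode_initrc_exec_t;
init_script_domain(hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)

type hadoop_namenode_t;
domain_type(hadoop_namenode_t)
domain_entry_file(hadoop_namenode_t, hadoop_exec_t)
role system_r types hadoop_namenode_t;
domtrans_pattern(hadoop_namenode_initrc_t, hadoop_exec_t, hadoop_namenode_t)

#
# Any unconfined interaction stays optional, so the module builds and is
# still usable on strict/mls, where unconfined_t does not exist.  Nothing
# above depends on this block; it only adds a direct shortcut.
#
optional_policy(`
	unconfined_domtrans_to(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
	unconfined_domtrans_to(hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
')
```

The matching .fc entries label each script with its own entrypoint type, for example /etc/rc\.d/init\.d/hadoop-datanode with hadoop_datanode_initrc_exec_t and /etc/rc\.d/init\.d/hadoop-namenode with hadoop_namenode_initrc_exec_t (assumed paths), while the shared binary gets hadoop_exec_t. To check that the chain exists without the unconfined domain loaded, query the compiled policy for the two transitions, e.g. `sesearch -T -s initrc_t -t hadoop_datanode_initrc_exec_t -c process` and `sesearch -T -s hadoop_datanode_initrc_t -t hadoop_exec_t -c process`; both should return a type_transition rule, and neither should need unconfined_t as source.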