From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Mon, 20 Sep 2010 10:36:35 -0400
Subject: [refpolicy] [PATCH] hadoop 2/10 -- hadoop
Message-ID: <4C977173.3020302@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Signed-off-by: Paul Nuzzi
---
 policy/modules/apps/hadoop.fc | 10 +
 policy/modules/apps/hadoop.if | 236 ++++++++++++++++++++++++++++++++++++++++++
 policy/modules/apps/hadoop.te | 93 ++++++++++++++++
 3 files changed, 339 insertions(+)

diff --git a/policy/modules/apps/hadoop.fc b/policy/modules/apps/hadoop.fc
new file mode 100644
index 0000000..aa2012e
--- /dev/null
+++ b/policy/modules/apps/hadoop.fc
@@ -0,0 +1,10 @@
+/usr/lib/hadoop(.*)?/bin/hadoop -- gen_context(system_u:object_r:hadoop_exec_t,s0)
+
+/etc/hadoop(/.*)? gen_context(system_u:object_r:hadoop_etc_t,s0)
+/etc/hadoop-0.20(/.*)? gen_context(system_u:object_r:hadoop_etc_t,s0)
+
+/var/lib/hadoop(.*)? gen_context(system_u:object_r:hadoop_data_t,s0)
+
+/var/log/hadoop(.*)? gen_context(system_u:object_r:hadoop_log_t,s0)
+
+/var/run/hadoop(.*)? gen_context(system_u:object_r:hadoop_run_t,s0)
diff --git a/policy/modules/apps/hadoop.if b/policy/modules/apps/hadoop.if
new file mode 100644
index 0000000..b1513f0
--- /dev/null
+++ b/policy/modules/apps/hadoop.if
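Review bot: The `(.*)?` suffix on `/var/lib/hadoop(.*)?`, `/var/log/hadoop(.*)?` and `/var/run/hadoop(.*)?` has no path separator, so it also labels unrelated siblings such as `/var/log/hadoopfoo` with the hadoop types, unlike the `/etc/hadoop(/.*)?` entry in the same file, which uses the usual refpolicy form. If the intent is to cover version-suffixed directories, as the explicit `/etc/hadoop-0.20(/.*)?` entry suggests, `/var/lib/hadoop(-[^/]+)?(/.*)?` (and likewise for log and run) expresses that without widening the match. The same consideration applies to `/usr/lib/hadoop(.*)?/bin/hadoop`, which currently matches any depth below /usr/lib/hadoop*.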
@@ -0,0 +1,236 @@
+## Hadoop client
+
+########################################
+##
+## Create a domain that can transition with hadoop_exec_t
+##
+##
+##
+## Initial domain
+##
+##
+##
+##
+## Domain to transfer to with hadoop_exec_t
+##
+##
+#
+interface(`hadoop_runas', `
+ gen_require(`
+ type hadoop_exec_t;
+ ')
+
+ domtrans_pattern($1, hadoop_exec_t, $2)
+ domain_entry_file($2, hadoop_exec_t)
+')
+
+########################################
+##
+## Give permission to a domain to access hadoop_etc_t
+##
+##
+##
+## Domain needing read and execute permission
+##
+##
+#
+interface(`hadoop_rx_etc', `
+ gen_require(`
+ type hadoop_etc_t;
+ ')
+
+ allow $1 hadoop_etc_t:dir search_dir_perms;
+ allow $1 hadoop_etc_t:lnk_file { read getattr };
+ allow $1 hadoop_etc_t:file { read_file_perms execute execute_no_trans};
+')
+
+########################################
+##
+## Transition from hadoop_log_t to desired log file type
+##
+##
+##
+## Domain that transfers file domains
+##
+##
+##
+##
+## Log file type
+##
+##
+#
+interface(`hadoop_transition_log_file', `
+ gen_require(`
+ type hadoop_log_t;
+ ')
+
+ type_transition $1 hadoop_log_t:{ dir file } $2;
+')
+
+########################################
+##
+## Transition from hadoop_tmp_t to desired log file type
+##
+##
+##
+## Domain that transfers file domains
+##
+##
+##
+##
+## Log file type
+##
+##
+#
+interface(`hadoop_transition_tmp_file', `
+ gen_require(`
+ type hadoop_tmp_t;
+ ')
+
+ type_transition $1 hadoop_tmp_t:file $2;
+')
+
+########################################
+##
+## Transition from hadoop_run_t to desired log file type
+##
+##
+##
+## Domain that transfers file domains
+##
+##
+##
+##
+## Run file type
+##
+##
+#
+interface(`hadoop_transition_run_file', `
+ gen_require(`
+ type hadoop_run_t;
+ ')
+
+ type_transition $1 hadoop_run_t:file $2;
+')
+
+########################################
+##
+## Transition from hadoop_data_t to desired data file type
+##
+##
+##
+## Domain that transfers file domains
+##
+##
+##
+##
+## Run file type
+##
+##
+#
+interface(`hadoop_transition_data_file', `
+ gen_require(`
+ type hadoop_data_t;
+ ')
+
+ type_transition $1 hadoop_data_t:{ dir file } $2;
+')
+
+########################################
+##
+## Give permission to a domain to access hadoop_data_t
+##
+##
+##
+## Domain needing permission
+##
+##
+#
+interface(`hadoop_manage_data_dir', `
+ gen_require(`
+ type hadoop_data_t;
+ ')
+
+ manage_dirs_pattern($1, hadoop_data_t, hadoop_data_t)
+')
+
+########################################
+##
+## Give permission to a domain to access hadoop_log_t
+##
+##
+##
+## Domain needing permission
+##
+##
+#
+interface(`hadoop_manage_log_dir', `
+ gen_require(`
+ type hadoop_log_t;
+ ')
+
+ manage_dirs_pattern($1, hadoop_log_t, hadoop_log_t)
+')
+
+########################################
+##
+## Give permission to a domain to manage hadoop_run_t
+##
+##
+##
+## Domain needing permission
+##
+##
+#
+interface(`hadoop_manage_run', `
+ gen_require(`
+ type hadoop_run_t;
+ ')
+
+ manage_dirs_pattern($1, hadoop_run_t, hadoop_run_t)
+ manage_files_pattern($1, hadoop_run_t, hadoop_run_t)
+')
+
+########################################
+##
+## Give permission to a domain to getattr hadoop_run_t
+##
+##
+##
+## Domain needing permission
+##
+##
+#
+interface(`hadoop_getattr_run_dir', `
+ gen_require(`
+ type hadoop_run_t;
+ ')
+
+ allow $1 hadoop_run_t:dir getattr;
+')
+
+########################################
+##
+## Role access for hadoop
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`hadoop_role',`
+ gen_require(`
+ type hadoop_exec_t;
+ type hadoop_t;
+ ')
+
+ role $1 types hadoop_t;
+ allow $2 hadoop_exec_t:file { execute execute_no_trans };
+ domtrans_pattern($2, hadoop_exec_t, hadoop_t)
+')
diff --git a/policy/modules/apps/hadoop.te b/policy/modules/apps/hadoop.te
new file mode 100644
index 0000000..85d1690
--- /dev/null
+++ b/policy/modules/apps/hadoop.te
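Review bot: `hadoop_role` grants `allow $2 hadoop_exec_t:file { execute execute_no_trans };` immediately before `domtrans_pattern($2, hadoop_exec_t, hadoop_t)`; `execute_no_trans` lets the user domain run the hadoop binary in its own context, so whenever the automatic transition does not apply the client escapes hadoop_t entirely, and `domtrans_pattern` already supplies the `execute` permission, so that `allow` line should be dropped. The same pairing in `hadoop_rx_etc` (`read_file_perms execute execute_no_trans` on `hadoop_etc_t`) turns configuration under /etc into code executable in every caller's domain; if that is intended (presumably for a sourced shell config), a comment saying so and restricting it to the domains that need it would help. The parameter summaries of `hadoop_transition_tmp_file` and `hadoop_transition_run_file` still say "desired log file type" and `hadoop_transition_data_file` documents its second argument as "Run file type", all copy-paste leftovers that should name the tmp, run and data types. Note also that the summary/param XML tags appear to have been lost in transit here; the committed file presumably still has them.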
@@ -0,0 +1,93 @@
+policy_module(hadoop,1.0.0)
+
+type hadoop_t;
+domain_type(hadoop_t)
+
+type hadoop_exec_t;
+files_type(hadoop_exec_t)
+allow hadoop_t hadoop_exec_t:file { read_file_perms entrypoint execute execute_no_trans };
+allow hadoop_t hadoop_exec_t:lnk_file { read };
+optional_policy(`
+ unconfined_run_to(hadoop_t, hadoop_exec_t)
+')
+
+type hadoop_etc_t;
+files_type(hadoop_etc_t)
+
+type hadoop_data_t;
+files_type(hadoop_data_t)
+manage_files_pattern(hadoop_t, hadoop_data_t, hadoop_data_t)
+hadoop_manage_data_dir(hadoop_t)
+
+type hadoop_log_t;
+files_type(hadoop_log_t)
+
+type hadoop_run_t;
+files_type(hadoop_run_t)
+
+type hadoop_tmp_t;
+files_tmp_file(hadoop_tmp_t)
+allow hadoop_t hadoop_tmp_t:dir manage_dir_perms;
+allow hadoop_t hadoop_tmp_t:file manage_file_perms;
+
+libs_use_ld_so(hadoop_t)
+libs_use_shared_libs(hadoop_t)
+corecmd_exec_bin(hadoop_t)
+corecmd_exec_shell(hadoop_t)
+miscfiles_read_localization(hadoop_t)
+dev_read_urand(hadoop_t)
+kernel_read_network_state(hadoop_t)
+kernel_read_system_state(hadoop_t)
+files_read_etc_files(hadoop_t)
+files_manage_generic_tmp_files(hadoop_t)
+files_manage_generic_tmp_dirs(hadoop_t)
+fs_getattr_xattr_fs(hadoop_t)
+allow hadoop_t self:process { execmem getsched setsched signal setrlimit };
+allow hadoop_t self:fifo_file { read write getattr ioctl };
+allow hadoop_t self:capability sys_resource;
+allow hadoop_t self:key write;
+nis_use_ypbind(hadoop_t)
+nscd_socket_use(hadoop_t)
+corenet_tcp_connect_portmap_port(hadoop_t)
+userdom_dontaudit_search_user_home_dirs(hadoop_t)
+files_dontaudit_search_spool(hadoop_t)
+java_exec(hadoop_t)
+hadoop_rx_etc(hadoop_t)
+hadoop_manage_log_dir(hadoop_t)
+
+dev_read_rand(hadoop_t)
+dev_read_sysfs(hadoop_t)
+files_read_var_lib_files(hadoop_t)
+hadoop_manage_data_dir(hadoop_t)
+hadoop_getattr_run_dir(hadoop_t)
+dontaudit hadoop_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+allow hadoop_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(hadoop_t)
+corenet_tcp_sendrecv_all_nodes(hadoop_t)
+corenet_all_recvfrom_unlabeled(hadoop_t)
+corenet_tcp_bind_all_nodes(hadoop_t)
+sysnet_read_config(hadoop_t)
+corenet_tcp_sendrecv_all_ports(hadoop_t)
+corenet_tcp_bind_all_ports(hadoop_t)
+corenet_tcp_connect_generic_port(hadoop_t)
+
+allow hadoop_t self:udp_socket create_socket_perms;
+allow hadoop_t self:process signull;
+corenet_udp_sendrecv_generic_if(hadoop_t)
+corenet_udp_sendrecv_all_nodes(hadoop_t)
+corenet_udp_bind_all_nodes(hadoop_t)
+corenet_udp_bind_all_ports(hadoop_t)
+
+files_read_usr_files(hadoop_t)
+files_read_all_files(hadoop_t)
+
+corenet_tcp_connect_zope_port(hadoop_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_t)
+
+hadoop_namenode_signull(hadoop_t)
+hadoop_datanode_signull(hadoop_t)
+hadoop_jobtracker_signull(hadoop_t)
+hadoop_secondarynamenode_signull(hadoop_t)
+hadoop_tasktracker_signull(hadoop_t)
+
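Review bot: `files_read_all_files(hadoop_t)` near the end of the hunk gives the client read access to every type carrying the `file_type` attribute, which in refpolicy includes security files such as `shadow_t` and daemon key material; since `hadoop_role` hands this domain to ordinary user roles and the hadoop CLI copies whatever local paths the user names, that is a read-anything primitive for anyone holding the role. The domain already has `files_read_etc_files`, `files_read_var_lib_files`, `files_read_usr_files` and `hadoop_rx_etc`, so the line should go, or at worst become `files_read_non_security_files(hadoop_t)`. Likewise `corenet_tcp_bind_all_ports`/`corenet_udp_bind_all_ports` let a user-driven client bind reserved and other daemons' ports; `corenet_tcp_bind_generic_port`/`corenet_udp_bind_generic_port` for ephemeral ports plus the specific hadoop port types is the usual shape. Separately, `hadoop_log_t`, `hadoop_run_t` and `hadoop_etc_t` are declared with plain `files_type`, whereas `logging_log_file`, `files_pid_file` and `files_config_file` would give them the attributes logrotate and the generic pid/config interfaces key on. The five `hadoop_*_signull` calls at the bottom are not defined in this patch's hadoop.if, so 2/10 presumably only builds together with a later patch in the series; the cover letter or this description should say so.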