From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Mon, 20 Sep 2010 10:37:35 -0400
Subject: [refpolicy] [PATCH] hadoop 3/10 -- hadoop_namenode
Message-ID: <4C9771AF.1090900@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com


Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>

---
 policy/modules/kernel/corenetwork.te.in    |    1 
 policy/modules/services/hadoop_namenode.fc |    6 +
 policy/modules/services/hadoop_namenode.if |   46 +++++++++++
 policy/modules/services/hadoop_namenode.te |  118 +++++++++++++++++++++++++++++
 4 files changed, 171 insertions(+)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 2ecdde8..549763c 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -105,6 +105,7 @@ network_port(giftd, tcp,1213,s0)
 network_port(git, tcp,9418,s0, udp,9418,s0)
 network_port(gopher, tcp,70,s0, udp,70,s0)
 network_port(gpsd, tcp,2947,s0)
+network_port(hadoop_namenode, tcp, 8020,s0)
 network_port(hddtemp, tcp,7634,s0)
 network_port(howl, tcp,5335,s0, udp,5353,s0)
 network_port(hplip, tcp,1782,s0, tcp,2207,s0, tcp,2208,s0, tcp, 8290,s0, tcp,50000,s0, tcp,50002,s0, tcp,8292,s0, tcp,9100,s0, tcp,9101,s0, tcp,9102,s0, tcp,9220,s0, tcp,9221,s0, tcp,9222,s0, tcp,9280,s0, tcp,9281,s0, tcp,9282,s0, tcp,9290,s0, tcp,9291,s0, tcp,9292,s0)
diff --git a/policy/modules/services/hadoop_namenode.fc b/policy/modules/services/hadoop_namenode.fc
new file mode 100644
index 0000000..e1f9174
--- /dev/null
+++ b/policy/modules/services/hadoop_namenode.fc
@@ -0,0 +1,6 @@
+/etc/rc\.d/init\.d/hadoop-(.*)?-namenode	--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t, s0)
+
+/var/log/hadoop(.*)?/hadoop-hadoop-namenode-(.*)?	gen_context(system_u:object_r:hadoop_namenode_log_t, s0)
+
+/var/lib/hadoop(.*)?/cache/hadoop/dfs/name(/.*)?	gen_context(system_u:object_r:hadoop_namenode_data_t, s0)
+
diff --git a/policy/modules/services/hadoop_namenode.if b/policy/modules/services/hadoop_namenode.if
new file mode 100644
index 0000000..d3fd862
--- /dev/null
+++ b/policy/modules/services/hadoop_namenode.if
@@ -0,0 +1,46 @@
+## <summary>Hadoop Namenode Policy</summary>
+########################################
+## <summary>
+##  Give permission to a domain to signull hadoop_namenode_t
+## </summary>
+## <param name="domain">
+##  <summary>
+##  Domain needing permission
+##  </summary>
+## </param>
+#
+interface(`hadoop_namenode_signull', `
+    gen_require(`
+        type hadoop_namenode_t;
+    ')
+
+    allow $1 hadoop_namenode_t:process { signull };
+')
+
+########################################
+## <summary>
+##      Role access for hadoop_namenode
+## </summary>
+## <param name="role">
+##      <summary>
+##      Role allowed access
+##      </summary>
+## </param>
+## <param name="domain">
+##      <summary>
+##      User domain for the role
+##      </summary>
+## </param>
+#
+interface(`hadoop_namenode_role',`
+        gen_require(`
+                type hadoop_namenode_initrc_t;
+                type hadoop_namenode_initrc_exec_t;
+                type hadoop_namenode_t;
+        ')
+
+        role $1 types { hadoop_namenode_initrc_t hadoop_namenode_t };
+        allow $2 hadoop_namenode_initrc_exec_t:file { execute execute_no_trans };
+        domtrans_pattern($2, hadoop_namenode_initrc_exec_t, hadoop_namenode_initrc_t)
+        allow $2 hadoop_namenode_t:process signal;
+')
diff --git a/policy/modules/services/hadoop_namenode.te b/policy/modules/services/hadoop_namenode.te
new file mode 100644
index 0000000..c4bcbbc
--- /dev/null
+++ b/policy/modules/services/hadoop_namenode.te
@@ -0,0 +1,118 @@
+policy_module(hadoop_namenode,1.0.0)
+
+attribute hadoop_namenode_domain;
+
+type hadoop_namenode_initrc_t;
+domain_type(hadoop_namenode_initrc_t)
+typeattribute hadoop_namenode_initrc_t hadoop_namenode_domain;
+
+type hadoop_namenode_initrc_exec_t;
+files_type(hadoop_namenode_initrc_exec_t)
+
+init_daemon_domain(hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
+allow hadoop_namenode_initrc_t self:capability { setuid setgid sys_tty_config};
+corecmd_exec_all_executables(hadoop_namenode_initrc_t)
+files_manage_generic_locks(hadoop_namenode_initrc_t)
+init_read_utmp(hadoop_namenode_initrc_t)
+init_write_utmp(hadoop_namenode_initrc_t)
+kernel_read_kernel_sysctls(hadoop_namenode_initrc_t)
+kernel_read_sysctl(hadoop_namenode_initrc_t)
+logging_send_syslog_msg(hadoop_namenode_initrc_t)
+logging_send_audit_msgs(hadoop_namenode_initrc_t)
+hadoop_manage_run(hadoop_namenode_initrc_t)
+allow hadoop_namenode_initrc_t hadoop_namenode_t:process { signull signal };
+
+type hadoop_namenode_t;
+typeattribute hadoop_namenode_t hadoop_namenode_domain;
+hadoop_runas(hadoop_namenode_initrc_t, hadoop_namenode_t)
+role system_r types hadoop_namenode_t;
+domain_type(hadoop_namenode_t)
+
+optional_policy(`
+	unconfined_run_to(hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
+	unconfined_roletrans(hadoop_namenode_t)
+')
+
+libs_use_ld_so(hadoop_namenode_domain)
+libs_use_shared_libs(hadoop_namenode_domain)
+miscfiles_read_localization(hadoop_namenode_domain)
+dev_read_urand(hadoop_namenode_domain)
+kernel_read_network_state(hadoop_namenode_domain)
+files_read_etc_files(hadoop_namenode_domain)
+files_read_usr_files(hadoop_namenode_domain)
+kernel_read_system_state(hadoop_namenode_domain)
+nscd_socket_use(hadoop_namenode_domain)
+java_exec(hadoop_namenode_domain)
+hadoop_rx_etc(hadoop_namenode_domain)
+hadoop_manage_log_dir(hadoop_namenode_domain)
+files_manage_generic_tmp_files(hadoop_namenode_domain)
+files_manage_generic_tmp_dirs(hadoop_namenode_domain)
+fs_getattr_xattr_fs(hadoop_namenode_domain)
+allow hadoop_namenode_domain self:process { execmem getsched setsched signal setrlimit };
+allow hadoop_namenode_domain self:fifo_file { read write getattr ioctl };
+allow hadoop_namenode_domain self:capability sys_resource;
+allow hadoop_namenode_domain self:key write;
+nis_use_ypbind(hadoop_namenode_domain)
+corenet_tcp_connect_portmap_port(hadoop_namenode_domain)
+userdom_dontaudit_search_user_home_dirs(hadoop_namenode_domain)
+files_dontaudit_search_spool(hadoop_namenode_domain)
+
+
+type hadoop_namenode_pid_t;
+files_pid_file(hadoop_namenode_pid_t)
+allow hadoop_namenode_domain hadoop_namenode_pid_t:file manage_file_perms;
+allow hadoop_namenode_domain hadoop_namenode_pid_t:dir rw_dir_perms;
+files_pid_filetrans(hadoop_namenode_domain,hadoop_namenode_pid_t,file)
+hadoop_transition_run_file(hadoop_namenode_initrc_t, hadoop_namenode_pid_t)
+
+type hadoop_namenode_log_t;
+logging_log_file(hadoop_namenode_log_t)
+allow hadoop_namenode_domain hadoop_namenode_log_t:file manage_file_perms;
+allow hadoop_namenode_domain hadoop_namenode_log_t:dir { setattr rw_dir_perms };
+logging_log_filetrans(hadoop_namenode_domain,hadoop_namenode_log_t,{file dir})
+hadoop_transition_log_file(hadoop_namenode_t, hadoop_namenode_log_t)
+hadoop_transition_log_file(hadoop_namenode_initrc_t, hadoop_namenode_log_t)
+
+type hadoop_namenode_data_t;
+files_type(hadoop_namenode_data_t)
+allow hadoop_namenode_t hadoop_namenode_data_t:file manage_file_perms;
+allow hadoop_namenode_t hadoop_namenode_data_t:dir manage_dir_perms;
+hadoop_transition_data_file(hadoop_namenode_t, hadoop_namenode_data_t)
+
+type hadoop_namenode_tmp_t;
+files_tmp_file(hadoop_namenode_tmp_t)
+allow hadoop_namenode_t hadoop_namenode_tmp_t:file manage_file_perms;
+files_tmp_filetrans(hadoop_namenode_t, hadoop_namenode_tmp_t, file)
+
+corecmd_exec_bin(hadoop_namenode_t)
+corecmd_exec_shell(hadoop_namenode_t)
+dev_read_rand(hadoop_namenode_t)
+dev_read_sysfs(hadoop_namenode_t)
+files_read_var_lib_files(hadoop_namenode_t)
+hadoop_manage_data_dir(hadoop_namenode_t)
+hadoop_getattr_run_dir(hadoop_namenode_t)
+dontaudit hadoop_namenode_t self:netlink_route_socket { create ioctl read getattr write setattr append bind connect getopt setopt shutdown nlmsg_read nlmsg_write };
+
+allow hadoop_namenode_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(hadoop_namenode_t)
+corenet_tcp_sendrecv_all_nodes(hadoop_namenode_t)
+corenet_all_recvfrom_unlabeled(hadoop_namenode_t)
+corenet_tcp_bind_all_nodes(hadoop_namenode_t)
+sysnet_read_config(hadoop_namenode_t)
+corenet_tcp_sendrecv_all_ports(hadoop_namenode_t)
+corenet_tcp_bind_all_ports(hadoop_namenode_t)
+corenet_tcp_connect_generic_port(hadoop_namenode_t)
+
+allow hadoop_namenode_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(hadoop_namenode_t)
+corenet_udp_sendrecv_all_nodes(hadoop_namenode_t)
+corenet_udp_bind_all_nodes(hadoop_namenode_t)
+corenet_udp_bind_all_ports(hadoop_namenode_t)
+
+corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
+corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
+
+hadoop_datanode_signull(hadoop_namenode_t)
+hadoop_jobtracker_signull(hadoop_namenode_t)
+hadoop_secondarynamenode_signull(hadoop_namenode_t)
+hadoop_tasktracker_signull(hadoop_namenode_t)