From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Mon, 20 Sep 2010 10:34:28 -0400
Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined
Message-ID: <4C9770F4.9070602@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.

Signed-off-by: Paul Nuzzi
---
 policy/modules/system/unconfined.if | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 416e668..3364eb3 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -279,6 +279,31 @@ interface(`unconfined_domtrans_to',` ######################################## ## +## Allow a program to enter the specified domain through the +## unconfined role. +## +## +##

+## Allow unconfined role to execute the specified program in +## the specified domain. +##

+##
+## +## +## Domain to execute in. +## +## +# +interface(`unconfined_roletrans',` + gen_require(` + role unconfined_r; + ') + + role unconfined_r types $1; +') + +######################################## +## ## Allow unconfined to execute the specified program in ## the specified domain. Allow the specified domain the ## unconfined role and use of unconfined user terminals.
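Review bot: the body of `unconfined_roletrans` only authorizes the type for the role (`role unconfined_r types $1;`); it contains no `role_transition` and no domain transition, so neither the interface name nor its documentation ("Allow unconfined role to execute the specified program in the specified domain", parameter described as "Domain to execute in.") matches what the rule does. A caller that expects a program started from unconfined_r to land in `$1` still needs a separate domtrans rule, and the interface does not say that `$1` must be a domain type. Either rename the interface to describe the role/type authorization and reword the summary and parameter description to match, or, if a real role transition is intended, add the `role_transition` rule and the executable-type parameter it requires. Also, the cover text says role support for sysadm_r was added and that sysadm_r was causing problems, but this interface covers only unconfined_r; confirm the sysadm_r side is handled by an equivalent interface in the other patches of the series.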