From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Mon, 20 Sep 2010 10:41:12 -0400
Subject: [refpolicy] [PATCH] hadoop 8/10 -- zookeeper
Message-ID: <4C977288.2010508@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Signed-off-by: Paul Nuzzi
---
policy/modules/apps/zookeeper.fc | 6 +++
policy/modules/apps/zookeeper.if | 68 ++++++++++++++++++++++++++++++++++++
policy/modules/apps/zookeeper.te | 73 +++++++++++++++++++++++++++++++++++++++
3 files changed, 147 insertions(+)
diff --git a/policy/modules/apps/zookeeper.fc b/policy/modules/apps/zookeeper.fc
new file mode 100644
index 0000000..c7c0ae4
--- /dev/null
+++ b/policy/modules/apps/zookeeper.fc
@@ -0,0 +1,6 @@
+/usr/bin/zookeeper-client -- gen_context(system_u:object_r:zookeeper_exec_t, s0)
+
+/var/log/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_log_t, s0)
+
+/etc/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_etc_t, s0)
+/etc/zookeeper.dist(/.*)? gen_context(system_u:object_r:zookeeper_etc_t, s0)
diff --git a/policy/modules/apps/zookeeper.if b/policy/modules/apps/zookeeper.if
new file mode 100644
index 0000000..e8df9bf
--- /dev/null
+++ b/policy/modules/apps/zookeeper.if
@@ -0,0 +1,68 @@
+## Hadoop Zookeeper
+
+########################################
+##
+## Role access for zookeeper
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`zookeeper_role',`
+ gen_require(`
+ type zookeeper_exec_t;
+ type zookeeper_t;
+ ')
+
+ role $1 types zookeeper_t;
+ allow $2 zookeeper_exec_t:file { execute };
+ domtrans_pattern($2, zookeeper_exec_t, zookeeper_t)
+')
+
+########################################
+##
+## Give permission to a domain to access zookeeper_etc_t
+##
+##
+##
+## Domain needing read permission
+##
+##
+#
+interface(`zookeeper_read_etc',`
+ gen_require(`
+ type zookeeper_etc_t;
+ ')
+
+ allow $1 zookeeper_etc_t:file { getattr read_file_perms };
+ allow $1 zookeeper_etc_t:dir search_dir_perms;
+ allow $1 zookeeper_etc_t:lnk_file { read getattr };
+
+')
+
+########################################
+##
+## Give permission to a domain to write zookeeper_log_t
+##
+##
+##
+## Domain needing write permission
+##
+##
+#
+interface(`zookeeper_write_log',`
+ gen_require(`
+ type zookeeper_log_t;
+ ')
+
+ allow $1 zookeeper_log_t:file { create manage_file_perms };
+ allow $1 zookeeper_log_t:dir { setattr rw_dir_perms };
+ logging_log_filetrans($1, zookeeper_log_t, { file dir })
+')
diff --git a/policy/modules/apps/zookeeper.te b/policy/modules/apps/zookeeper.te
new file mode 100644
index 0000000..9f0a4e5
--- /dev/null
+++ b/policy/modules/apps/zookeeper.te
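Review bot: `zookeeper_write_log` grants more than its name and summary promise: `allow $1 zookeeper_log_t:file { create manage_file_perms };` includes unlink and rename, so a caller given "write" access can delete or replace log files, and `allow $1 zookeeper_log_t:dir { setattr rw_dir_perms };` lets it add and remove directory entries as well. Either narrow the rules to what log writers need (e.g. `append_files_pattern($1, zookeeper_log_t, zookeeper_log_t)` plus `create_files_pattern($1, zookeeper_log_t, zookeeper_log_t)`) or rename the interface to `zookeeper_manage_log` so callers see what they are being granted. The permission sets also carry redundant members: `create` is already part of `manage_file_perms`, `getattr` is part of `read_file_perms`, and `zookeeper_role`'s `allow $2 zookeeper_exec_t:file { execute };` duplicates the execute permission `domtrans_pattern` grants on the entry file. `zookeeper_read_etc` could collapse to `read_files_pattern($1, zookeeper_etc_t, zookeeper_etc_t)` and `read_lnk_files_pattern($1, zookeeper_etc_t, zookeeper_etc_t)`, which also drops the stray blank line before its closing `')`.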
@@ -0,0 +1,73 @@
+policy_module(zookeeper,1.0.0)
+
+type zookeeper_t;
+domain_type(zookeeper_t)
+
+type zookeeper_exec_t;
+files_type(zookeeper_exec_t)
+domain_entry_file(zookeeper_t, zookeeper_exec_t)
+
+optional_policy(`
+ unconfined_run_to(zookeeper_t, zookeeper_exec_t)
+')
+
+type zookeeper_etc_t;
+files_config_file(zookeeper_etc_t)
+allow zookeeper_t zookeeper_etc_t:file { getattr read_file_perms };
+allow zookeeper_t zookeeper_etc_t:dir search_dir_perms;
+allow zookeeper_t zookeeper_etc_t:lnk_file { read getattr };
+
+files_manage_generic_tmp_files(zookeeper_t)
+files_manage_generic_tmp_dirs(zookeeper_t)
+
+type zookeeper_tmp_t;
+files_tmp_file(zookeeper_tmp_t)
+allow zookeeper_t zookeeper_tmp_t:file manage_file_perms;
+files_tmp_filetrans(zookeeper_t, zookeeper_tmp_t, file)
+
+type zookeeper_log_t;
+logging_log_file(zookeeper_log_t)
+allow zookeeper_t zookeeper_log_t:file {create manage_file_perms};
+allow zookeeper_t zookeeper_log_t:dir {setattr rw_dir_perms};
+logging_log_filetrans(zookeeper_t,zookeeper_log_t,{file dir})
+
+allow zookeeper_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(zookeeper_t)
+corenet_tcp_sendrecv_all_nodes(zookeeper_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_t)
+corenet_all_recvfrom_unlabeled(zookeeper_t)
+sysnet_read_config(zookeeper_t)
+corenet_tcp_connect_generic_port(zookeeper_t)
+corenet_tcp_bind_all_nodes(zookeeper_t)
+
+allow zookeeper_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(zookeeper_t)
+corenet_udp_sendrecv_all_nodes(zookeeper_t)
+corenet_udp_sendrecv_all_ports(zookeeper_t)
+corenet_udp_bind_all_nodes(zookeeper_t)
+corenet_udp_bind_all_ports(zookeeper_t)
+
+libs_use_ld_so(zookeeper_t)
+libs_use_shared_libs(zookeeper_t)
+miscfiles_read_localization(zookeeper_t)
+dev_read_urand(zookeeper_t)
+dev_read_rand(zookeeper_t)
+corecmd_exec_bin(zookeeper_t)
+corecmd_exec_shell(zookeeper_t)
+kernel_read_system_state(zookeeper_t)
+kernel_read_network_state(zookeeper_t)
+files_read_etc_files(zookeeper_t)
+files_read_usr_files(zookeeper_t)
+dev_read_sysfs(zookeeper_t)
+java_exec(zookeeper_t)
+allow zookeeper_t self:fifo_file rw_file_perms;
+allow zookeeper_t self:process { getsched execmem sigkill signal signull };
+
+nscd_socket_use(zookeeper_t)
+term_use_all_terms(zookeeper_t)
+logging_search_logs(zookeeper_t)
+userdom_dontaudit_search_user_home_dirs(zookeeper_t)
+allow zookeeper_t zookeeper_exec_t:file execute_no_trans;
+zookeeper_server_signull(zookeeper_t)
+corenet_tcp_connect_zookeeper_client_port(zookeeper_t)
+
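Review bot: The network rules in the new .te are far wider than a client needs: `corenet_tcp_sendrecv_all_ports(zookeeper_t)`, `corenet_udp_sendrecv_all_ports(zookeeper_t)` and `corenet_udp_bind_all_ports(zookeeper_t)` let the domain talk on and bind any port type, which makes the specific `corenet_tcp_connect_zookeeper_client_port(zookeeper_t)` at the end of the hunk redundant and removes the port-type confinement that interface was meant to provide. The tmp handling has the same shape: `files_manage_generic_tmp_files(zookeeper_t)` and `files_manage_generic_tmp_dirs(zookeeper_t)` grant manage on all of tmp_t even though the private `zookeeper_tmp_t` with `files_tmp_filetrans(zookeeper_t, zookeeper_tmp_t, file)` was added to avoid that, and since the filetrans names only `file`, directories the domain creates under /tmp would still get the generic label. The `execmem` permission in `allow zookeeper_t self:process { getsched execmem sigkill signal signull };` deserves a why-comment (presumably the JVM run via `java_exec`, which executes in this domain) so it is not carried forward unexamined. `zookeeper_server_signull` and `corenet_tcp_connect_zookeeper_client_port` are not defined in this patch; if they come from a separately installable module rather than the base policy, the `zookeeper_server_signull(zookeeper_t)` call belongs inside an `optional_policy()` block so this module still links without it.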