From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Mon, 20 Sep 2010 10:42:18 -0400
Subject: [refpolicy] [PATCH] hadoop 9/10 -- zookeeper_server
Message-ID: <4C9772CA.30105@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Signed-off-by: Paul Nuzzi
---
 policy/modules/kernel/corenetwork.te.in | 3 +
 policy/modules/services/hadoop_zookeeper.fc | 5 +
 policy/modules/services/hadoop_zookeeper.if | 47 +++++++++++++++
 policy/modules/services/hadoop_zookeeper.te | 83 ++++++++++++++++++++++++++++
 4 files changed, 138 insertions(+)
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 549763c..da504dd 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -213,6 +213,9 @@ network_port(xen, tcp,8002,s0)
 network_port(xfs, tcp,7100,s0)
 network_port(xserver, tcp,6000-6020,s0)
 network_port(zebra, tcp,2600-2604,s0, tcp,2606,s0, udp,2600-2604,s0, udp,2606,s0)
+network_port(zookeeper_client, tcp, 2181,s0)
+network_port(zookeeper_election, tcp, 3888,s0)
+network_port(zookeeper_leader, tcp, 2888,s0)
 network_port(zope, tcp,8021,s0)
 
 # Defaults for reserved ports. Earlier portcon entries take precedence;
diff --git a/policy/modules/services/hadoop_zookeeper.fc b/policy/modules/services/hadoop_zookeeper.fc
new file mode 100644
index 0000000..c3677bf
--- /dev/null
+++ b/policy/modules/services/hadoop_zookeeper.fc
@@ -0,0 +1,5 @@
+/usr/bin/zookeeper-server -- gen_context(system_u:object_r:zookeeper_server_exec_t, s0)
+
+/etc/rc\.d/init\.d/hadoop-zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t, s0)
+
+/var/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_data_t, s0)
diff --git a/policy/modules/services/hadoop_zookeeper.if b/policy/modules/services/hadoop_zookeeper.if
new file mode 100644
index 0000000..46d18e5
--- /dev/null
+++ b/policy/modules/services/hadoop_zookeeper.if
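Review bot: The three new `network_port()` lines are written `tcp, 2181,s0` with a space after `tcp,`, while every neighbouring entry in this hunk uses the file's `tcp,8002,s0` form; for consistency they should read `network_port(zookeeper_client, tcp,2181,s0)`, `network_port(zookeeper_election, tcp,3888,s0)` and `network_port(zookeeper_leader, tcp,2888,s0)`. The port numbers themselves do not overlap any range visible in the hunk and are placed in alphabetical order, so no other change is needed here.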
@@ -0,0 +1,47 @@
+## Hadoop Zookeeper Server
+
+########################################
+##
+## Give permission to a domain to signull zookeeper_server_t
+##
+##
+##
+## Domain needing permission
+##
+##
+#
+interface(`zookeeper_server_signull', `
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:process signull;
+')
+
+########################################
+##
+## Role access for zookeeper server
+##
+##
+##
+## Role allowed access
+##
+##
+##
+##
+## User domain for the role
+##
+##
+#
+interface(`zookeeper_server_role',`
+ gen_require(`
+ type zookeeper_server_initrc_exec_t;
+ type zookeeper_server_exec_t;
+ type zookeeper_server_t;
+ ')
+
+ role $1 types zookeeper_server_t;
+ allow $2 zookeeper_server_initrc_exec_t:file { execute execute_no_trans };
+ allow $2 zookeeper_server_exec_t:file { execute execute_no_trans };
+ domtrans_pattern($2, zookeeper_server_exec_t, zookeeper_server_t)
+')
diff --git a/policy/modules/services/hadoop_zookeeper.te b/policy/modules/services/hadoop_zookeeper.te
new file mode 100644
index 0000000..56041ff
--- /dev/null
+++ b/policy/modules/services/hadoop_zookeeper.te
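Review bot: In `zookeeper_server_role`, `allow $2 zookeeper_server_exec_t:file { execute execute_no_trans };` lets the user domain run the server binary while staying in its own domain, which undercuts the `domtrans_pattern($2, zookeeper_server_exec_t, zookeeper_server_t)` on the following line; `domtrans_pattern` already grants the `execute` permission it needs, so that allow should be deleted. The preceding `allow $2 zookeeper_server_initrc_exec_t:file { execute execute_no_trans };` has the same problem for the init script, and if the role is meant to start and stop the service the refpolicy idiom is `init_labeled_script_domtrans($2, zookeeper_server_initrc_exec_t)` together with `role_transition $1 zookeeper_server_initrc_exec_t system_r;` and `allow $1 system_r;`, not a direct file execute. The transition is also inlined rather than provided through a `zookeeper_server_domtrans()` interface as other refpolicy `_role` interfaces do; adding one would let other modules reuse it and would trim this interface's `gen_require` to the types the `role` statement needs. The `<summary>`/`<param>` XML in the comment headers appears to have been stripped by the mail rendering, so the documentation tags are presumably intact in the real patch.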
@@ -0,0 +1,83 @@
+policy_module(zookeeper_server,1.0.0)
+
+type zookeeper_server_t;
+domain_type(zookeeper_server_t)
+
+type zookeeper_server_exec_t;
+files_type(zookeeper_server_exec_t)
+domain_entry_file(zookeeper_server_t, zookeeper_server_exec_t)
+
+optional_policy(`
+ unconfined_run_to(zookeeper_server_t, zookeeper_server_exec_t)
+')
+
+type zookeeper_server_initrc_exec_t;
+files_type(zookeeper_server_initrc_exec_t)
+allow zookeeper_server_t zookeeper_server_exec_t:file execute_no_trans;
+
+type zookeeper_server_pid_t;
+files_pid_file(zookeeper_server_pid_t)
+allow zookeeper_server_t zookeeper_server_pid_t:file manage_file_perms;
+allow zookeeper_server_t zookeeper_server_pid_t:dir rw_dir_perms;
+files_pid_filetrans(zookeeper_server_t,zookeeper_server_pid_t,file)
+
+files_manage_generic_tmp_files(zookeeper_server_t)
+files_manage_generic_tmp_dirs(zookeeper_server_t)
+
+type zookeeper_server_tmp_t;
+files_tmp_file(zookeeper_server_tmp_t)
+allow zookeeper_server_t zookeeper_server_tmp_t:file manage_file_perms;
+files_tmp_filetrans(zookeeper_server_t, zookeeper_server_tmp_t, file)
+
+type zookeeper_server_data_t;
+files_type(zookeeper_server_data_t)
+allow zookeeper_server_t zookeeper_server_data_t:file manage_file_perms;
+allow zookeeper_server_t zookeeper_server_data_t:dir manage_dir_perms;
+files_var_filetrans(zookeeper_server_t, zookeeper_server_data_t, dir)
+
+allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_generic_if(zookeeper_server_t)
+corenet_tcp_sendrecv_all_nodes(zookeeper_server_t)
+corenet_tcp_sendrecv_all_ports(zookeeper_server_t)
+corenet_all_recvfrom_unlabeled(zookeeper_server_t)
+sysnet_read_config(zookeeper_server_t)
+corenet_tcp_connect_generic_port(zookeeper_server_t)
+corenet_tcp_bind_all_nodes(zookeeper_server_t)
+
+allow zookeeper_server_t self:udp_socket create_socket_perms;
+corenet_udp_sendrecv_generic_if(zookeeper_server_t)
+corenet_udp_sendrecv_all_nodes(zookeeper_server_t)
+corenet_udp_sendrecv_all_ports(zookeeper_server_t)
+corenet_udp_bind_all_nodes(zookeeper_server_t)
+corenet_udp_bind_all_ports(zookeeper_server_t)
+
+libs_use_ld_so(zookeeper_server_t)
+libs_use_shared_libs(zookeeper_server_t)
+miscfiles_read_localization(zookeeper_server_t)
+dev_read_urand(zookeeper_server_t)
+dev_read_rand(zookeeper_server_t)
+corecmd_exec_bin(zookeeper_server_t)
+corecmd_exec_shell(zookeeper_server_t)
+kernel_read_system_state(zookeeper_server_t)
+kernel_read_network_state(zookeeper_server_t)
+files_read_etc_files(zookeeper_server_t)
+files_read_usr_files(zookeeper_server_t)
+dev_read_sysfs(zookeeper_server_t)
+java_exec(zookeeper_server_t)
+allow zookeeper_server_t self:fifo_file rw_file_perms;
+allow zookeeper_server_t self:process { getsched execmem sigkill signal signull };
+zookeeper_write_log(zookeeper_server_t)
+zookeeper_read_etc(zookeeper_server_t)
+
+logging_send_syslog_msg(zookeeper_server_t)
+init_daemon_domain(zookeeper_server_t, zookeeper_server_exec_t)
+files_read_usr_files(zookeeper_server_t)
+fs_getattr_xattr_fs(zookeeper_server_t)
+allow zookeeper_server_t self:netlink_route_socket { rw_netlink_socket_perms };
+corenet_tcp_bind_zookeeper_client_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_bind_zookeeper_leader_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_election_port(zookeeper_server_t)
+corenet_tcp_connect_zookeeper_leader_port(zookeeper_server_t)
+allow zookeeper_server_t self:capability kill;
+
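Review bot: `zookeeper_server_initrc_exec_t` is declared with `files_type(zookeeper_server_initrc_exec_t)` near the top of the new file, which makes the init script an ordinary file type and gives init no way to execute it or transition on it; refpolicy's convention for init scripts is `init_script_file(zookeeper_server_initrc_exec_t)`. Several rules are also broader than the private types and port declarations the same file introduces: `files_manage_generic_tmp_files`/`files_manage_generic_tmp_dirs` are granted alongside the dedicated `zookeeper_server_tmp_t`, and `corenet_tcp_sendrecv_all_ports`, `corenet_udp_sendrecv_all_ports` and `corenet_udp_bind_all_ports` sit next to the specific `corenet_tcp_bind_zookeeper_*_port` calls — unless the daemon is known to listen on arbitrary UDP ports, dropping the generic-tmp and `_all_ports` rules would make the policy confine it to the ports it declares. `files_read_usr_files(zookeeper_server_t)` appears twice (once in the library/exec group and again after `init_daemon_domain`), and the second call can be removed. The module is named `zookeeper_server` in `policy_module(zookeeper_server,1.0.0)` while the file is `hadoop_zookeeper.te`; refpolicy modules conventionally use the file's base name here, so this presumably needs to be reconciled, and the refpolicy spacing `policy_module(zookeeper_server, 1.0.0)` and `files_pid_filetrans(zookeeper_server_t, zookeeper_server_pid_t, file)` would match the rest of the tree.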