From: domg472@gmail.com (Dominick Grift)
Date: Mon, 20 Sep 2010 19:03:25 +0200
Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined
In-Reply-To: <4C9770F4.9070602@tycho.ncsc.mil>
References: <4C9770F4.9070602@tycho.ncsc.mil>
Message-ID: <20100920170323.GA29060@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
> I fixed the hadoop patch based on all of the feedback I received.  Added role support for sysadm_r to all of the services and programs.  Steve and I were not able to successfully use init_script_domain.  The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface.  It was also causing problems with sysadm_r.  I split up the patches since it was huge. 

Why did the init script domain not work for you?

I am interested in helping to make this policy upstreamable but i am not sure about how to deal with this init scenario and i would like to hear from others what the best way is to go forward with this.

> 
> Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
> 
> ---
>  policy/modules/system/unconfined.if |   25 +++++++++++++++++++++++++
>  1 file changed, 25 insertions(+)
> 
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index 416e668..3364eb3 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -279,6 +279,31 @@ interface(`unconfined_domtrans_to',`
>  
>  ########################################
>  ## <summary>
> +##	Allow a program to enter the specified domain through the
> +## 	unconfined role.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow unconfined role to execute the specified program in
> +##	the specified domain.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to execute in.
> +##	</summary>
> +## </param>
> +#
> +interface(`unconfined_roletrans',`
> +	gen_require(`
> +		role unconfined_r;
> +	')
> +
> +	role unconfined_r types $1;
> +')
> +
> +########################################
> +## <summary>
>  ##	Allow unconfined to execute the specified program in
>  ##	the specified domain.  Allow the specified domain the
>  ##	unconfined role and use of unconfined user terminals.
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 198 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100920/42b8d5ff/attachment.bin