From: domg472@gmail.com (Dominick Grift)
Date: Mon, 20 Sep 2010 19:03:25 +0200
Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined
In-Reply-To: <4C9770F4.9070602@tycho.ncsc.mil>
References: <4C9770F4.9070602@tycho.ncsc.mil>
Message-ID: <20100920170323.GA29060@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
> I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.

Why did the init script domain not work for you? I am interested in helping to make this policy upstreamable, but I am not sure about how to deal with this init scenario and I would like to hear from others what the best way is to go forward with this.

>
> Signed-off-by: Paul Nuzzi
>
> ---
> policy/modules/system/unconfined.if | 25 +++++++++++++++++++++++++
> 1 file changed, 25 insertions(+)
>
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index 416e668..3364eb3 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -279,6 +279,31 @@ interface(`unconfined_domtrans_to',` > > ######################################## > ## > +## Allow a program to enter the specified domain through the > +## unconfined role. > +## > +## > +##

> +## Allow unconfined role to execute the specified program in > +## the specified domain. > +##

> +##
> +## > +## > +## Domain to execute in. > +## > +## > +# > +interface(`unconfined_roletrans',` > + gen_require(` > + role unconfined_r; > + ') > + > + role unconfined_r types $1; > +') > + > +######################################## > +## > ## Allow unconfined to execute the specified program in > ## the specified domain. Allow the specified domain the > ## unconfined role and use of unconfined user terminals.
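Review bot: the body of the new `unconfined_roletrans` interface is only `role unconfined_r types $1;`, so it performs neither a role_transition nor a domain transition, yet the interface name and its description ("Allow unconfined role to execute the specified program in the specified domain") both promise an execution path; rename it, or reword the summary, to state that it only authorizes the given domain type for unconfined_r, and say in the description that the caller still needs a separate domain-transition interface, otherwise callers will assume execute permission has been granted. The doc comment also carries two overlapping summaries of the same thing (the "Allow a program to enter the specified domain through the unconfined role" text and the "Allow unconfined role to execute..." text); keep one. Finally, the interface documented in the trailing context immediately below already does "Allow the specified domain the unconfined role" together with the domain transition and terminal access, so this addition duplicates part of it and the commit message should explain why a role-only variant is required for the hadoop init scripts.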