From: domg472@gmail.com (Dominick Grift)
Date: Mon, 20 Sep 2010 21:33:23 +0200
Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined
In-Reply-To: <4C97A1A4.80006@tycho.ncsc.mil>
References: <4C9770F4.9070602@tycho.ncsc.mil> <20100920170323.GA29060@localhost.localdomain> <4C97A1A4.80006@tycho.ncsc.mil>
Message-ID: <20100920193322.GA31431@localhost.localdomain>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, Sep 20, 2010 at 02:02:12PM -0400, Paul Nuzzi wrote:
> On 09/20/2010 01:03 PM, Dominick Grift wrote:
> > On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
> >> I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed, so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.
> >
> > Why did the init script domain not work for you?
> >
> > I am interested in helping to make this policy upstreamable, but I am not sure about how to deal with this init scenario and I would like to hear from others what the best way is to go forward with this.
>
> I wasn't able to transfer into the pseudo initrc domain with init_script_domain. Using
> init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) executed the startup script in unconfined_u:system_r:initrc_t instead of :hadoop_datanode_initrc_t. Using init_daemon_domain (which I know works) and init_script_domain together gives a semodule insert error: conflicting te rule for (init_t, hadoop_datanode_initrc_exec_t:process): old was initrc_t, new is hadoop_datanode_initrc_t. Maybe this is because it contains domtrans_pattern(init_run_all_scripts_domain, $2, $1) instead of the domtrans_pattern(initrc_t, $2, $1) that init_daemon_domain has.
I just tested it and it works, provided that you use run_init to start the daemon. I suspect Fedora broke the functionality to make it work by default. These seem to be the culprits:

init_exec_script_files(sysadm_t)
init_domtrans_script(unconfined_t)

Here is how to reproduce how I got it to work:

policy_module(test, 1.0.0)

type test_t;
type test_exec_t;

init_script_domain(test_t, test_exec_t)
role system_r types test_t;

chcon -t test_exec_t /etc/rc.d/init.d/httpd
sudo -r sysadm_r -t sysadm_t run_init service httpd start
sudo -r unconfined_r -t unconfined_t run_init service httpd start

>
> Searching through refpolicy I don't see any references to init_script_domain. Let's see what everyone else thinks.