From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Tue, 21 Sep 2010 11:42:00 -0400
Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined
In-Reply-To: <20100921090159.GA11192@localhost.localdomain>
References: <20100921090159.GA11192@localhost.localdomain>
Message-ID: <4C98D248.9000803@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/21/2010 05:02 AM, Dominick Grift wrote:
> Well, I've rewritten the policy as much as I can with the information that I currently have.
> Because of the use of the hadoop domain attributes I cannot determine whether it is the initrc script doing something or the application, and so I cannot currently finish the hadoop_domain_template policy.

The hadoop_domain policy is basic stuff that most programs share, plus a few hadoop-specific things. I initially had separate functions for initrc and hadoop type policy. Since we are not exporting hadoop-specific functionality to other modules, I removed them from the .if file.

> Also, I have no clue what transitions to the hadoop_t domain. It does not own an initrc script, so I gather it is no init daemon domain. Must be an application domain then?
> A lot of other things that aren't clear and/or make no sense.
> I have also left out things that I think should be handled differently.

hadoop_t is for the hadoop executable, which is /usr/bin/hadoop. It does basic file system stuff, submits jobs and administers the cluster.

> It would be cool if someone could test this policy and provide feedback in the shape of avc denials.

I was able to get zookeeper server and client to run. Here is the audit2allow output in permissive mode. Ignore the networking avcs. I didn't port the networking functions since it was built as a module. Zookeeper client doesn't domtrans into a domain. There is a semodule insert error. hadoop_tasktracker_data_t needs to be modified.
#============= zookeeper_server_t ==============
allow zookeeper_server_t java_exec_t:file { read getattr open execute execute_no_trans };
allow zookeeper_server_t net_conf_t:file { read getattr open };
allow zookeeper_server_t port_t:tcp_socket { name_bind name_connect };
allow zookeeper_server_t self:process execmem;
allow zookeeper_server_t self:tcp_socket { setopt read bind create accept write getattr connect shutdown listen };

> Some properties of this policy:
>
> The hadoop init script domains must be started by the system, or by unconfined or sysadm_t by using run_init server
> To use the zookeeper client domain, the zookeeper_run_client domain must be called for a domain. (For example, if you wish to run it as unconfined_t, you would call zookeeper_run_client(unconfined_t, unconfined_r).)
> The zookeeper server seems to be an ordinary init daemon domain.
> Since I do not know what kind of domain hadoop_t is, it is currently pretty much unreachable. I have created a hadoop_domtrans interface that can be called, but currently no role is allowed the hadoop_t domain.
>
> Signed-off-by: Dominick Grift
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
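The quoted mail says the zookeeper client domain is only reachable from a domain for which zookeeper_run_client() has been called. Below is an added example of a local policy module that does this for unconfined_t; it is not part of the posted patch or of refpolicy. It assumes the interface takes (source domain, role), as in the quoted call, and the module name local_zookeeper is made up for the example.

```m4
# Added example, not from the hadoop patch: a local module that lets
# unconfined_t run the zookeeper client in its own domain by calling the
# zookeeper_run_client() interface described in the quoted mail.
# The module name is hypothetical; the interface is assumed to take
# (source domain, role) exactly as in the quoted example call.
policy_module(local_zookeeper, 1.0.0)

gen_require(`
	type unconfined_t;
	role unconfined_r;
')

# Grants the domain transition from unconfined_t into the zookeeper client
# domain and allows unconfined_r in that domain. Both halves are needed:
# a type_transition without the role allow is denied at exec time.
zookeeper_run_client(unconfined_t, unconfined_r)
```

Build it with the devel Makefile (make -f /usr/share/selinux/devel/Makefile local_zookeeper.pp), load it with semodule -i local_zookeeper.pp, and confirm the transition rule was actually compiled in with sesearch -T -s unconfined_t -c process before looking at avc denials. If the rule is present and the client still runs in unconfined_t, the usual cause is that the client's executable is not labelled with the entrypoint type the interface expects, which is worth checking with ls -Z before changing policy.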