From: domg472@gmail.com (Dominick Grift)
Date: Tue, 21 Sep 2010 18:14:52 +0200
Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined
In-Reply-To: <4C98D248.9000803@tycho.ncsc.mil>
References: <20100921090159.GA11192@localhost.localdomain> <4C98D248.9000803@tycho.ncsc.mil>
Message-ID: <4C98D9FC.50002@gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/21/2010 05:42 PM, Paul Nuzzi wrote:
> On 09/21/2010 05:02 AM, Dominick Grift wrote:
>> Well, I've rewritten the policy as much as I can with the information that I currently have.
>> Because of the use of the hadoop domain attributes I cannot determine whether it is the initrc script doing something or the application, and so I cannot currently finish the hadoop_domain_template policy.
>
> The hadoop_domain policy is basic stuff that most programs share, plus a few hadoop-specific things. I initially had separate functions for initrc and hadoop type policy.
> Since we are not exporting hadoop-specific functionality to other modules I removed them from the .if file. With that in mind, it looks like the policy has some duplicate rules.
>
>> Also I have no clue what transitions to the hadoop_t domain. It does not own an initrc script so I gather it is no init daemon domain. Must be an application domain then?
>> A lot of other things that aren't clear and/or make no sense.
>> I have also left out things that I think should be handled differently.
>
> hadoop_t is for the hadoop executable which is /usr/bin/hadoop. It does basic file system stuff, submits jobs and administers the cluster.

And who or what runs it? Who or what transitions to the hadoop_t domain?

>> It would be cool if someone could test this policy and provide feedback in the shape of avc denials.
>
> I was able to get zookeeper server and client to run. Here is the audit2allow in permissive mode. Ignore the networking avcs. I didn't port the networking functions since it was built as a module.
> Zookeeper client doesn't domtrans into a domain. There is an semodule insert error. hadoop_tasktracker_data_t needs to be modified.

Thanks, I fixed that file context specification now.

Were you able to run the init script domains in permissive mode? Does it work when you use run_init? Do the initrc domains properly transition to the main domains in permissive mode? Could you provide some avc denials of that?

You should also specify file contexts for the pid files and lock files.

>
> #============= zookeeper_server_t ==============
> allow zookeeper_server_t java_exec_t:file { read getattr open execute execute_no_trans };
> allow zookeeper_server_t net_conf_t:file { read getattr open };
> allow zookeeper_server_t port_t:tcp_socket { name_bind name_connect };

What port is it connecting and binding sockets to? Why are they not labelled?

> allow zookeeper_server_t self:process execmem;
> allow zookeeper_server_t self:tcp_socket { setopt read bind create accept write getattr connect shutdown listen };
>

I will add the above rules to the policy that I have, except for the bind/connect to generic port types as this seems like a bad idea to me.

Were there no denials left for the zookeeper client? Did you use zookeeper_run_client() to transition to the zookeeper_t domain?

>> Some properties of this policy:
>>
>> The hadoop init script domains must be started by the system, or by unconfined or sysadm_t by using run_init server
>> To use the zookeeper client domain, the zookeeper_run_client domain must be called for a domain. (For example, if you wish to run it as unconfined_t, you would call zookeeper_run_client(unconfined_t, unconfined_r).)
>> The zookeeper server seems to be an ordinary init daemon domain.
>> Since I do not know what kind of domain hadoop_t is, it is currently pretty much unreachable. I have created a hadoop_domtrans interface that can be called but currently no role is allowed the hadoop_t domain.
>>
>> Signed-off-by: Dominick Grift
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
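An added illustration, not part of this thread or of the hadoop patch under review, of the two points raised above: why the generic `port_t` bind/connect rule that audit2allow produced is weaker than a dedicated port type, and what a refpolicy-style `zookeeper_run_client()` interface has to grant for a caller's role to reach `zookeeper_t`. The type names `zookeeper_exec_t` and `zookeeper_client_port_t`, the port number 2181, and the availability of the `corenet_port()` interface are assumptions; the thread does not state them.

```selinux
# --- 1. The audit2allow output: bind/connect to any unlabelled port ---
# port_t is the catch-all type for ports no policy has claimed, so this
# rule lets the server listen on, or reach, anything not explicitly
# labelled, which is far more than a ZooKeeper server needs.
allow zookeeper_server_t port_t:tcp_socket { name_bind name_connect };

# --- 2. The same access pinned to a dedicated port type ---
# Assumed names; declare the type and mark it as a port type with
# refpolicy's corenet_port() interface (assumed available here).
type zookeeper_client_port_t;
corenet_port(zookeeper_client_port_t)
allow zookeeper_server_t zookeeper_client_port_t:tcp_socket { name_bind name_connect };
# The number is attached to the type outside the policy source, e.g.
#   semanage port -a -t zookeeper_client_port_t -p tcp 2181
# (2181 is an assumed value). A bind to any other port now shows up as an
# avc denial instead of silently succeeding under the port_t rule.

# --- 3. What zookeeper_run_client(unconfined_t, unconfined_r) must do ---
# A domain transition is only usable if the caller's role is also allowed
# the target domain; without the role line the transition is denied even
# though the domtrans rules exist.
interface(`zookeeper_run_client',`
	gen_require(`
		type zookeeper_t, zookeeper_exec_t;
	')

	# $1 executing zookeeper_exec_t transitions into zookeeper_t
	domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
	# and role $2 is permitted to hold the zookeeper_t domain
	role $2 types zookeeper_t;
')
```

With section 2 in place, `audit2allow` output that still names `port_t` points at an unlabelled port, which is the question asked above about which port the server was binding to.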