From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Fri, 01 Oct 2010 13:56:00 -0400
Subject: [refpolicy] [PATCH] hadoop 1/10 -- unconfined
In-Reply-To: <4CA5FB87.9080909@tycho.ncsc.mil>
References: <20100921195753.GA5706@localhost.localdomain> <1285099440.1806.13.camel@jeremy-ubuntu> <4C9B5262.7080405@tycho.ncsc.mil> <1285338053.1772.90.camel@jeremy-ubuntu> <4CA0E75A.4080406@tycho.ncsc.mil> <4CA4E77C.9040907@tycho.ncsc.mil> <20101001120217.GA14548@localhost.localdomain> <4CA5FB87.9080909@tycho.ncsc.mil>
Message-ID: <4CA620B0.8040901@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 10/01/10 11:17, Paul Nuzzi wrote:
> On 10/01/2010 08:02 AM, Dominick Grift wrote:
>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote:
>>> I updated the patch based on recommendations from the mailing list.
>>> All of hadoop's services are included in one module instead of
>>> individual ones. Unconfined and sysadm roles are given access to
>>> hadoop and zookeeper client domain transitions. The services are started
>>> using run_init. Let me know what you think.
>>
>> Why do some hadoop domains need to manage generic tmp?
>>
>> files_manage_generic_tmp_dirs(zookeeper_t)
>> files_manage_generic_tmp_dirs(hadoop_t)
>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t)
>> files_manage_generic_tmp_files(hadoop_$1_initrc_t)
>> files_manage_generic_tmp_files(hadoop_$1_t)
>> files_manage_generic_tmp_dirs(hadoop_$1_t)
>
> This has to be done for Java JMX to work. All of the files are written to
> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while
> all the files for each service are labeled with hadoop_*_tmp_t. The first service
> will end up owning the directory if it is not labeled tmp_t.

The hsperfdata dir in /tmp is certainly the bane of policy writers. Based on a quick look through the policy, it looks like the only dir they create in /tmp is this hsperfdata dir.
I suggest you do something like

files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
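As an added illustration of the layout suggested in the message above (this is example policy written for this page, not code from the hadoop patch or from the reply), the following reference-policy fragment shows the full set of rules the two named domains would need: a dedicated type for the hsperfdata directory, the directory transition out of tmp_t, the per-domain file transition inside it, and the allow rules without which the transitions never fire. It assumes that hadoop_t, zookeeper_t, hadoop_tmp_t and zookeeper_tmp_t are already declared elsewhere in the module, and uses the three-argument form of files_tmp_filetrans that refpolicy shipped at the time.

```selinux
########################################
#
# Declarations
#
# Example only. hadoop_t, zookeeper_t, hadoop_tmp_t and
# zookeeper_tmp_t are assumed to be declared elsewhere in the
# hadoop module (with files_tmp_file() on the two tmp types).
#

# One dedicated type for the JVM's /tmp/hsperfdata_<user> directory.
# Every JVM domain in the module shares it, so the directory is never
# owned by the tmp type of whichever service happened to start first.
type hadoop_hsperfdata_t;
files_tmp_file(hadoop_hsperfdata_t)

########################################
#
# Hadoop local policy
#

# A directory created directly under /tmp (tmp_t) by hadoop_t gets
# hadoop_hsperfdata_t instead of the default tmp_t; the domain also
# needs to create, enter and remove that directory.
files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
manage_dirs_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_hsperfdata_t)

# Files created inside the hsperfdata directory get this domain's own
# tmp type, so hadoop_t and zookeeper_t never touch each other's
# perf-data files even though both live under the same directory type.
filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
manage_files_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t)

########################################
#
# Zookeeper local policy
#

# Same pair of rules for zookeeper_t; only the file type differs.
files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
manage_dirs_pattern(zookeeper_t, hadoop_hsperfdata_t, hadoop_hsperfdata_t)

filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
manage_files_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t)
```

With these rules in place the files_manage_generic_tmp_dirs/files calls that Dominick questioned are no longer needed for the hsperfdata case, since neither domain ever has to write a tmp_t directory or file. The per-service hadoop_$1_t domains from the template would take the same pair of rules with their own hadoop_$1_tmp_t. Two caveats, both mine rather than the reply's: a hsperfdata directory that already exists from before the policy change keeps its old tmp_t label (there is no file context entry for it, so restorecon will not fix it; remove it and let the service recreate it, then check with ls -Z /tmp/hsperfdata_hadoop), and later refpolicy releases accept an optional name argument on files_tmp_filetrans, which would let the transition apply only to directories literally named hsperfdata_hadoop and hsperfdata_zookeeper rather than to every directory these domains create in /tmp.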