From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi) Date: Fri, 10 Dec 2010 18:22:32 -0500 Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3 Message-ID: <4D02B638.1000503@tycho.ncsc.mil> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Updated the hadoop policy to work with the latest Cloudera version (CDHb3). Fixed a bug where policy was preventing exporting files from the distributed file system to the user's home directory. Signed-off-by: Paul Nuzzi --- policy/modules/roles/unprivuser.te | 4 ++++ policy/modules/services/hadoop.fc | 14 +++++++++----- policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++--- policy/modules/services/hadoop.te | 14 ++++++++++++++ 4 files changed, 51 insertions(+), 8 deletions(-) diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 606a257..7a48dad 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -70,6 +70,10 @@ ifndef(`distro_redhat',` ') optional_policy(` + hadoop_role(user_r, user_t) + ') + + optional_policy(` irc_role(user_r, user_t) ') diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc index 3035be2..00a877d 100644 --- a/policy/modules/services/hadoop.fc +++ b/policy/modules/services/hadoop.fc 
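Review bot: The new `hadoop_role(user_r, user_t)` block is inserted in the region the hunk header labels `ifndef(`distro_redhat',`; if that conditional encloses the insertion point, as the neighbouring `irc_role` block suggests, Red Hat-family builds never grant user_r the hadoop client domain, although RHEL/CentOS is the platform CDH3 is mainly packaged for. Either place the block after the ifndef's closing `')` or confirm the exclusion is intended and say so in the commit message, since on those builds the `hadoop_t` home-directory rules added elsewhere in this patch would be unreachable from user_r. Whether the ifndef actually encloses this line cannot be confirmed from the hunk; the conditional starts and ends outside it.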
@@ -1,10 +1,10 @@ /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0) -/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) -/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) -/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) -/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) -/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) +/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) +/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0) +/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0) +/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0) +/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0) /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0) /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0) 
@@ -24,10 +24,14 @@ /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0) /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0) /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0) /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0) /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0) /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0) /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0) /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0) diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if index 9e9bfe7..d1ff90d 100644 --- a/policy/modules/services/hadoop.if +++ b/policy/modules/services/hadoop.if 
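Review bot: The new `cache/hdfs/...` entries cover the datanode (`dfs/data`) and secondarynamenode (`dfs/namesecondary`) directories, but no `hdfs` counterpart is added for the namenode's `dfs/name` directory even though the `cache/hadoop/dfs/name` entry is kept as context in the same hunk. If CDH3 places the namenode metadata under the hdfs user's cache like the other two, that directory inherits the parent `hadoop_var_lib_t` label and the dedicated `hadoop_namenode_var_lib_t` type is never applied; add `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)?	gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)` or state why it is omitted. The `/var/lock/subsys/hadoop-datanode` entry left as context also lacks the `(.*-)?` infix the init-script entries gain in this patch, so a lock file created by a renamed script such as `hadoop-0.20-datanode` would presumably not receive `hadoop_datanode_lock_t`; worth checking against the lock file names CDH3's scripts actually use.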
@@ -52,9 +52,12 @@ template(`hadoop_domain_template',` # Shared hadoop_$1 policy. # - allow hadoop_$1_t self:process execmem; + allow hadoop_$1_t self:capability { chown kill setgid setuid }; + allow hadoop_$1_t self:key search; + allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal }; allow hadoop_$1_t self:fifo_file rw_fifo_file_perms; allow hadoop_$1_t self:tcp_socket create_stream_socket_perms; + allow hadoop_$1_t self:unix_dgram_socket create_socket_perms; allow hadoop_$1_t self:udp_socket create_socket_perms; dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms; @@ -69,8 +72,9 @@ template(`hadoop_domain_template',` filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file) files_search_var_lib(hadoop_$1_t) - allow hadoop_$1_t hadoop_var_run_t:dir getattr; - files_search_pids(hadoop_$1_t) + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) + files_search_pids(hadoop_$1_t) allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms; manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t) @@ -102,14 +106,29 @@ template(`hadoop_domain_template',` files_read_etc_files(hadoop_$1_t) + init_read_utmp(hadoop_$1_t) + init_use_fds(hadoop_$1_t) + init_use_script_fds(hadoop_$1_t) + init_use_script_ptys(hadoop_$1_t) + + kerberos_use(hadoop_$1_t) + kernel_read_kernel_sysctls(hadoop_$1_t) + kernel_read_sysctl(hadoop_$1_t) + + logging_send_audit_msgs(hadoop_$1_t) + logging_send_syslog_msg(hadoop_$1_t) + miscfiles_read_localization(hadoop_$1_t) + su_exec(hadoop_$1_t) sysnet_read_config(hadoop_$1_t) hadoop_exec_config(hadoop_$1_t) java_exec(hadoop_$1_t) + auth_domtrans_chkpwd(hadoop_$1_t) + optional_policy(` nscd_socket_use(hadoop_$1_t) ') 
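Review bot: `allow hadoop_$1_t self:capability { chown kill setgid setuid };` is added to the shared `hadoop_domain_template`, so the namenode, secondarynamenode, datanode and jobtracker domains all receive uid/gid switching, file ownership changes and cross-user kill alongside the tasktracker, which is plausibly the only daemon that launches work under other users. Grant these in hadoop.te on `hadoop_tasktracker_t` (and on any other domain an actual AVC denial shows needing them) rather than in the template, with a comment naming the reason, e.g. `# tasktracker launches tasks as the job owner and kills them on timeout`. The same applies to `sigkill` in the new `self:process` set. `hadoop_domain_template` starts and ends outside this hunk.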
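Review bot: `su_exec(hadoop_$1_t)` and `auth_domtrans_chkpwd(hadoop_$1_t)` are unconditional in the template, so every hadoop daemon domain may run `su` without a domain transition — su then executes inside `hadoop_$1_t`, where this patch also adds the setuid/setgid capabilities — and may drive the password checker. If only one daemon's task launching needs `su` (the init scripts run in `hadoop_$1_initrc_t`, not here), move the call to that domain in hadoop.te; in any case `su_exec` and `kerberos_use` call into separate policy modules and, unless this build marks them as base, belong inside `optional_policy(`` blocks like the existing `nscd_socket_use` call below them. A short comment stating which daemon code path executes su would also help the next reviewer. `hadoop_domain_template` starts and ends outside this hunk.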
@@ -156,12 +175,14 @@ template(`hadoop_domain_template',` consoletype_exec(hadoop_$1_initrc_t) fs_getattr_xattr_fs(hadoop_$1_initrc_t) + fs_search_cgroup_dirs(hadoop_$1_initrc_t) term_use_generic_ptys(hadoop_$1_initrc_t) hadoop_exec_config(hadoop_$1_initrc_t) init_rw_utmp(hadoop_$1_initrc_t) + init_use_fds(hadoop_$1_initrc_t) init_use_script_ptys(hadoop_$1_initrc_t) logging_send_syslog_msg(hadoop_$1_initrc_t) diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te index 35a8131..b103f89 100644 --- a/policy/modules/services/hadoop.te +++ b/policy/modules/services/hadoop.te @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t) dev_read_rand(hadoop_t) dev_read_sysfs(hadoop_t) dev_read_urand(hadoop_t) +domain_use_interactive_fds(hadoop_t) files_dontaudit_search_spool(hadoop_t) +files_read_etc_files(hadoop_t) files_read_usr_files(hadoop_t) +files_search_var_lib(hadoop_t) fs_getattr_xattr_fs(hadoop_t) +kerberos_use(hadoop_t) + miscfiles_read_localization(hadoop_t) +sysnet_read_config(hadoop_t) + userdom_dontaudit_search_user_home_dirs(hadoop_t) +userdom_list_user_home_content(hadoop_t) +userdom_manage_user_home_content_files(hadoop_t) userdom_use_user_terminals(hadoop_t) java_exec(hadoop_t) @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t) corenet_tcp_connect_zope_port(hadoop_tasktracker_t) manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t); +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t) filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir) +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file) +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t) + manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t) fs_getattr_xattr_fs(hadoop_tasktracker_t) 
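Review bot: `userdom_dontaudit_search_user_home_dirs(hadoop_t)` is kept directly above the new `userdom_list_user_home_content(hadoop_t)`, which grants search and listing of user home directories, so the dontaudit is now dead and should be removed. The export fix uses `userdom_manage_user_home_content_files(hadoop_t)`, which covers create, write, unlink and rename of every file labeled as user home content; if `hadoop fs -get`/`-copyToLocal` only needs to create and write the destination, please confirm full manage is required or narrow it to the create/write permissions the denial actually showed. Because `hadoop_t` becomes reachable from user_r through the `hadoop_role` call in this patch, the breadth of this rule is what every unprivileged user's client gets. The `hadoop_t` rule block starts outside this hunk.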
@@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t) dev_read_rand(zookeeper_t) dev_read_sysfs(zookeeper_t) dev_read_urand(zookeeper_t) +domain_use_interactive_fds(zookeeper_t) files_read_etc_files(zookeeper_t) files_read_usr_files(zookeeper_t)