From: domg472@gmail.com (Dominick Grift) Date: Sat, 11 Dec 2010 09:56:30 +0100 Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec In-Reply-To: <4D02B63A.90808@tycho.ncsc.mil> References: <4D02B63A.90808@tycho.ncsc.mil> Message-ID: <4D033CBE.9020000@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 12/11/2010 12:22 AM, Paul Nuzzi wrote: > Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to > connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces > the architecture of Hadoop without having to modify any of the code. This adds a level of > confidentiality, integrity, and authentication provided outside the software stack. > > Signed-off-by: Paul Nuzzi > > --- >
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index d07e172..c1ca3a6 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -106,6 +106,8 @@ template(`hadoop_domain_template',`
>
> files_read_etc_files(hadoop_$1_t)
>
> + hadoop_lan_polmatch(hadoop_$1_t)
> +
> init_read_utmp(hadoop_$1_t)
> init_use_fds(hadoop_$1_t)
> init_use_script_fds(hadoop_$1_t)
> @@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
> hadoop_read_config($1)
> allow $1 hadoop_etc_t:file exec_file_perms;
> ')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## polmatch on hadoop_lan_t
> +##
> +##
> +##
> +## Domain needing polmatch
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_lan_polmatch',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association polmatch;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## setcontext on hadoop_lan_t
> +##
> +##
> +##
> +## Domain needing setcontext
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_lan_setcontext',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association setcontext;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recv hadoop_datanode_t
> +##
> +##
> +##
> +## Domain needing recv
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_datanode_recv',`
> + gen_require(`
> + type hadoop_datanode_t;
> + ')
> +
> + allow $1 hadoop_datanode_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recv hadoop_namenode_t
> +##
> +##
> +##
> +## Domain needing recv
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_namenode_recv',`
> + gen_require(`
> + type hadoop_namenode_t;
> + ')
> +
> + allow $1 hadoop_namenode_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recv hadoop_jobtracker_t
> +##
> +##
> +##
> +## Domain needing recv
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_jobtracker_recv',`
> + gen_require(`
> + type hadoop_jobtracker_t;
> + ')
> +
> + allow $1 hadoop_jobtracker_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recv hadoop_tasktracker_t
> +##
> +##
> +##
> +## Domain needing recv
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_tasktracker_recv',`
> + gen_require(`
> + type hadoop_tasktracker_t;
> + ')
> +
> + allow $1 hadoop_tasktracker_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recv hadoop_secondarynamenode_t
> +##
> +##
> +##
> +## Domain needing recv
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_secondarynamenode_recv',`
> + gen_require(`
> + type hadoop_secondarynamenode_t;
> + ')
> +
> + allow $1 hadoop_secondarynamenode_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recv hadoop_t
> +##
> +##
> +##
> +## Domain needing recv
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_recv',`
> + gen_require(`
> + type hadoop_t;
> + ')
> +
> + allow $1 hadoop_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recv zookeeper_server_t
> +##
> +##
> +##
> +## Domain needing recv
> +## permission
> +##
> +##
> +#
> +interface(`zookeeper_server_recv',`
> + gen_require(`
> + type zookeeper_server_t;
> + ')
> +
> + allow $1 zookeeper_server_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recv zookeeper_t
> +##
> +##
> +##
> +## Domain needing recv
> +## permission
> +##
> +##
> +#
> +interface(`zookeeper_recv',`
> + gen_require(`
> + type zookeeper_t;
> + ')
> +
> + allow $1 zookeeper_t:peer recv;
> +')
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index b103f89..e4bbe97 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
> type hadoop_etc_t;
> files_config_file(hadoop_etc_t)
>
> +type hadoop_lan_t;
> +files_type(hadoop_lan_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
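Review bot: `zookeeper_server_recv` and `zookeeper_recv` at the end of this hunk are the only interfaces in hadoop.if without the `hadoop_` module prefix; every other interface in the file (`hadoop_exec_config`, `hadoop_read_config`, the template, and the new `hadoop_*_recv` set) carries it, and anyone looking for zookeeper rules by module name will not find these two. Renaming them to `hadoop_zookeeper_server_recv` and `hadoop_zookeeper_recv` (with the two call sites in hadoop.te) keeps the file consistent. The summaries could also state what is actually granted instead of the bare object-class verb: for example `## Receive network packets from hadoop datanode peers (labeled networking).` in place of "recv hadoop_datanode_t", and likewise for the others.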
>
> @@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>
> allow hadoop_t hadoop_domain:process signull;
>
> +hadoop_lan_polmatch(hadoop_t)
> +allow hadoop_t self:peer recv;
> +hadoop_datanode_recv(hadoop_t)
> +hadoop_jobtracker_recv(hadoop_t)
> +hadoop_namenode_recv(hadoop_t)
> +hadoop_tasktracker_recv(hadoop_t)
> +
> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> can_exec(hadoop_t, hadoop_etc_t)
> @@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>
> fs_getattr_xattr_fs(hadoop_datanode_t)
>
> +allow hadoop_datanode_t self:peer recv;
> +hadoop_jobtracker_recv(hadoop_datanode_t)
> +hadoop_namenode_recv(hadoop_datanode_t)
> +hadoop_recv(hadoop_datanode_t)
> +hadoop_tasktracker_recv(hadoop_datanode_t)
> +
> ########################################
> #
> # Hadoop jobtracker policy.
> @@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>
> +allow hadoop_jobtracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_jobtracker_t)
> +hadoop_namenode_recv(hadoop_jobtracker_t)
> +hadoop_recv(hadoop_jobtracker_t)
> +hadoop_tasktracker_recv(hadoop_jobtracker_t)
> +
> ########################################
> #
> # Hadoop namenode policy.
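Review bot: `files_type(hadoop_lan_t)` in the first hadoop.te hunk (its declaration block ends with the blank line at the top of this part) gives the `file_type` attribute to a type that is only ever used as an `association` object in hadoop.if (`polmatch`, `setcontext`); that pulls it into every interface that operates on all file types for no benefit and tells the reader it labels files, which it does not. A bare declaration with a comment is enough, the way ipsec.te declares its own SPD label ipsec_spd_t if I recall correctly: `# label for the SPD entries that match hadoop traffic` followed by `type hadoop_lan_t;`. If an attribute is wanted for grouping, it should be one that describes IPsec labels rather than files.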
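Review bot: The hadoop_t hunk (and the datanode and jobtracker hunks below it, as well as the namenode, secondarynamenode, tasktracker and zookeeper hunks in the next part) grants `polmatch` on the SPD label and `peer recv` from the other domains, but nothing in the patch grants the sending side of the SA check; with labeled SAs whose context is the sending domain, the xfrm flow/state match presumably also needs `allow hadoop_t self:association sendto;` (and the matching rule per domain), unless base policy already supplies it — I cannot tell from the patch, so it deserves a check with labeled IPsec enabled and auditing on before merge. Separately, calling the module's own interfaces (`hadoop_datanode_recv(hadoop_t)` and friends) from inside hadoop.te is, as far as I recall, against refpolicy convention, which writes the rule directly in the .te and reserves interfaces for other modules; `allow hadoop_t hadoop_datanode_t:peer recv;` and so on would avoid the self-calls and read just as clearly.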
> @@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>
> +allow hadoop_namenode_t self:peer recv;
> +hadoop_datanode_recv(hadoop_namenode_t)
> +hadoop_jobtracker_recv(hadoop_namenode_t)
> +hadoop_recv(hadoop_namenode_t)
> +hadoop_secondarynamenode_recv(hadoop_namenode_t)
> +hadoop_tasktracker_recv(hadoop_namenode_t)
> +
> ########################################
> #
> # Hadoop secondary namenode policy.
> @@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>
> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>
> +allow hadoop_secondarynamenode_t self:peer recv;
> +hadoop_namenode_recv(hadoop_secondarynamenode_t)
> +
> ########################################
> #
> # Hadoop tasktracker policy.
> @@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>
> +allow hadoop_tasktracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_tasktracker_t)
> +hadoop_jobtracker_recv(hadoop_tasktracker_t)
> +hadoop_recv(hadoop_tasktracker_t)
> +hadoop_namenode_recv(hadoop_tasktracker_t)
> +
> ########################################
> #
> # Hadoop zookeeper client policy.
> @@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_t self:udp_socket create_socket_perms;
> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_t)
> +zookeeper_server_recv(zookeeper_t)
> +
> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
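Review bot: In the tasktracker hunk the interface calls are out of alphabetical order — `hadoop_recv(hadoop_tasktracker_t)` comes before `hadoop_namenode_recv(hadoop_tasktracker_t)` — while the datanode, jobtracker and namenode hunks list theirs sorted; swapping those two lines matches the rest of the patch and refpolicy's ordering convention. The zookeeper client hunk is also the only domain in the series that gets no `allow ... self:peer recv;` line; if that is deliberate because zookeeper_t never receives from another zookeeper_t, a one-line comment above `hadoop_lan_polmatch(zookeeper_t)` would save the next reader the question.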
>
> @@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_server_t self:udp_socket create_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_server_t)
> +allow zookeeper_server_t self:peer recv;
> +zookeeper_recv(zookeeper_server_t)
> +
> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d82ff45..be9e5f1 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
>
> files_read_etc_files(setkey_t)
>
> +hadoop_lan_setcontext(setkey_t)
> +
^ I think this should probably be optional as i believe there is no need for the ipsec module to depend in the hadoop module. optional_policy(` hadoop_lan_setcontext(setkey_t) ')
> init_dontaudit_use_fds(setkey_t)
>
> # allow setkey to set the context for ipsec SAs and policy.
>
> _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0DPL4ACgkQMlxVo39jgT80aACgkMpaimtdti5UU4/7g77uoc51 l30AoLilMysgmkqTmuXa4J95slNBI+LP =Z3Xy -----END PGP SIGNATURE-----
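Review bot: Only setkey_t receives `hadoop_lan_setcontext()` in the ipsec.te hunk, which covers manually keyed SPD entries; if the hadoop SAs are negotiated by IKE instead, racoon_t presumably needs the same `association setcontext` on hadoop_lan_t to install the labeled entries (ipsec.te grants racoon_t `setcontext` on its own ipsec_spd_t, if I recall correctly), so the intended keying model should be confirmed before this is merged. The new rule also carries no explanation of why an IPsec utility needs a hadoop-specific label; a comment such as `# setkey installs the labeled SPD entries that match hadoop traffic` above the call would make the dependency self-describing.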