From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi)
Date: Mon, 13 Dec 2010 10:41:42 -0500
Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec
In-Reply-To: <4D033CBE.9020000@gmail.com>
References: <4D02B63A.90808@tycho.ncsc.mil> <4D033CBE.9020000@gmail.com>
Message-ID: <4D063EB6.6080601@tycho.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 12/11/2010 03:56 AM, Dominick Grift wrote:
> ^ I think this should probably be optional as i believe there is no need
> for the ipsec module to depend in the hadoop module.
>
> optional_policy(`
> hadoop_lan_setcontext(setkey_t)
> ')
>
You are right.
Signed-off-by: Paul Nuzzi
---
 policy/modules/services/hadoop.if | 202 ++++++++++++++++++++++++++++++++++++++
 policy/modules/services/hadoop.te | 45 ++++++++
 policy/modules/system/ipsec.te | 5
 3 files changed, 252 insertions(+)
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index d07e172..c1ca3a6 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -106,6 +106,8 @@ template(`hadoop_domain_template',` files_read_etc_files(hadoop_$1_t) + hadoop_lan_polmatch(hadoop_$1_t) + init_read_utmp(hadoop_$1_t) init_use_fds(hadoop_$1_t) init_use_script_fds(hadoop_$1_t)
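Review bot: `hadoop_lan_polmatch(hadoop_$1_t)` gives every domain built from hadoop_domain_template the polmatch half of the labeled-IPsec grant, while the other half, `allow hadoop_$1_t self:peer recv;`, is repeated by hand for each templated domain in hadoop.te (datanode, jobtracker, namenode, secondarynamenode and tasktracker all get it). Putting `allow hadoop_$1_t self:peer recv;` in the template beside the polmatch call keeps the pair together, drops five duplicated rules, and guarantees that a domain added to the template later is not left half-configured. A short why-comment above the call, `# labeled ipsec: traffic may match SPD entries labeled hadoop_lan_t`, would also help, since polmatch is not self-explanatory. The template body begins before this hunk and continues after it.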
@@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
 hadoop_read_config($1)
 allow $1 hadoop_etc_t:file exec_file_perms;
 ')
+
+########################################
+##
+## Give permission to a domain to
+## polmatch on hadoop_lan_t
+##
+##
+##
+## Domain needing polmatch
+## permission
+##
+##
+#
+interface(`hadoop_lan_polmatch',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association polmatch;
+')
+
+########################################
+##
+## Give permission to a domain to
+## setcontext on hadoop_lan_t
+##
+##
+##
+## Domain needing setcontext
+## permission
+##
+##
+#
+interface(`hadoop_lan_setcontext',`
+ gen_require(`
+ type hadoop_lan_t;
+ ')
+
+ allow $1 hadoop_lan_t:association setcontext;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recv hadoop_datanode_t
+##
+##
+##
+## Domain needing recv
+## permission
+##
+##
+#
+interface(`hadoop_datanode_recv',`
+ gen_require(`
+ type hadoop_datanode_t;
+ ')
+
+ allow $1 hadoop_datanode_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recv hadoop_namenode_t
+##
+##
+##
+## Domain needing recv
+## permission
+##
+##
+#
+interface(`hadoop_namenode_recv',`
+ gen_require(`
+ type hadoop_namenode_t;
+ ')
+
+ allow $1 hadoop_namenode_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recv hadoop_jobtracker_t
+##
+##
+##
+## Domain needing recv
+## permission
+##
+##
+#
+interface(`hadoop_jobtracker_recv',`
+ gen_require(`
+ type hadoop_jobtracker_t;
+ ')
+
+ allow $1 hadoop_jobtracker_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recv hadoop_tasktracker_t
+##
+##
+##
+## Domain needing recv
+## permission
+##
+##
+#
+interface(`hadoop_tasktracker_recv',`
+ gen_require(`
+ type hadoop_tasktracker_t;
+ ')
+
+ allow $1 hadoop_tasktracker_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recv hadoop_secondarynamenode_t
+##
+##
+##
+## Domain needing recv
+## permission
+##
+##
+#
+interface(`hadoop_secondarynamenode_recv',`
+ gen_require(`
+ type hadoop_secondarynamenode_t;
+ ')
+
+ allow $1 hadoop_secondarynamenode_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recv hadoop_t
+##
+##
+##
+## Domain needing recv
+## permission
+##
+##
+#
+interface(`hadoop_recv',`
+ gen_require(`
+ type hadoop_t;
+ ')
+
+ allow $1 hadoop_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recv zookeeper_server_t
+##
+##
+##
+## Domain needing recv
+## permission
+##
+##
+#
+interface(`zookeeper_server_recv',`
+ gen_require(`
+ type zookeeper_server_t;
+ ')
+
+ allow $1 zookeeper_server_t:peer recv;
+')
+
+########################################
+##
+## Give permission to a domain to
+## recv zookeeper_t
+##
+##
+##
+## Domain needing recv
+## permission
+##
+##
+#
+interface(`zookeeper_recv',`
+ gen_require(`
+ type zookeeper_t;
+ ')
+
+ allow $1 zookeeper_t:peer recv;
+')
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index b103f89..e4bbe97 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
 type hadoop_etc_t;
 files_config_file(hadoop_etc_t)
+type hadoop_lan_t;
+files_type(hadoop_lan_t)
+
 type hadoop_log_t;
 logging_log_file(hadoop_log_t)
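Review bot: The nine `*_recv` interfaces each wrap a single `allow $1 <type>:peer recv;`, and hadoop.te then calls them in a near-complete all-pairs matrix, which is a lot of surface to keep in sync whenever a daemon is added. The existing `hadoop_domain` attribute (the `allow hadoop_t hadoop_domain:process signull;` context line in hadoop.te suggests it already covers these domains) would let one rule, `allow hadoop_domain hadoop_domain:peer recv;`, replace most of that matrix — but it is a strict superset of what this patch grants (secondarynamenode would then receive from datanode and tasktracker, which the patch does not allow), so only take that route if the widening is acceptable. If the per-type interfaces stay, their summaries would be clearer stated in SELinux terms, e.g. `Receive labeled IPsec packets from hadoop_datanode_t`, rather than `recv hadoop_datanode_t`.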
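Review bot: `files_type(hadoop_lan_t)` marks the new type as a file type, yet every use of hadoop_lan_t in this patch is on the `association` class (polmatch, setcontext), so a reader of hadoop.te will look for a file label that does not exist. A comment at the declaration, `# label for hadoop labeled-IPsec SPD entries and SAs; never applied to files`, would make the intent clear; if ipsec.te declares its own SPD type the same way it is worth saying so, and if the policy offers an IPsec-specific declaration it should be used instead of files_type().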
@@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
 allow hadoop_t hadoop_domain:process signull;
+hadoop_lan_polmatch(hadoop_t)
+allow hadoop_t self:peer recv;
+hadoop_datanode_recv(hadoop_t)
+hadoop_jobtracker_recv(hadoop_t)
+hadoop_namenode_recv(hadoop_t)
+hadoop_tasktracker_recv(hadoop_t)
+
 read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
 read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
 can_exec(hadoop_t, hadoop_etc_t)
@@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
 fs_getattr_xattr_fs(hadoop_datanode_t)
+allow hadoop_datanode_t self:peer recv;
+hadoop_jobtracker_recv(hadoop_datanode_t)
+hadoop_namenode_recv(hadoop_datanode_t)
+hadoop_recv(hadoop_datanode_t)
+hadoop_tasktracker_recv(hadoop_datanode_t)
+
 ########################################
 #
 # Hadoop jobtracker policy.
@@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
 corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
 corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
+allow hadoop_jobtracker_t self:peer recv;
+hadoop_datanode_recv(hadoop_jobtracker_t)
+hadoop_namenode_recv(hadoop_jobtracker_t)
+hadoop_recv(hadoop_jobtracker_t)
+hadoop_tasktracker_recv(hadoop_jobtracker_t)
+
 ########################################
 #
 # Hadoop namenode policy.
@@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
 corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
 corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
+allow hadoop_namenode_t self:peer recv;
+hadoop_datanode_recv(hadoop_namenode_t)
+hadoop_jobtracker_recv(hadoop_namenode_t)
+hadoop_recv(hadoop_namenode_t)
+hadoop_secondarynamenode_recv(hadoop_namenode_t)
+hadoop_tasktracker_recv(hadoop_namenode_t)
+
 ########################################
 #
 # Hadoop secondary namenode policy.
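Review bot: The peer recv rules added for hadoop_t only decide anything when a packet actually arrives carrying a hadoop_* peer label; nothing in this hunk (or, as far as the patch shows, elsewhere) requires the Hadoop ports to be reached through the hadoop_lan_t SPD, so an unlabeled connection to the same ports is governed by whatever unlabeled-peer access these domains already hold, not by these rules. That is a reasonable design for opportunistic labeling, but it should be written down so nobody reads this block as enforcing IPsec; a comment above the block such as `# labeled ipsec: recv from hadoop peers when the SPD labels the flow; unlabeled traffic is not affected by these rules` would do. The hadoop_t section continues past the end of the hunk.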
@@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
 corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
+allow hadoop_secondarynamenode_t self:peer recv;
+hadoop_namenode_recv(hadoop_secondarynamenode_t)
+
 ########################################
 #
 # Hadoop tasktracker policy.
@@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
 fs_getattr_xattr_fs(hadoop_tasktracker_t)
+allow hadoop_tasktracker_t self:peer recv;
+hadoop_datanode_recv(hadoop_tasktracker_t)
+hadoop_jobtracker_recv(hadoop_tasktracker_t)
+hadoop_recv(hadoop_tasktracker_t)
+hadoop_namenode_recv(hadoop_tasktracker_t)
+
 ########################################
 #
 # Hadoop zookeeper client policy.
@@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
 allow zookeeper_t self:udp_socket create_socket_perms;
 dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
+hadoop_lan_polmatch(zookeeper_t)
+zookeeper_server_recv(zookeeper_t)
+
 read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
 read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
@@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
 allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
 allow zookeeper_server_t self:udp_socket create_socket_perms;
+hadoop_lan_polmatch(zookeeper_server_t)
+allow zookeeper_server_t self:peer recv;
+zookeeper_recv(zookeeper_server_t)
+
 allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
 files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index d82ff45..c6545bb 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
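Review bot: In the tasktracker block `hadoop_recv(hadoop_tasktracker_t)` is listed before `hadoop_namenode_recv(hadoop_tasktracker_t)`, while the datanode, jobtracker and namenode blocks earlier in the patch keep their `*_recv` calls in alphabetical order; swap the two lines so the block reads `hadoop_jobtracker_recv(hadoop_tasktracker_t)`, `hadoop_namenode_recv(hadoop_tasktracker_t)`, `hadoop_recv(hadoop_tasktracker_t)`. A sorted list makes it obvious at a glance which peers are intentionally omitted (here, secondarynamenode), which is exactly the check this all-pairs matrix needs from reviewers.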
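Review bot: zookeeper_t is the only domain in this patch that receives `hadoop_lan_polmatch` without a matching `allow zookeeper_t self:peer recv;`; every other domain, including zookeeper_server_t in the following hunk, gets both. If the omission is deliberate because the client never receives from another zookeeper_t peer, a one-line comment, `# client only receives from zookeeper_server_t, so no self recv`, would stop someone from "fixing" it later; if it is an oversight, add the self recv rule as the other blocks do.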
@@ -422,3 +422,8 @@ miscfiles_read_localization(setkey_t)
 seutil_read_config(setkey_t)
 userdom_use_user_terminals(setkey_t)
+
+optional_policy(`
+ hadoop_lan_setcontext(setkey_t)
+')
+
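Review bot: `hadoop_lan_setcontext(setkey_t)` covers SPD entries that setkey installs by hand, but if the hadoop_lan_t SAs are negotiated by an IKE daemon rather than added statically, the daemon's domain (racoon_t, if this ipsec.te still defines it) would need the same `association setcontext` permission to create SAs carrying that label. If that deployment is intended, add a second `optional_policy(` hadoop_lan_setcontext(racoon_t) `)` block beside this one; if not, a comment stating that hadoop_lan_t SAs are expected to be static would spare the next person the question. The hunk also appends an empty line after the closing `')`, leaving a trailing blank line at end of file.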