From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi) Date: Mon, 13 Dec 2010 10:39:11 -0500 Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3 In-Reply-To: <4D033DF6.8000907@gmail.com> References: <4D02B638.1000503@tycho.ncsc.mil> <4D033DF6.8000907@gmail.com> Message-ID: <4D063E1F.1090406@tycho.ncsc.mil> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/11/2010 04:01 AM, Dominick Grift wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 12/11/2010 12:22 AM, Paul Nuzzi wrote: >> Updated the hadoop policy to work with the latest Cloudera version (CDHb3). >> Fixed a bug where policy was preventing exporting files from the >> distributed file system to the user's home directory. >> >> Signed-off-by: Paul Nuzzi >> >> --- >> >> policy/modules/roles/unprivuser.te | 4 ++++ >> policy/modules/services/hadoop.fc | 14 +++++++++----- >> policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++--- >> policy/modules/services/hadoop.te | 14 ++++++++++++++ >> 4 files changed, 51 insertions(+), 8 deletions(-) >> >> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te >> index 606a257..7a48dad 100644 >> --- a/policy/modules/roles/unprivuser.te >> +++ b/policy/modules/roles/unprivuser.te >> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',` >> ') >> >> optional_policy(` >> + hadoop_role(user_r, user_t) >> + ') >> + >> + optional_policy(` >> irc_role(user_r, user_t) >> ') >> >> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc >> index 3035be2..00a877d 100644 >> --- a/policy/modules/services/hadoop.fc >> +++ b/policy/modules/services/hadoop.fc 
>> @@ -1,10 +1,10 @@
>> /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
>>
>> -/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>> /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>>
>> /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> @@ -24,10 +24,14 @@
>>
>> /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>> /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>> /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>>
>> /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>> index 9e9bfe7..d1ff90d 100644
>> --- a/policy/modules/services/hadoop.if
>> +++ b/policy/modules/services/hadoop.if
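Review bot: The new hdfs/mapred cache layout gets entries for data, namesecondary, jobTracker and taskTracker, but no matching `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)?` line for the namenode, so under that layout the namenode metadata directory would fall through to the generic hadoop_var_lib_t label instead of hadoop_namenode_var_lib_t. Unless CDH3 keeps the namenode under the old hadoop/ path, add `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)` next to the data entry. The `/var/lock/subsys/hadoop-datanode` entry visible in context still carries the fixed name while the init scripts in the first hunk gained `(.*-)?`; if the lock files follow the script names on CDH3 they will no longer match these entries and the per-daemon lock types will not be applied, so the lock entries presumably need the same pattern.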
>> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
>> # Shared hadoop_$1 policy.
>> #
>>
>> - allow hadoop_$1_t self:process execmem;
>> + allow hadoop_$1_t self:capability { chown kill setgid setuid };
>> + allow hadoop_$1_t self:key search;
>> + allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
>> allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
>> allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
>> + allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
>> allow hadoop_$1_t self:udp_socket create_socket_perms;
>> dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>>
>> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>> files_search_var_lib(hadoop_$1_t)
>>
>> - allow hadoop_$1_t hadoop_var_run_t:dir getattr;
>> - files_search_pids(hadoop_$1_t)
>> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
>> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
>> + files_search_pids(hadoop_$1_t)
>>
>> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
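Review bot: The capability line grants chown, kill, setgid and setuid to every domain stamped out by hadoop_domain_template, so the datanode, jobtracker, namenode, secondarynamenode and tasktracker daemons all receive them whether or not each one actually performs the privilege drop the thread describes. Nothing in the hunk records why they are needed; a comment above the line, e.g. `# daemons start as root and su to the service account at startup`, would tie the capabilities to that step and make them easy to revisit when the startup path changes again. If only some of the daemons drop privileges, moving the line into the per-domain sections of hadoop.te would keep setuid/setgid off the others. The template body continues outside the hunk.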
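Review bot: hadoop_$1_t is now given manage rights on hadoop_$1_initrc_var_run_t, which by its name is the pid-file type owned by the init script domain, plus a file transition into it under hadoop_var_run_t, rather than a run type of its own. A daemon that can rewrite the pid file its init script later reads can influence which process the stop action signals, so if the daemon really writes its own pid file on CDH3 a daemon-owned var_run type with a separate transition would keep the two domains' files apart; if it only needs to read the file the init script wrote, a read pattern is enough. Either way a short comment such as `# pid file is written by the daemon itself on CDH3` would explain the change from the old getattr-only rule. The template body continues outside the hunk.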
>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',` >> >> files_read_etc_files(hadoop_$1_t) >> >> + init_read_utmp(hadoop_$1_t) >> + init_use_fds(hadoop_$1_t) >> + init_use_script_fds(hadoop_$1_t) >> + init_use_script_ptys(hadoop_$1_t) >> + >> + kerberos_use(hadoop_$1_t) > > Does hadoop depend on kerberos? If no then kerberos_use should probably > be optional. > The new version of hadoop added Kerberos for authentication. >> + kernel_read_kernel_sysctls(hadoop_$1_t) >> + kernel_read_sysctl(hadoop_$1_t) >> + >> + logging_send_audit_msgs(hadoop_$1_t) >> + logging_send_syslog_msg(hadoop_$1_t) >> + >> miscfiles_read_localization(hadoop_$1_t) >> >> + su_exec(hadoop_$1_t) > > Does hadoop depend on su? If not then su_exec should probably be optional. > > (btw would sudo work?) > The hadoop developers have been adding more security to the software stack. From what I can tell, the services start out as root and then execute su to drop privileges. >> sysnet_read_config(hadoop_$1_t) >> >> hadoop_exec_config(hadoop_$1_t) >> >> java_exec(hadoop_$1_t) >> >> + auth_domtrans_chkpwd(hadoop_$1_t) >> + >> optional_policy(` >> nscd_socket_use(hadoop_$1_t) >> ') >> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',` >> consoletype_exec(hadoop_$1_initrc_t) >> >> fs_getattr_xattr_fs(hadoop_$1_initrc_t) >> + fs_search_cgroup_dirs(hadoop_$1_initrc_t) >> >> term_use_generic_ptys(hadoop_$1_initrc_t) >> >> hadoop_exec_config(hadoop_$1_initrc_t) >> >> init_rw_utmp(hadoop_$1_initrc_t) >> + init_use_fds(hadoop_$1_initrc_t) >> init_use_script_ptys(hadoop_$1_initrc_t) >> >> logging_send_syslog_msg(hadoop_$1_initrc_t) >> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te >> index 35a8131..b103f89 100644 >> --- a/policy/modules/services/hadoop.te >> +++ b/policy/modules/services/hadoop.te 
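Review bot: `auth_domtrans_chkpwd(hadoop_$1_t)` is inserted after `java_exec`, outside the alphabetical-by-module order that the rest of the additions in this hunk follow (init, kerberos, kernel, logging, miscfiles, su, sysnet); moving it up with the other module calls, before `files_read_etc_files`, keeps the template consistent with refpolicy style. The su_exec/chkpwd/audit-message group also deserves a one-line comment, e.g. `# daemons start as root and su to the service user; su runs in this domain`, since su_exec runs su without a domain transition and that is presumably why the password-check transition and audit messages are needed here. The template body continues outside the hunk.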
>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
>> dev_read_rand(hadoop_t)
>> dev_read_sysfs(hadoop_t)
>> dev_read_urand(hadoop_t)
>> +domain_use_interactive_fds(hadoop_t)
>>
>> files_dontaudit_search_spool(hadoop_t)
>> +files_read_etc_files(hadoop_t)
>> files_read_usr_files(hadoop_t)
>> +files_search_var_lib(hadoop_t)
>>
>> fs_getattr_xattr_fs(hadoop_t)
>>
>> +kerberos_use(hadoop_t)
>> +
>> miscfiles_read_localization(hadoop_t)
>>
>> +sysnet_read_config(hadoop_t)
>> +
>> userdom_dontaudit_search_user_home_dirs(hadoop_t)
>> +userdom_list_user_home_content(hadoop_t)
>> +userdom_manage_user_home_content_files(hadoop_t)
>> userdom_use_user_terminals(hadoop_t)
>>
>> java_exec(hadoop_t)
>> @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
>> corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>>
>> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
>> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
>> filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>>
>> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
>> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
>> +
>> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>>
>> fs_getattr_xattr_fs(hadoop_tasktracker_t)
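Review bot: `userdom_dontaudit_search_user_home_dirs(hadoop_t)` is left in place directly above the new `userdom_list_user_home_content(hadoop_t)`, which grants search on user home directories, so the dontaudit rule is now dead and reads as a contradiction; drop it in the same change. `userdom_manage_user_home_content_files(hadoop_t)` gives the client domain create, write and delete on every file type under a user's home, not just the export destination, which is what the home-directory fix in the description needs but is a broad grant for a tool users invoke from their own shell; a comment such as `# hadoop fs -get/-put into the user's home directory` above the pair would record the reason for the next reviewer. The hadoop_t section continues outside the hunk.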
>> @@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t) >> dev_read_rand(zookeeper_t) >> dev_read_sysfs(zookeeper_t) >> dev_read_urand(zookeeper_t) >> +domain_use_interactive_fds(zookeeper_t) >> >> files_read_etc_files(zookeeper_t) >> files_read_usr_files(zookeeper_t) >> >> _______________________________________________ >> refpolicy mailing list >> refpolicy at oss.tresys.com >> http://oss.tresys.com/mailman/listinfo/refpolicy > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v2.0.16 (GNU/Linux) > Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ > > iEYEARECAAYFAk0DPfYACgkQMlxVo39jgT/FRQCaAnmATWIf2/KsG5GZylufw5La > 8KQAn3/XDpXh/FN61oWR3WAmTW7wzIsH > =qPch > -----END PGP SIGNATURE----- > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy >