From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 15 Dec 2010 15:17:15 -0500 Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3 In-Reply-To: <4D063E1F.1090406@tycho.ncsc.mil> References: <4D02B638.1000503@tycho.ncsc.mil> <4D033DF6.8000907@gmail.com> <4D063E1F.1090406@tycho.ncsc.mil> Message-ID: <4D09224B.4010308@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/13/10 10:39, Paul Nuzzi wrote: > On 12/11/2010 04:01 AM, Dominick Grift wrote: > On 12/11/2010 12:22 AM, Paul Nuzzi wrote: >>>> Updated the hadoop policy to work with the latest Cloudera version (CDHb3). >>>> Fixed a bug where policy was preventing exporting files from the >>>> distributed file system to the user's home directory. >>>> >>>> Signed-off-by: Paul Nuzzi >>>> >>>> --- >>>> >>>> policy/modules/roles/unprivuser.te | 4 ++++ >>>> policy/modules/services/hadoop.fc | 14 +++++++++----- >>>> policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++--- >>>> policy/modules/services/hadoop.te | 14 ++++++++++++++ >>>> 4 files changed, 51 insertions(+), 8 deletions(-) >>>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if >>>> index 9e9bfe7..d1ff90d 100644 >>>> --- a/policy/modules/services/hadoop.if >>>> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',` >>>> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file) >>>> files_search_var_lib(hadoop_$1_t) >>>> >>>> - allow hadoop_$1_t hadoop_var_run_t:dir getattr; >>>> - files_search_pids(hadoop_$1_t) >>>> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t) >>>> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file) >>>> + files_search_pids(hadoop_$1_t) >>>> >>>> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms; >>>> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t) 
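Review bot: in the hadoop.if hunk at @@ -69,8 +72,9 @@, the daemon domain hadoop_$1_t now gets manage_files_pattern on hadoop_$1_initrc_var_run_t plus a file transition from hadoop_var_run_t to that same type, so the daemon creates and rewrites its pid file under the init script's type instead of one of its own; if the daemon and its init script really do share one pid file, say so in a comment beside the filetrans_pattern line, otherwise declare a daemon-owned pid type (files_pid_file) and transition to that, leaving hadoop_$1_initrc_var_run_t to the init script domain. Dropping `allow hadoop_$1_t hadoop_var_run_t:dir getattr;` is fine on its own: filetrans_pattern already grants search_dir_perms and add_entry_dir_perms on hadoop_var_run_t, and search_dir_perms includes getattr.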
>>>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',` >>>> >>>> files_read_etc_files(hadoop_$1_t) >>>> >>>> + init_read_utmp(hadoop_$1_t) >>>> + init_use_fds(hadoop_$1_t) >>>> + init_use_script_fds(hadoop_$1_t) >>>> + init_use_script_ptys(hadoop_$1_t) >>>> + >>>> + kerberos_use(hadoop_$1_t) > > Does hadoop depend on kerberos? If not, then kerberos_use should probably > be optional. > > >> The new version of hadoop added Kerberos for authentication. So, to be explicit, it's an unconditional requirement? >>>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te >>>> index 35a8131..b103f89 100644 >>>> --- a/policy/modules/services/hadoop.te >>>> +++ b/policy/modules/services/hadoop.te >>>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t) >>>> dev_read_rand(hadoop_t) >>>> dev_read_sysfs(hadoop_t) >>>> dev_read_urand(hadoop_t) >>>> +domain_use_interactive_fds(hadoop_t) >>>> >>>> files_dontaudit_search_spool(hadoop_t) >>>> +files_read_etc_files(hadoop_t) >>>> files_read_usr_files(hadoop_t) >>>> +files_search_var_lib(hadoop_t) >>>> >>>> fs_getattr_xattr_fs(hadoop_t) >>>> >>>> +kerberos_use(hadoop_t) >>>> + >>>> miscfiles_read_localization(hadoop_t) >>>> >>>> +sysnet_read_config(hadoop_t) >>>> + >>>> userdom_dontaudit_search_user_home_dirs(hadoop_t) >>>> +userdom_list_user_home_content(hadoop_t) >>>> +userdom_manage_user_home_content_files(hadoop_t) It seems like there should be a hadoop_home_t that is userdom_user_home_content() -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
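Review bot: in the hadoop.if hunk at @@ -102,14 +106,29 @@, kerberos_use(hadoop_$1_t) is called unconditionally inside hadoop_domain_template, which makes every domain built from the template hard-depend on the kerberos module being present at build time; unless Kerberos is genuinely mandatory for CDH3 (the open question in this thread), wrap it the way refpolicy wraps other cross-module calls, i.e. `optional_policy(`kerberos_use(hadoop_$1_t)')`, and move it below the non-optional interfaces so the optional block sits in its usual place at the end of the template. The init_use_fds / init_use_script_fds / init_use_script_ptys additions look right for daemons started from an init script, but a one-line comment saying which daemon needed init_read_utmp would help the next reader, since a pid-file-writing daemon normally has no use for utmp.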
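Review bot: in the hadoop.te hunk at @@ -133,15 +133,24 @@, userdom_manage_user_home_content_files(hadoop_t) grants the client domain create, write, rename and unlink on every type carrying the user_home_type attribute under every user's home directory, which is far broader than the stated goal of exporting files from HDFS into the user's home; a dedicated type declared with userdom_user_home_content() plus manage_files_pattern on that type and a userdom_user_home_dir_filetrans for hadoop_t would label only what hadoop writes and leave the user's other files untouched. With userdom_list_user_home_content(hadoop_t) now allowing list_dir_perms on user_home_dir_t, the remaining userdom_dontaudit_search_user_home_dirs(hadoop_t) line two lines above it is redundant and should be dropped. kerberos_use(hadoop_t) has the same unconditional-dependency issue as the template and should sit inside optional_policy(`...') here too.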
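The shape of the hadoop_home_t suggestion above, written out as an added example in refpolicy syntax (not code from the patch or from the refpolicy tree). The type name hadoop_home_t follows the suggestion in the reply; the interface names are the standard userdom ones, and the decision to transition only objects created directly in $HOME is an assumption about how the export should be labelled, not something the patch states:

```selinux
# hadoop.te (added example): a home-directory type owned by the hadoop
# module instead of blanket manage rights on all user home content.

# Declaring the type as user home content gives it the user_home_type
# attribute, so the existing user domains can read, rename and remove
# whatever hadoop leaves in their home directory.
type hadoop_home_t;
userdom_user_home_content(hadoop_home_t)

# The client domain may only manage this one type under home dirs ...
manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)

# ... needs to traverse the home directory to get there ...
userdom_search_user_home_dirs(hadoop_t)

# ... and anything it creates directly in $HOME (user_home_dir_t)
# is labelled hadoop_home_t by type transition, so no relabel is needed
# after the export. (Assumption: exports land directly in $HOME.)
userdom_user_home_dir_filetrans(hadoop_t, hadoop_home_t, { dir file })
```

One caveat a practitioner will hit: the type transition fires only for objects created directly in a user_home_dir_t directory. An export into an existing subdirectory (normally user_home_t) does not transition, so either the subdirectory gets a file context entry in hadoop.fc (the thread does not name a path, so none is given here) or the user creates the target directory and hadoop_t is only given search on it.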