From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi) Date: Thu, 16 Dec 2010 12:32:43 -0500 Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec In-Reply-To: <4D092B20.2030002@tresys.com> References: <4D02B63A.90808@tycho.ncsc.mil> <4D092B20.2030002@tresys.com> Message-ID: <4D0A4D3B.5050700@tycho.ncsc.mil> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote: > On 12/10/10 18:22, Paul Nuzzi wrote: >> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to >> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces >> the architecture of Hadoop without having to modify any of the code. This adds a level of >> confidentiality, integrity, and authentication provided outside the software stack. > > A few things. > > The verb used in Reference Policy interfaces for peer recv is recvfrom > (a holdover from previous labeled networking implementations). So the > interfaces are like hadoop_recvfrom_datanode(). Easy change. > It seems like setkey should be able to setcontext any type used on ipsec > associations. I think the best thing would be to add additional support > to either the ipsec or corenetwork modules (I haven't decided which one > yet) for associations. So, say we have an interface called > ipsec_spd_type() which adds the parameter type to the attribute > ipsec_spd_types. Then we can have an allow setkey_t > ipsec_spd_types:association setkey; rule and we don't have to update it > every time more labeled network is added. That seems a lot less clunky than updating setkey every time we add a new association. > This is definitely wrong since its not a file: > +files_type(hadoop_lan_t) Let me know how you would like to handle associations and I could update the patch. Will the files_type error be cleared up when we re-engineer this? >> Signed-off-by: Paul Nuzzi >> >> --- 
>>
>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>> index d07e172..c1ca3a6 100644
>> --- a/policy/modules/services/hadoop.if
>> +++ b/policy/modules/services/hadoop.if
>> @@ -106,6 +106,8 @@ template(`hadoop_domain_template',`
>>
>> files_read_etc_files(hadoop_$1_t)
>>
>> + hadoop_lan_polmatch(hadoop_$1_t)
>> +
>> init_read_utmp(hadoop_$1_t)
>> init_use_fds(hadoop_$1_t)
>> init_use_script_fds(hadoop_$1_t)
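Review bot: The template now grants `polmatch` on hadoop_lan_t, but that only covers the SPD lookup; for a labeled-IPsec flow the domain must also be allowed `sendto` and `recvfrom` on its own association, and this hunk adds nothing of the kind. Unless hadoop_domain_template already carries an `allow hadoop_$1_t self:association { sendto recvfrom };` (or an interface that expands to it) outside the hunk, IPsec-protected traffic for every templated domain will be denied, and network denials surface as dropped packets rather than a connect error, which makes the gap hard to spot in testing. The same question applies to the explicit hadoop_t, zookeeper_t and zookeeper_server_t rules in hadoop.te. hadoop_domain_template starts and ends outside the hunk, so I cannot confirm either way from the diff.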
>> @@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
>> hadoop_read_config($1)
>> allow $1 hadoop_etc_t:file exec_file_perms;
>> ')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## polmatch on hadoop_lan_t
>> +##
>> +##
>> +##
>> +## Domain needing polmatch
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`hadoop_lan_polmatch',`
>> + gen_require(`
>> + type hadoop_lan_t;
>> + ')
>> +
>> + allow $1 hadoop_lan_t:association polmatch;
>> +')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## setcontext on hadoop_lan_t
>> +##
>> +##
>> +##
>> +## Domain needing setcontext
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`hadoop_lan_setcontext',`
>> + gen_require(`
>> + type hadoop_lan_t;
>> + ')
>> +
>> + allow $1 hadoop_lan_t:association setcontext;
>> +')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## recv hadoop_datanode_t
>> +##
>> +##
>> +##
>> +## Domain needing recv
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`hadoop_datanode_recv',`
>> + gen_require(`
>> + type hadoop_datanode_t;
>> + ')
>> +
>> + allow $1 hadoop_datanode_t:peer recv;
>> +')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## recv hadoop_namenode_t
>> +##
>> +##
>> +##
>> +## Domain needing recv
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`hadoop_namenode_recv',`
>> + gen_require(`
>> + type hadoop_namenode_t;
>> + ')
>> +
>> + allow $1 hadoop_namenode_t:peer recv;
>> +')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## recv hadoop_jobtracker_t
>> +##
>> +##
>> +##
>> +## Domain needing recv
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`hadoop_jobtracker_recv',`
>> + gen_require(`
>> + type hadoop_jobtracker_t;
>> + ')
>> +
>> + allow $1 hadoop_jobtracker_t:peer recv;
>> +')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## recv hadoop_tasktracker_t
>> +##
>> +##
>> +##
>> +## Domain needing recv
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`hadoop_tasktracker_recv',`
>> + gen_require(`
>> + type hadoop_tasktracker_t;
>> + ')
>> +
>> + allow $1 hadoop_tasktracker_t:peer recv;
>> +')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## recv hadoop_secondarynamenode_t
>> +##
>> +##
>> +##
>> +## Domain needing recv
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`hadoop_secondarynamenode_recv',`
>> + gen_require(`
>> + type hadoop_secondarynamenode_t;
>> + ')
>> +
>> + allow $1 hadoop_secondarynamenode_t:peer recv;
>> +')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## recv hadoop_t
>> +##
>> +##
>> +##
>> +## Domain needing recv
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`hadoop_recv',`
>> + gen_require(`
>> + type hadoop_t;
>> + ')
>> +
>> + allow $1 hadoop_t:peer recv;
>> +')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## recv zookeeper_server_t
>> +##
>> +##
>> +##
>> +## Domain needing recv
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`zookeeper_server_recv',`
>> + gen_require(`
>> + type zookeeper_server_t;
>> + ')
>> +
>> + allow $1 zookeeper_server_t:peer recv;
>> +')
>> +
>> +########################################
>> +##
>> +## Give permission to a domain to
>> +## recv zookeeper_t
>> +##
>> +##
>> +##
>> +## Domain needing recv
>> +## permission
>> +##
>> +##
>> +#
>> +interface(`zookeeper_recv',`
>> + gen_require(`
>> + type zookeeper_t;
>> + ')
>> +
>> + allow $1 zookeeper_t:peer recv;
>> +')
>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
>> index b103f89..e4bbe97 100644
>> --- a/policy/modules/services/hadoop.te
>> +++ b/policy/modules/services/hadoop.te
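Review bot: The summaries of the seven `*_recv` interfaces say only "Give permission to a domain to recv hadoop_datanode_t" and leave out the one fact a caller needs: this is a labeled-network `peer recv` rule, and a TCP session only works when the other end is granted the converse interface. I would write each summary along the lines of `Receive labeled network packets (labeled IPsec) from peers running in the hadoop_datanode_t domain; the peer domain must be granted the matching recv interface for $1 or the session is dropped in one direction`, and say the same for hadoop_lan_polmatch, whose summary should name hadoop_lan_t as the SPD-entry label rather than just repeating the permission name. Also, the two new zookeeper_server_recv and zookeeper_recv interfaces carry a `zookeeper_` prefix inside hadoop.if; if hadoop.if does not already export zookeeper_-prefixed interfaces, a `hadoop_zookeeper_*` name would keep the module-prefix convention and make it obvious where the types live. This hunk appends to the end of the file, so nothing is cut.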
>> @@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
>> type hadoop_etc_t;
>> files_config_file(hadoop_etc_t)
>>
>> +type hadoop_lan_t;
>> +files_type(hadoop_lan_t)
>> +
>> type hadoop_log_t;
>> logging_log_file(hadoop_log_t)
>>
>> @@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>>
>> allow hadoop_t hadoop_domain:process signull;
>>
>> +hadoop_lan_polmatch(hadoop_t)
>> +allow hadoop_t self:peer recv;
>> +hadoop_datanode_recv(hadoop_t)
>> +hadoop_jobtracker_recv(hadoop_t)
>> +hadoop_namenode_recv(hadoop_t)
>> +hadoop_tasktracker_recv(hadoop_t)
>> +
>> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
>> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
>> can_exec(hadoop_t, hadoop_etc_t)
>> @@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>>
>> fs_getattr_xattr_fs(hadoop_datanode_t)
>>
>> +allow hadoop_datanode_t self:peer recv;
>> +hadoop_jobtracker_recv(hadoop_datanode_t)
>> +hadoop_namenode_recv(hadoop_datanode_t)
>> +hadoop_recv(hadoop_datanode_t)
>> +hadoop_tasktracker_recv(hadoop_datanode_t)
>> +
>> ########################################
>> #
>> # Hadoop jobtracker policy.
>> @@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
>> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
>> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>>
>> +allow hadoop_jobtracker_t self:peer recv;
>> +hadoop_datanode_recv(hadoop_jobtracker_t)
>> +hadoop_namenode_recv(hadoop_jobtracker_t)
>> +hadoop_recv(hadoop_jobtracker_t)
>> +hadoop_tasktracker_recv(hadoop_jobtracker_t)
>> +
>> ########################################
>> #
>> # Hadoop namenode policy.
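Review bot: The new `type hadoop_lan_t;` declaration has no comment saying what the type is for, and its name does not reveal that it labels IPsec SPD entries rather than anything on the LAN itself. A one-line comment above the declaration, such as `# label for the IPsec SPD entries covering hadoop cluster traffic; assigned by setkey and matched by the hadoop domains via polmatch`, would tell a reader why setkey gets setcontext on it and why every hadoop domain gets polmatch, neither of which is visible from this hunk. The files_type() line is already under discussion, so I am not revisiting it here.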
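Review bot: The `peer recv` rules form a hand-maintained adjacency matrix spread over six sections (this hunk, the datanode and jobtracker hunks below it, and the namenode, secondarynamenode, tasktracker and zookeeper hunks that follow in hadoop.te), and the property that makes it correct, that every pair is granted in both directions, is stated nowhere. Checking the hunks as shown, every pair is symmetric (for example secondarynamenode only talks to namenode and namenode lists secondarynamenode back), which is exactly why it deserves a comment: the next person who adds a daemon will get a half-granted pair, and a missing `peer recv` shows up as silently dropped packets under labeled IPsec, not as an audit-visible connect failure unless auditing is enabled for it. I would put `# labeled IPsec peer recv: every pair below must be granted in both domains' sections, or the session is dropped in one direction` above the first block and refer to it from the others.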
>> @@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
>> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
>> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>>
>> +allow hadoop_namenode_t self:peer recv;
>> +hadoop_datanode_recv(hadoop_namenode_t)
>> +hadoop_jobtracker_recv(hadoop_namenode_t)
>> +hadoop_recv(hadoop_namenode_t)
>> +hadoop_secondarynamenode_recv(hadoop_namenode_t)
>> +hadoop_tasktracker_recv(hadoop_namenode_t)
>> +
>> ########################################
>> #
>> # Hadoop secondary namenode policy.
>> @@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>>
>> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>>
>> +allow hadoop_secondarynamenode_t self:peer recv;
>> +hadoop_namenode_recv(hadoop_secondarynamenode_t)
>> +
>> ########################################
>> #
>> # Hadoop tasktracker policy.
>> @@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>>
>> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>>
>> +allow hadoop_tasktracker_t self:peer recv;
>> +hadoop_datanode_recv(hadoop_tasktracker_t)
>> +hadoop_jobtracker_recv(hadoop_tasktracker_t)
>> +hadoop_recv(hadoop_tasktracker_t)
>> +hadoop_namenode_recv(hadoop_tasktracker_t)
>> +
>> ########################################
>> #
>> # Hadoop zookeeper client policy.
>> @@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
>> allow zookeeper_t self:udp_socket create_socket_perms;
>> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>>
>> +hadoop_lan_polmatch(zookeeper_t)
>> +zookeeper_server_recv(zookeeper_t)
>> +
>> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>>
>> @@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
>> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
>> allow zookeeper_server_t self:udp_socket create_socket_perms;
>>
>> +hadoop_lan_polmatch(zookeeper_server_t)
>> +allow zookeeper_server_t self:peer recv;
>> +zookeeper_recv(zookeeper_server_t)
>> +
>> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
>> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>>
>> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
>> index d82ff45..be9e5f1 100644
>> --- a/policy/modules/system/ipsec.te
>> +++ b/policy/modules/system/ipsec.te
>> @@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
>>
>> files_read_etc_files(setkey_t)
>>
>> +hadoop_lan_setcontext(setkey_t)
>> +
>> init_dontaudit_use_fds(setkey_t)
>>
>> # allow setkey to set the context for ipsec SAs and policy.
>>
>> _______________________________________________
>> refpolicy mailing list
>> refpolicy at oss.tresys.com
>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
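Review bot: zookeeper_t is the only domain in this patch that gets `hadoop_lan_polmatch` without a matching `allow zookeeper_t self:peer recv;`, whereas every other domain, including zookeeper_server_t in the next hunk, receives from itself. That is plausibly deliberate, since a client has no reason to talk to another client, but it reads as an omission next to the other sections; if it is intended, a short comment on the zookeeper_t block, such as `# clients never exchange traffic with each other, so no self:peer recv`, would stop the next reviewer from "fixing" it.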
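Review bot: The bare `hadoop_lan_setcontext(setkey_t)` call in ipsec.te is an unconditional reference from a system module to the hadoop service module; if hadoop is not built, the interface is undefined and the ipsec module fails to build, which is why cross-module calls into optional services elsewhere in the system layer are wrapped. Wrapping it as an `optional_policy()` block around the one call (`optional_policy(\`` / `hadoop_lan_setcontext(setkey_t)` / `')`) keeps ipsec.te independent of hadoop until the association attribute discussed above makes the call unnecessary. Note the surrounding context line already grants `domain_ipsec_setcontext_all_domains(setkey_t)`, so a comment on the new call saying why hadoop_lan_t is not covered by that rule (it is not a domain) would also help a reader who sees both lines together.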