From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 05 Jan 2011 08:48:45 -0500
Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec
In-Reply-To: <4D0A4D3B.5050700@tycho.ncsc.mil>
References: <4D02B63A.90808@tycho.ncsc.mil> <4D092B20.2030002@tresys.com> <4D0A4D3B.5050700@tycho.ncsc.mil>
Message-ID: <4D2476BD.2000209@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/16/10 12:32, Paul Nuzzi wrote:
> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote:
>> On 12/10/10 18:22, Paul Nuzzi wrote:
>>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to
>>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces
>>> the architecture of Hadoop without having to modify any of the code. This adds a level of
>>> confidentiality, integrity, and authentication provided outside the software stack.
>>
>> A few things.
>>
>> The verb used in Reference Policy interfaces for peer recv is recvfrom
>> (a holdover from previous labeled networking implementations). So the
>> interfaces are like hadoop_recvfrom_datanode().
>
> Easy change.
>
>> It seems like setkey should be able to setcontext any type used on ipsec
>> associations. I think the best thing would be to add additional support
>> to either the ipsec or corenetwork modules (I haven't decided which one
>> yet) for associations. So, say we have an interface called
>> ipsec_spd_type() which adds the parameter type to the attribute
>> ipsec_spd_types. Then we can have an allow setkey_t
>> ipsec_spd_types:association setkey; rule and we don't have to update it
>> every time more labeled network is added.
>
> That seems a lot less clunky than updating setkey every time we add a new association.
>
>> This is definitely wrong since it's not a file:
>> +files_type(hadoop_lan_t)
>
> Let me know how you would like to handle associations and I could update the
> patch.
Let's go with putting the associations in corenetwork.

> Will the files_type error be cleared up when we re-engineer this?

I'm not sure what you mean. The incorrect rule was added in your patch.

>>> Signed-off-by: Paul Nuzzi >>> >>> --- >>> >>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if >>> index d07e172..c1ca3a6 100644 >>> --- a/policy/modules/services/hadoop.if >>> +++ b/policy/modules/services/hadoop.if >>> @@ -106,6 +106,8 @@ template(`hadoop_domain_template',` >>> >>> files_read_etc_files(hadoop_$1_t) >>> >>> + hadoop_lan_polmatch(hadoop_$1_t) >>> + >>> init_read_utmp(hadoop_$1_t) >>> init_use_fds(hadoop_$1_t) >>> init_use_script_fds(hadoop_$1_t)
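Review bot: the template grants one permission on a type declared in the same module by going through the module's own interface, `hadoop_lan_polmatch(hadoop_$1_t)`; inside hadoop.if this is better written as the direct rule `allow hadoop_$1_t hadoop_lan_t:association polmatch;`, and once hadoop_lan_t is declared in corenetwork as agreed above the call becomes a corenetwork interface instead, so hadoop_lan_polmatch() itself is not needed in either case.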
>>> @@ -350,3 +352,203 @@ interface(`hadoop_exec_config',` >>> hadoop_read_config($1) >>> allow $1 hadoop_etc_t:file exec_file_perms; >>> ') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## polmatch on hadoop_lan_t >>> +## >>> +## >>> +## >>> +## Domain needing polmatch >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`hadoop_lan_polmatch',` >>> + gen_require(` >>> + type hadoop_lan_t; >>> + ') >>> + >>> + allow $1 hadoop_lan_t:association polmatch; >>> +') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## setcontext on hadoop_lan_t >>> +## >>> +## >>> +## >>> +## Domain needing setcontext >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`hadoop_lan_setcontext',` >>> + gen_require(` >>> + type hadoop_lan_t; >>> + ') >>> + >>> + allow $1 hadoop_lan_t:association setcontext; >>> +') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## recv hadoop_datanode_t >>> +## >>> +## >>> +## >>> +## Domain needing recv >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`hadoop_datanode_recv',` >>> + gen_require(` >>> + type hadoop_datanode_t; >>> + ') >>> + >>> + allow $1 hadoop_datanode_t:peer recv; >>> +') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## recv hadoop_namenode_t >>> +## >>> +## >>> +## >>> +## Domain needing recv >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`hadoop_namenode_recv',` >>> + gen_require(` >>> + type hadoop_namenode_t; >>> + ') >>> + >>> + allow $1 hadoop_namenode_t:peer recv; >>> +') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## recv hadoop_jobtracker_t >>> +## >>> +## >>> +## >>> +## Domain needing recv >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`hadoop_jobtracker_recv',` >>> + gen_require(` >>> + type 
hadoop_jobtracker_t; >>> + ') >>> + >>> + allow $1 hadoop_jobtracker_t:peer recv; >>> +') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## recv hadoop_tasktracker_t >>> +## >>> +## >>> +## >>> +## Domain needing recv >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`hadoop_tasktracker_recv',` >>> + gen_require(` >>> + type hadoop_tasktracker_t; >>> + ') >>> + >>> + allow $1 hadoop_tasktracker_t:peer recv; >>> +') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## recv hadoop_secondarynamenode_t >>> +## >>> +## >>> +## >>> +## Domain needing recv >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`hadoop_secondarynamenode_recv',` >>> + gen_require(` >>> + type hadoop_secondarynamenode_t; >>> + ') >>> + >>> + allow $1 hadoop_secondarynamenode_t:peer recv; >>> +') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## recv hadoop_t >>> +## >>> +## >>> +## >>> +## Domain needing recv >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`hadoop_recv',` >>> + gen_require(` >>> + type hadoop_t; >>> + ') >>> + >>> + allow $1 hadoop_t:peer recv; >>> +') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## recv zookeeper_server_t >>> +## >>> +## >>> +## >>> +## Domain needing recv >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`zookeeper_server_recv',` >>> + gen_require(` >>> + type zookeeper_server_t; >>> + ') >>> + >>> + allow $1 zookeeper_server_t:peer recv; >>> +') >>> + >>> +######################################## >>> +## >>> +## Give permission to a domain to >>> +## recv zookeeper_t >>> +## >>> +## >>> +## >>> +## Domain needing recv >>> +## permission >>> +## >>> +## >>> +# >>> +interface(`zookeeper_recv',` >>> + gen_require(` >>> + type zookeeper_t; >>> + ') >>> + >>> + allow $1 zookeeper_t:peer recv; >>> +') 
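Review bot: the nine new peer interfaces are named hadoop_<domain>_recv() and zookeeper_recv()/zookeeper_server_recv(), but as agreed earlier in the thread the Reference Policy verb for peer recv is recvfrom, so they should be hadoop_recvfrom_datanode(), hadoop_recvfrom_namenode(), hadoop_recvfrom_jobtracker(), hadoop_recvfrom_tasktracker(), hadoop_recvfrom_secondarynamenode(), hadoop_recvfrom_zookeeper(), hadoop_recvfrom_zookeeper_server() and so on, with the summary text in each header (`## recv hadoop_datanode_t`) updated to match. hadoop_lan_setcontext() exists only so that setkey_t can be granted setcontext on one more type; with the attribute-based approach decided on above, that interface and its single call site in ipsec.te should be dropped rather than renamed.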
>>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te >>> index b103f89..e4bbe97 100644 >>> --- a/policy/modules/services/hadoop.te >>> +++ b/policy/modules/services/hadoop.te >>> @@ -15,6 +15,9 @@ ubac_constrained(hadoop_t) >>> type hadoop_etc_t; >>> files_config_file(hadoop_etc_t) >>> >>> +type hadoop_lan_t; >>> +files_type(hadoop_lan_t) >>> + >>> type hadoop_log_t; >>> logging_log_file(hadoop_log_t) >>> >>> @@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms; >>> >>> allow hadoop_t hadoop_domain:process signull; >>> >>> +hadoop_lan_polmatch(hadoop_t) >>> +allow hadoop_t self:peer recv; >>> +hadoop_datanode_recv(hadoop_t) >>> +hadoop_jobtracker_recv(hadoop_t) >>> +hadoop_namenode_recv(hadoop_t) >>> +hadoop_tasktracker_recv(hadoop_t) >>> + >>> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t) >>> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t) >>> can_exec(hadoop_t, hadoop_etc_t) >>> @@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t) >>> >>> fs_getattr_xattr_fs(hadoop_datanode_t) >>> >>> +allow hadoop_datanode_t self:peer recv; >>> +hadoop_jobtracker_recv(hadoop_datanode_t) >>> +hadoop_namenode_recv(hadoop_datanode_t) >>> +hadoop_recv(hadoop_datanode_t) >>> +hadoop_tasktracker_recv(hadoop_datanode_t) >>> + >>> ######################################## >>> # >>> # Hadoop jobtracker policy. >>> @@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t) >>> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t) >>> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t) >>> >>> +allow hadoop_jobtracker_t self:peer recv; >>> +hadoop_datanode_recv(hadoop_jobtracker_t) >>> +hadoop_namenode_recv(hadoop_jobtracker_t) >>> +hadoop_recv(hadoop_jobtracker_t) >>> +hadoop_tasktracker_recv(hadoop_jobtracker_t) >>> + >>> ######################################## >>> # >>> # Hadoop namenode policy. 
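Review bot: `files_type(hadoop_lan_t)` in the @@ -15 hunk is still the wrong declaration, as already pointed out: hadoop_lan_t is only ever used as an association object (`hadoop_lan_t:association polmatch` and `hadoop_lan_t:association setcontext` elsewhere in this patch), so marking it as a file type attaches file-type attributes to a label that never appears on a file. Since association types are going into corenetwork, the `type hadoop_lan_t;` declaration should move there and be registered through the corenetwork association interface, leaving hadoop.te without a hadoop_lan_t declaration at all.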
>>> @@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t) >>> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t) >>> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t) >>> >>> +allow hadoop_namenode_t self:peer recv; >>> +hadoop_datanode_recv(hadoop_namenode_t) >>> +hadoop_jobtracker_recv(hadoop_namenode_t) >>> +hadoop_recv(hadoop_namenode_t) >>> +hadoop_secondarynamenode_recv(hadoop_namenode_t) >>> +hadoop_tasktracker_recv(hadoop_namenode_t) >>> + >>> ######################################## >>> # >>> # Hadoop secondary namenode policy. >>> @@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib >>> >>> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t) >>> >>> +allow hadoop_secondarynamenode_t self:peer recv; >>> +hadoop_namenode_recv(hadoop_secondarynamenode_t) >>> + >>> ######################################## >>> # >>> # Hadoop tasktracker policy. >>> @@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t) >>> >>> fs_getattr_xattr_fs(hadoop_tasktracker_t) >>> >>> +allow hadoop_tasktracker_t self:peer recv; >>> +hadoop_datanode_recv(hadoop_tasktracker_t) >>> +hadoop_jobtracker_recv(hadoop_tasktracker_t) >>> +hadoop_recv(hadoop_tasktracker_t) >>> +hadoop_namenode_recv(hadoop_tasktracker_t) >>> + >>> ######################################## >>> # >>> # Hadoop zookeeper client policy. >>> @@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms; >>> allow zookeeper_t self:udp_socket create_socket_perms; >>> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms; >>> >>> +hadoop_lan_polmatch(zookeeper_t) >>> +zookeeper_server_recv(zookeeper_t) >>> + >>> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t) >>> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t) 
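Review bot: in the @@ -245 hunk zookeeper_t is the only domain in the patch that gets no `allow zookeeper_t self:peer recv;` while every hadoop_*_t domain and zookeeper_server_t receive it; if zookeeper clients never receive labeled traffic from each other that is fine, but it is worth a comment, because the per-domain recv lists are what encode the Hadoop communication graph this patch sets out to enforce. For the same reason a short comment block above each group naming which daemon is expected to receive from which would help future maintainers check the pairings (for example hadoop_namenode_t lists hadoop_secondarynamenode_recv and hadoop_secondarynamenode_t lists hadoop_namenode_recv, which is the two-way pairing every pair should have).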
>>> >>> @@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms; >>> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms; >>> allow zookeeper_server_t self:udp_socket create_socket_perms; >>> >>> +hadoop_lan_polmatch(zookeeper_server_t) >>> +allow zookeeper_server_t self:peer recv; >>> +zookeeper_recv(zookeeper_server_t) >>> + >>> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms; >>> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir) >>> >>> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te >>> index d82ff45..be9e5f1 100644 >>> --- a/policy/modules/system/ipsec.te >>> +++ b/policy/modules/system/ipsec.te >>> @@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t) >>> >>> files_read_etc_files(setkey_t) >>> >>> +hadoop_lan_setcontext(setkey_t) >>> + >>> init_dontaudit_use_fds(setkey_t) >>> >>> # allow setkey to set the context for ipsec SAs and policy.
>>>
>>> _______________________________________________
>>> refpolicy mailing list
>>> refpolicy at oss.tresys.com
>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>>
>>
>

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
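Review bot: `hadoop_lan_setcontext(setkey_t)` in the ipsec.te hunk makes the system-layer ipsec module call into the hadoop service module and would have to be repeated for every future labeled-network type, which is exactly what the thread agreed to avoid. Replace it with one rule over an attribute that every association type is added to, in the shape sketched earlier in the thread but with the setcontext permission this hunk actually grants (`allow setkey_t ipsec_spd_types:association setcontext;`, or the corenetwork equivalent once the attribute lives there), placed next to the existing `# allow setkey to set the context for ipsec SAs and policy.` comment that this hunk already sits beside; the corenetwork declaration of hadoop_lan_t then adds the type to that attribute and no per-module line in ipsec.te is needed.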