From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 05 Jan 2011 10:23:51 -0500 Subject: [refpolicy] [PATCH 1/2] hadoop: update to CDH3 In-Reply-To: <4D0A4D53.6080004@tycho.ncsc.mil> References: <4D02B638.1000503@tycho.ncsc.mil> <4D033DF6.8000907@gmail.com> <4D063E1F.1090406@tycho.ncsc.mil> <4D09224B.4010308@tresys.com> <4D0A4D53.6080004@tycho.ncsc.mil> Message-ID: <4D248D07.7040206@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 12/16/10 12:33, Paul Nuzzi wrote: > On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote: >> On 12/13/10 10:39, Paul Nuzzi wrote: >>> On 12/11/2010 04:01 AM, Dominick Grift wrote: >>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote: >>> >>> Does hadoop depend on kerberos? If no then kerberos_use should probably >>> be optional. >>> >>> >>>> The new version of hadoop added Kerberos for authentication. >> >> So, to be explicit, its an unconditional requirement? > > Yes. I think all future versions of hadoop will be kerberos enabled. > >> It seems like there should be a hadoop_home_t that is >> userdom_user_home_content() > > Updated. Merged. I did some rule rearranging and whitespace cleanup.
> Signed-off-by: Paul Nuzzi
>
> ---
> policy/modules/roles/unprivuser.te | 4 ++++
> policy/modules/services/hadoop.fc | 14 +++++++++-----
> policy/modules/services/hadoop.if | 27 ++++++++++++++++++++++++---
> policy/modules/services/hadoop.te | 24 +++++++++++++++++++++++-
> 4 files changed, 60 insertions(+), 9 deletions(-)
>
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 606a257..7a48dad 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> + hadoop_role(user_r, user_t)
> + ')
> +
> + optional_policy(`
> irc_role(user_r, user_t)
> ')
>
> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
> index 3035be2..00a877d 100644
> --- a/policy/modules/services/hadoop.fc
> +++ b/policy/modules/services/hadoop.fc
> @@ -1,10 +1,10 @@
> /etc/hadoop.* gen_context(system_u:object_r:hadoop_etc_t,s0)
>
> -/etc/init\.d/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?jobtracker -- gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?namenode -- gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?secondarynamenode -- gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?tasktracker -- gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> /etc/init\.d/zookeeper -- gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>
> /etc/rc\.d/init\.d/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> @@ -24,10 +24,14 @@
>
> /var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> /var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>
> /var/lock/subsys/hadoop-datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index 9e9bfe7..d07e172 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
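Review bot: The new hdfs-user cache entries cover `dfs/data` and `dfs/namesecondary` but not `dfs/name`, so a namenode whose metadata lives under `/var/lib/hadoop.*/cache/hdfs/dfs/name` would presumably fall back to the parent `hadoop_var_lib_t` label instead of `hadoop_namenode_var_lib_t`, unlike the existing `cache/hadoop/dfs/name` line. If CDH3 runs the namenode as the hdfs user, as the datanode and secondarynamenode entries suggest, add `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)` next to them. If the namenode deliberately keeps the old path, a one-line comment saying so would spare the next reader the same question.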
> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
> # Shared hadoop_$1 policy.
> #
>
> - allow hadoop_$1_t self:process execmem;
> + allow hadoop_$1_t self:capability { chown kill setgid setuid };
> + allow hadoop_$1_t self:key search;
> + allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
> allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
> allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
> + allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
> allow hadoop_$1_t self:udp_socket create_socket_perms;
> dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>
> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
> filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
> files_search_var_lib(hadoop_$1_t)
>
> - allow hadoop_$1_t hadoop_var_run_t:dir getattr;
> - files_search_pids(hadoop_$1_t)
> + manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
> + filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
> + files_search_pids(hadoop_$1_t)
>
> allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
> manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>
> files_read_etc_files(hadoop_$1_t)
>
> + init_read_utmp(hadoop_$1_t)
> + init_use_fds(hadoop_$1_t)
> + init_use_script_fds(hadoop_$1_t)
> + init_use_script_ptys(hadoop_$1_t)
> +
> + kerberos_use(hadoop_$1_t)
> + kernel_read_kernel_sysctls(hadoop_$1_t)
> + kernel_read_sysctl(hadoop_$1_t)
> +
> + logging_send_audit_msgs(hadoop_$1_t)
> + logging_send_syslog_msg(hadoop_$1_t)
> +
> miscfiles_read_localization(hadoop_$1_t)
>
> + su_exec(hadoop_$1_t)
> sysnet_read_config(hadoop_$1_t)
>
> hadoop_exec_config(hadoop_$1_t)
>
> java_exec(hadoop_$1_t)
>
> + auth_domtrans_chkpwd(hadoop_$1_t)
> +
> optional_policy(`
> nscd_socket_use(hadoop_$1_t)
> ')
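Review bot: `allow hadoop_$1_t self:capability { chown kill setgid setuid };` in the first hunk, together with `su_exec(hadoop_$1_t)` and `auth_domtrans_chkpwd(hadoop_$1_t)` in the third, is granted to every domain this template instantiates, and nothing in the diff or the commit message records which daemon actually needs to change user, so a later reviewer cannot tell whether any single instance could do without them. A comment above the capability line naming the reason (e.g. `# <daemon> switches to its service user via su at startup`, with the real daemon filled in) would make that judgement possible. On placement, `auth_domtrans_chkpwd(hadoop_$1_t)` is appended after `java_exec` rather than in the alphabetical kernel/system-layer group ahead of `files_read_etc_files`, and `su_exec`, a service-layer interface, is mixed into that same group; moving both keeps the template ordered the way the rest of the hunk is. The enclosing `hadoop_domain_template` starts and ends outside these hunks.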
> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
> consoletype_exec(hadoop_$1_initrc_t)
>
> fs_getattr_xattr_fs(hadoop_$1_initrc_t)
> + fs_search_cgroup_dirs(hadoop_$1_initrc_t)
>
> term_use_generic_ptys(hadoop_$1_initrc_t)
>
> hadoop_exec_config(hadoop_$1_initrc_t)
>
> init_rw_utmp(hadoop_$1_initrc_t)
> + init_use_fds(hadoop_$1_initrc_t)
> init_use_script_ptys(hadoop_$1_initrc_t)
>
> logging_send_syslog_msg(hadoop_$1_initrc_t)
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 35a8131..ddf9ef7 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -15,6 +15,11 @@ ubac_constrained(hadoop_t)
> type hadoop_etc_t;
> files_config_file(hadoop_etc_t)
>
> +type hadoop_home_t;
> +typealias hadoop_home_t alias { user_hadoop_home_t staff_hadoop_home_t sysadm_hadoop_home_t };
> +typealias hadoop_home_t alias { auditadm_hadoop_home_t secadm_hadoop_home_t };
> +userdom_user_home_content(hadoop_home_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
>
> @@ -133,15 +138,27 @@ corenet_tcp_connect_generic_port(hadoop_t)
> dev_read_rand(hadoop_t)
> dev_read_sysfs(hadoop_t)
> dev_read_urand(hadoop_t)
> +domain_use_interactive_fds(hadoop_t)
>
> files_dontaudit_search_spool(hadoop_t)
> +files_read_etc_files(hadoop_t)
> files_read_usr_files(hadoop_t)
> +files_search_var_lib(hadoop_t)
>
> fs_getattr_xattr_fs(hadoop_t)
>
> +kerberos_use(hadoop_t)
> +
> +manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
> +userdom_search_user_home_dirs(hadoop_t)
> +userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
> +
> miscfiles_read_localization(hadoop_t)
>
> -userdom_dontaudit_search_user_home_dirs(hadoop_t)
> +sysnet_read_config(hadoop_t)
> +
> userdom_use_user_terminals(hadoop_t)
>
> java_exec(hadoop_t)
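Review bot: `userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })` in the hadoop.te hunk at -133 is an unnamed transition, so every file and directory the client domain creates directly in a user's home, not only its own configuration or cache, is labeled `hadoop_home_t`, and the three `manage_*_pattern` lines above it then give `hadoop_t` full control over all of it. That is presumably the intent for a per-user hadoop working area, but a reader of the .te cannot tell which paths are expected; a comment above the filetrans line such as `# anything hadoop_t writes into $HOME becomes hadoop_home_t` would record it. The removed `userdom_dontaudit_search_user_home_dirs` is replaced by `userdom_search_user_home_dirs` with no read access to ordinary user home content, so the client can only operate on files it labeled itself; it is worth stating in the same comment whether that boundary is deliberate.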
> @@ -215,8 +232,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
> corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>
> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
> filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>
> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
> +
> manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
> @@ -275,6 +296,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
> dev_read_rand(zookeeper_t)
> dev_read_sysfs(zookeeper_t)
> dev_read_urand(zookeeper_t)
> +domain_use_interactive_fds(zookeeper_t)
>
> files_read_etc_files(zookeeper_t)
> files_read_usr_files(zookeeper_t)
-- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
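Review bot: `setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)` lets the tasktracker change attributes of the shared `hadoop_log_t` directories that the other hadoop daemons log under, not only its own `hadoop_tasktracker_log_t` tree, and with the `chown` capability the template now grants that extends to ownership of the common log root. If the daemon only needs to create and own its own subdirectory, the existing `filetrans_pattern` plus `manage_dirs_pattern` on `hadoop_tasktracker_log_t` already covers that and the setattr line can be dropped; if the CDH3 tasktracker really does modify the shared log root, a comment above the line (`# tasktracker chowns/chmods the shared log root at startup`, adjusted to the real reason) would justify keeping it. The commit message does not say which case applies.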