From: pjnuzzi@tycho.ncsc.mil (Paul Nuzzi) Date: Thu, 06 Jan 2011 11:33:39 -0500 Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec In-Reply-To: <4D2476BD.2000209@tresys.com> References: <4D02B63A.90808@tycho.ncsc.mil> <4D092B20.2030002@tresys.com> <4D0A4D3B.5050700@tycho.ncsc.mil> <4D2476BD.2000209@tresys.com> Message-ID: <4D25EEE3.9080608@tycho.ncsc.mil> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote: > On 12/16/10 12:32, Paul Nuzzi wrote: >> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote: >>> On 12/10/10 18:22, Paul Nuzzi wrote: >>>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to >>>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces >>>> the architecture of Hadoop without having to modify any of the code. This adds a level of >>>> confidentiality, integrity, and authentication provided outside the software stack. >>> >>> A few things. >>> >>> The verb used in Reference Policy interfaces for peer recv is recvfrom >>> (a holdover from previous labeled networking implementations). So the >>> interfaces are like hadoop_recvfrom_datanode(). >> >> Easy change. >> >>> It seems like setkey should be able to setcontext any type used on ipsec >>> associations. I think the best thing would be to add additional support >>> to either the ipsec or corenetwork modules (I haven't decided which one >>> yet) for associations. So, say we have an interface called >>> ipsec_spd_type() which adds the parameter type to the attribute >>> ipsec_spd_types. Then we can have an allow setkey_t >>> ipsec_spd_types:association setkey; rule and we don't have to update it >>> every time more labeled network is added. >> >> That seems a lot less clunky than updating setkey every time we add a new association. 
>> >>> This is definitely wrong since its not a file: >>> +files_type(hadoop_lan_t) >> >> Let me know how you would like to handle associations and I could update the >> patch. > > Lets go with putting the associations in corenetwork. > >> Will the files_type error be cleared up when we re-engineer this? > > I'm not sure what you mean. The incorrect rule was added in your patch. > Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services. Signed-off-by: Paul Nuzzi --- policy/modules/kernel/corenetwork.if.in | 38 ++++++ policy/modules/kernel/corenetwork.te.in | 1 policy/modules/services/hadoop.if | 182 ++++++++++++++++++++++++++++++++ policy/modules/services/hadoop.te | 45 +++++++ policy/modules/system/ipsec.te | 2 5 files changed, 268 insertions(+) diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in index b06df19..3103644 100644 --- a/policy/modules/kernel/corenetwork.if.in +++ b/policy/modules/kernel/corenetwork.if.in @@ -3042,3 +3042,41 @@ interface(`corenet_unconfined',` typeattribute $1 corenet_unconfined_type; ') + +######################################## +## +## Make the specified type usable +## for labeled ipsec. +## +## +## +## Type to be used for labeled ipsec. +## +## +# +interface(`ipsec_spd_type',` + gen_require(` + attribute ipsec_spd_types; + ') + + typeattribute $1 ipsec_spd_types; +') + +######################################## +## +## Make the specified type usable +## for labeled ipsec. +## +## +## +## Type to be used for labeled ipsec. +## +## +# +interface(`ipsec_spd_type_setcontext',` + gen_require(` + attribute ipsec_spd_types; + ') + + allow $1 ipsec_spd_types:association setcontext; +') diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in index edefaf3..8ee5e51 100644 --- a/policy/modules/kernel/corenetwork.te.in +++ b/policy/modules/kernel/corenetwork.te.in 
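Review bot: The header comment on `ipsec_spd_type_setcontext` is a verbatim copy of the one on `ipsec_spd_type` ("Make the specified type usable for labeled ipsec"), yet the second interface grants `allow $1 ipsec_spd_types:association setcontext;` rather than adding `$1` to the attribute, so the generated interface index cannot distinguish them. Suggest a summary such as `## Allow the specified domain to set the context of any labeled ipsec association (every type registered with ipsec_spd_type).` with the parameter described as `## Domain allowed to set association contexts.`, since the whole point of the attribute is that later `ipsec_spd_type()` callers in other modules silently widen this grant. Separately, the other interfaces in corenetwork.if.in carry the `corenet_` prefix (the hunk header shows `corenet_unconfined`); if the `ipsec_` prefix is kept as discussed in the thread above, a one-line comment noting that the attribute is declared in corenetwork rather than the ipsec module would save the next reader a search.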
@@ -6,6 +6,7 @@ policy_module(corenetwork, 1.15.0) # attribute client_packet_type; +attribute ipsec_spd_types; attribute netif_type; attribute node_type; attribute packet_type; diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if index b5ab49e..3fc31f7 100644 --- a/policy/modules/services/hadoop.if +++ b/policy/modules/services/hadoop.if @@ -110,6 +110,8 @@ template(`hadoop_domain_template',` auth_domtrans_chkpwd(hadoop_$1_t) + hadoop_lan_polmatch(hadoop_$1_t) + init_read_utmp(hadoop_$1_t) init_use_fds(hadoop_$1_t) init_use_script_fds(hadoop_$1_t) 
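Review bot: `hadoop_lan_polmatch(hadoop_$1_t)` in `hadoop_domain_template` calls an interface of the hadoop module from inside the hadoop module; the usual refpolicy convention is to write rules on a module's own types directly and keep the interfaces for callers in other modules, and since the interface's only rule is `allow $1 hadoop_lan_t:association polmatch;`, the template line can simply be `allow hadoop_$1_t hadoop_lan_t:association polmatch;`. The same pattern recurs in every hadoop.te hunk of this patch, where `hadoop_lan_polmatch(...)`, `hadoop_recvfrom_*(...)` and `zookeeper_recvfrom*(...)` are invoked on the module's own domains; the interfaces themselves remain useful for other modules that need to receive from hadoop peers. The template's body starts and ends outside this hunk.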
@@ -350,3 +352,183 @@ interface(`hadoop_exec_config',` hadoop_read_config($1) allow $1 hadoop_etc_t:file exec_file_perms; ') + +######################################## +## +## Give permission to a domain to +## polmatch on hadoop_lan_t +## +## +## +## Domain needing polmatch +## permission +## +## +# +interface(`hadoop_lan_polmatch',` + gen_require(` + type hadoop_lan_t; + ') + + allow $1 hadoop_lan_t:association polmatch; +') + +######################################## +## +## Give permission to a domain to +## recvfrom hadoop_datanode_t +## +## +## +## Domain needing recvfrom +## permission +## +## +# +interface(`hadoop_recvfrom_datanode',` + gen_require(` + type hadoop_datanode_t; + ') + + allow $1 hadoop_datanode_t:peer recv; +') + +######################################## +## +## Give permission to a domain to +## recvfrom hadoop_namenode_t +## +## +## +## Domain needing recvfrom +## permission +## +## +# +interface(`hadoop_recvfrom_namenode',` + gen_require(` + type hadoop_namenode_t; + ') + + allow $1 hadoop_namenode_t:peer recv; +') + +######################################## +## +## Give permission to a domain to +## recvfrom hadoop_jobtracker_t +## +## +## +## Domain needing recvfrom +## permission +## +## +# +interface(`hadoop_recvfrom_jobtracker',` + gen_require(` + type hadoop_jobtracker_t; + ') + + allow $1 hadoop_jobtracker_t:peer recv; +') + +######################################## +## +## Give permission to a domain to +## recvfrom hadoop_tasktracker_t +## +## +## +## Domain needing recvfrom +## permission +## +## +# +interface(`hadoop_recvfrom_tasktracker',` + gen_require(` + type hadoop_tasktracker_t; + ') + + allow $1 hadoop_tasktracker_t:peer recv; +') + +######################################## +## +## Give permission to a domain to +## recvfrom hadoop_secondarynamenode_t +## +## +## +## Domain needing recvfrom +## permission +## +## +# +interface(`hadoop_recvfrom_secondarynamenode',` + gen_require(` + type hadoop_secondarynamenode_t; + ') + 
+ allow $1 hadoop_secondarynamenode_t:peer recv; +') + +######################################## +## +## Give permission to a domain to +## recvfrom hadoop_t +## +## +## +## Domain needing recvfrom +## permission +## +## +# +interface(`hadoop_recvfrom',` + gen_require(` + type hadoop_t; + ') + + allow $1 hadoop_t:peer recv; +') + +######################################## +## +## Give permission to a domain to +## recvfrom zookeeper_server_t +## +## +## +## Domain needing recvfrom +## permission +## +## +# +interface(`zookeeper_recvfrom_server',` + gen_require(` + type zookeeper_server_t; + ') + + allow $1 zookeeper_server_t:peer recv; +') + +######################################## +## +## Give permission to a domain to +## recvfrom zookeeper_t +## +## +## +## Domain needing recvfrom +## permission +## +## +# +interface(`zookeeper_recvfrom',` + gen_require(` + type zookeeper_t; + ') + + allow $1 zookeeper_t:peer recv; +') diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te index 9a9c206..b1427eb 100644 --- a/policy/modules/services/hadoop.te +++ b/policy/modules/services/hadoop.te @@ -18,6 +18,9 @@ files_config_file(hadoop_etc_t) type hadoop_home_t; userdom_user_home_content(hadoop_home_t) +type hadoop_lan_t; +ipsec_spd_type(hadoop_lan_t) + type hadoop_log_t; logging_log_file(hadoop_log_t) @@ -88,6 +91,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms; allow hadoop_t hadoop_domain:process signull; +hadoop_lan_polmatch(hadoop_t) +allow hadoop_t self:peer recv; +hadoop_recvfrom_datanode(hadoop_t) +hadoop_recvfrom_jobtracker(hadoop_t) +hadoop_recvfrom_namenode(hadoop_t) +hadoop_recvfrom_tasktracker(hadoop_t) + read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t) read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t) can_exec(hadoop_t, hadoop_etc_t) 
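Review bot: Each of the eight `*_recvfrom*` interfaces in this hunk is documented as "Give permission to a domain to recvfrom <type>", but the rule each grants is `allow $1 <type>:peer recv;`, a peer-label check that only takes effect when labeled networking (here labeled IPsec) supplies a peer label for the packet; nothing in the comments tells a caller that, nor that the verb "recvfrom" is a naming convention rather than the permission granted. Suggest a summary of the form `## Receive labeled network packets whose peer label is the hadoop datanode domain (peer recv, labeled IPsec).` on each interface, with the parameter described as `## Domain allowed to receive from that peer.` The eight blocks differ only in the type name, so one corrected doc block can be copied across all of them.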
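Review bot: `type hadoop_lan_t;` is declared without a comment, and unlike the neighbouring types whose purpose is evident from `files_config_file`, `userdom_user_home_content` or `logging_log_file`, the call `ipsec_spd_type(hadoop_lan_t)` does not tell a reader which traffic the type labels or who matches on it. Suggest `# Label for the labeled-ipsec SPD entries covering hadoop cluster traffic; hadoop and zookeeper domains are granted polmatch on it.` above the type line, which is what the `hadoop_lan_polmatch` calls in this patch establish. This also records that the type is not a file type, which was the objection raised in the thread above.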
@@ -184,6 +194,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t) fs_getattr_xattr_fs(hadoop_datanode_t) +allow hadoop_datanode_t self:peer recv; +hadoop_recvfrom_jobtracker(hadoop_datanode_t) +hadoop_recvfrom_namenode(hadoop_datanode_t) +hadoop_recvfrom(hadoop_datanode_t) +hadoop_recvfrom_tasktracker(hadoop_datanode_t) + ######################################## # # Hadoop jobtracker policy. @@ -198,6 +214,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t) corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t) corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t) +allow hadoop_jobtracker_t self:peer recv; +hadoop_recvfrom_datanode(hadoop_jobtracker_t) +hadoop_recvfrom_namenode(hadoop_jobtracker_t) +hadoop_recvfrom(hadoop_jobtracker_t) +hadoop_recvfrom_tasktracker(hadoop_jobtracker_t) + ######################################## # # Hadoop namenode policy. @@ -209,6 +231,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t) corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t) corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t) +allow hadoop_namenode_t self:peer recv; +hadoop_recvfrom_datanode(hadoop_namenode_t) +hadoop_recvfrom_jobtracker(hadoop_namenode_t) +hadoop_recvfrom(hadoop_namenode_t) +hadoop_recvfrom_secondarynamenode(hadoop_namenode_t) +hadoop_recvfrom_tasktracker(hadoop_namenode_t) + ######################################## # # Hadoop secondary namenode policy. @@ -218,6 +247,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t) +allow hadoop_secondarynamenode_t self:peer recv; +hadoop_recvfrom_namenode(hadoop_secondarynamenode_t) + ######################################## # # Hadoop tasktracker policy. 
@@ -240,6 +272,12 @@ corenet_tcp_connect_zope_port(hadoop_tasktracker_t) fs_getattr_xattr_fs(hadoop_tasktracker_t) +allow hadoop_tasktracker_t self:peer recv; +hadoop_recvfrom_datanode(hadoop_tasktracker_t) +hadoop_recvfrom_jobtracker(hadoop_tasktracker_t) +hadoop_recvfrom(hadoop_tasktracker_t) +hadoop_recvfrom_namenode(hadoop_tasktracker_t) + ######################################## # # Hadoop zookeeper client policy. @@ -251,6 +289,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms; allow zookeeper_t self:udp_socket create_socket_perms; dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms; +hadoop_lan_polmatch(zookeeper_t) +zookeeper_recvfrom_server(zookeeper_t) + read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t) read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t) @@ -325,6 +366,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms; allow zookeeper_server_t self:tcp_socket create_stream_socket_perms; allow zookeeper_server_t self:udp_socket create_socket_perms; +hadoop_lan_polmatch(zookeeper_server_t) +allow zookeeper_server_t self:peer recv; +zookeeper_recvfrom(zookeeper_server_t) + allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms; files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir) diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te index d82ff45..13f76a3 100644 --- a/policy/modules/system/ipsec.te +++ b/policy/modules/system/ipsec.te @@ -414,6 +414,7 @@ init_dontaudit_use_fds(setkey_t) # allow setkey to set the context for ipsec SAs and policy. ipsec_setcontext_default_spd(setkey_t) +ipsec_spd_type_setcontext(setkey_t) locallogin_use_fds(setkey_t) @@ -422,3 +423,4 @@ miscfiles_read_localization(setkey_t) seutil_read_config(setkey_t) userdom_use_user_terminals(setkey_t) +
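Review bot: The existing comment `# allow setkey to set the context for ipsec SAs and policy.` now sits above two calls, and the new `ipsec_spd_type_setcontext(setkey_t)` widens the grant from the default SPD type to every type that any module registers via `ipsec_spd_type()`; the comment should state that, e.g. `# allow setkey to set the context for ipsec SAs and policy, including every labeled-ipsec type registered with ipsec_spd_type() by other modules.` The last ipsec.te hunk (`@@ -422,3 +423,4 @@`) adds only an empty line at end of file and looks like an accidental whitespace change, so it should be dropped before the patch is applied.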