From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Thu, 13 Jan 2011 14:22:41 -0500 Subject: [refpolicy] [PATCH 2/2] hadoop: labeled ipsec In-Reply-To: <4D25EEE3.9080608@tycho.ncsc.mil> References: <4D02B63A.90808@tycho.ncsc.mil> <4D092B20.2030002@tresys.com> <4D0A4D3B.5050700@tycho.ncsc.mil> <4D2476BD.2000209@tresys.com> <4D25EEE3.9080608@tycho.ncsc.mil> Message-ID: <4D2F5101.8050404@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 01/06/11 11:33, Paul Nuzzi wrote: > On 01/05/2011 08:48 AM, Christopher J. PeBenito wrote: >> On 12/16/10 12:32, Paul Nuzzi wrote: >>> On 12/15/2010 03:54 PM, Christopher J. PeBenito wrote: >>>> On 12/10/10 18:22, Paul Nuzzi wrote: >>>>> Added labeled IPSec support to hadoop. SELinux will be able to enforce what services are allowed to >>>>> connect to. Labeled IPSec can enforce the range of services they can receive from. This enforces >>>>> the architecture of Hadoop without having to modify any of the code. This adds a level of >>>>> confidentiality, integrity, and authentication provided outside the software stack. >>>> >>>> A few things. >>>> >>>> The verb used in Reference Policy interfaces for peer recv is recvfrom >>>> (a holdover from previous labeled networking implementations). So the >>>> interfaces are like hadoop_recvfrom_datanode(). >>> >>> Easy change. >>> >>>> It seems like setkey should be able to setcontext any type used on ipsec >>>> associations. I think the best thing would be to add additional support >>>> to either the ipsec or corenetwork modules (I haven't decided which one >>>> yet) for associations. So, say we have an interface called >>>> ipsec_spd_type() which adds the parameter type to the attribute >>>> ipsec_spd_types. Then we can have an allow setkey_t >>>> ipsec_spd_types:association setkey; rule and we don't have to update it >>>> every time more labeled network is added. >>> >>> That seems a lot less clunky than updating setkey every time we add a new association. 
>>> >>>> This is definitely wrong since its not a file: >>>> +files_type(hadoop_lan_t) >>> >>> Let me know how you would like to handle associations and I could update the >>> patch. >> >> Lets go with putting the associations in corenetwork. >> >>> Will the files_type error be cleared up when we re-engineer this? >> >> I'm not sure what you mean. The incorrect rule was added in your patch. >> > > Adds labeled IPSec policy to hadoop to control the remote processes that are allowed to connect to the cloud's services. Merged. I did some interface renaming and rearranging. > Signed-off-by: Paul Nuzzi > > --- > policy/modules/kernel/corenetwork.if.in | 38 ++++++ > policy/modules/kernel/corenetwork.te.in | 1 > policy/modules/services/hadoop.if | 182 ++++++++++++++++++++++++++++++++ > policy/modules/services/hadoop.te | 45 +++++++ > policy/modules/system/ipsec.te | 2 > 5 files changed, 268 insertions(+) >
> diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
> index b06df19..3103644 100644
> --- a/policy/modules/kernel/corenetwork.if.in
> +++ b/policy/modules/kernel/corenetwork.if.in
> @@ -3042,3 +3042,41 @@ interface(`corenet_unconfined',`
>
> typeattribute $1 corenet_unconfined_type;
> ')
> +
> +########################################
> +##
> +## Make the specified type usable
> +## for labeled ipsec.
> +##
> +##
> +##
> +## Type to be used for labeled ipsec.
> +##
> +##
> +#
> +interface(`ipsec_spd_type',`
> + gen_require(`
> + attribute ipsec_spd_types;
> + ')
> +
> + typeattribute $1 ipsec_spd_types;
> +')
> +
> +########################################
> +##
> +## Make the specified type usable
> +## for labeled ipsec.
> +##
> +##
> +##
> +## Type to be used for labeled ipsec.
> +##
> +##
> +#
> +interface(`ipsec_spd_type_setcontext',`
> + gen_require(`
> + attribute ipsec_spd_types;
> + ')
> +
> + allow $1 ipsec_spd_types:association setcontext;
> +')
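Review bot: The summary block on `ipsec_spd_type_setcontext` is a verbatim copy of the one on `ipsec_spd_type` ("Make the specified type usable for labeled ipsec" / "Type to be used for labeled ipsec"), but the interface grants `$1 ipsec_spd_types:association setcontext`, so the documentation describes the other interface. I would change its summary to `Allow the specified domain to set the context of labeled ipsec associations` and the parameter text to `Domain allowed to set the context`. Both new interfaces also carry the `ipsec_` prefix while being defined in corenetwork.if.in, so a reader of `ipsec_spd_type_setcontext(setkey_t)` in ipsec.te would look for them in ipsec.if; a `corenet_` name (or defining them in ipsec.if) would match the module they live in, which may be what the renaming mentioned at merge time covers.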
> diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
> index edefaf3..8ee5e51 100644
> --- a/policy/modules/kernel/corenetwork.te.in
> +++ b/policy/modules/kernel/corenetwork.te.in
> @@ -6,6 +6,7 @@ policy_module(corenetwork, 1.15.0)
> #
>
> attribute client_packet_type;
> +attribute ipsec_spd_types;
> attribute netif_type;
> attribute node_type;
> attribute packet_type;
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index b5ab49e..3fc31f7 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -110,6 +110,8 @@ template(`hadoop_domain_template',`
>
> auth_domtrans_chkpwd(hadoop_$1_t)
>
> + hadoop_lan_polmatch(hadoop_$1_t)
> +
> init_read_utmp(hadoop_$1_t)
> init_use_fds(hadoop_$1_t)
> init_use_script_fds(hadoop_$1_t)
> @@ -350,3 +352,183 @@ interface(`hadoop_exec_config',`
> hadoop_read_config($1)
> allow $1 hadoop_etc_t:file exec_file_perms;
> ')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## polmatch on hadoop_lan_t
> +##
> +##
> +##
> +## Domain needing polmatch
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_lan_polmatch',`
> + gen_require(`
> + type hadoop_lan_t;
> + ')
> +
> + allow $1 hadoop_lan_t:association polmatch;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recvfrom hadoop_datanode_t
> +##
> +##
> +##
> +## Domain needing recvfrom
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_recvfrom_datanode',`
> + gen_require(`
> + type hadoop_datanode_t;
> + ')
> +
> + allow $1 hadoop_datanode_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recvfrom hadoop_namenode_t
> +##
> +##
> +##
> +## Domain needing recvfrom
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_recvfrom_namenode',`
> + gen_require(`
> + type hadoop_namenode_t;
> + ')
> +
> + allow $1 hadoop_namenode_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recvfrom hadoop_jobtracker_t
> +##
> +##
> +##
> +## Domain needing recvfrom
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_recvfrom_jobtracker',`
> + gen_require(`
> + type hadoop_jobtracker_t;
> + ')
> +
> + allow $1 hadoop_jobtracker_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recvfrom hadoop_tasktracker_t
> +##
> +##
> +##
> +## Domain needing recvfrom
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_recvfrom_tasktracker',`
> + gen_require(`
> + type hadoop_tasktracker_t;
> + ')
> +
> + allow $1 hadoop_tasktracker_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recvfrom hadoop_secondarynamenode_t
> +##
> +##
> +##
> +## Domain needing recvfrom
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_recvfrom_secondarynamenode',`
> + gen_require(`
> + type hadoop_secondarynamenode_t;
> + ')
> +
> + allow $1 hadoop_secondarynamenode_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recvfrom hadoop_t
> +##
> +##
> +##
> +## Domain needing recvfrom
> +## permission
> +##
> +##
> +#
> +interface(`hadoop_recvfrom',`
> + gen_require(`
> + type hadoop_t;
> + ')
> +
> + allow $1 hadoop_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recvfrom zookeeper_server_t
> +##
> +##
> +##
> +## Domain needing recvfrom
> +## permission
> +##
> +##
> +#
> +interface(`zookeeper_recvfrom_server',`
> + gen_require(`
> + type zookeeper_server_t;
> + ')
> +
> + allow $1 zookeeper_server_t:peer recv;
> +')
> +
> +########################################
> +##
> +## Give permission to a domain to
> +## recvfrom zookeeper_t
> +##
> +##
> +##
> +## Domain needing recvfrom
> +## permission
> +##
> +##
> +#
> +interface(`zookeeper_recvfrom',`
> + gen_require(`
> + type zookeeper_t;
> + ')
> +
> + allow $1 zookeeper_t:peer recv;
> +')
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 9a9c206..b1427eb 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -18,6 +18,9 @@ files_config_file(hadoop_etc_t)
> type hadoop_home_t;
> userdom_user_home_content(hadoop_home_t)
>
> +type hadoop_lan_t;
> +ipsec_spd_type(hadoop_lan_t)
> +
> type hadoop_log_t;
> logging_log_file(hadoop_log_t)
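Review bot: The summary of `hadoop_lan_polmatch` ("Give permission to a domain to polmatch on hadoop_lan_t") restates the rule without telling the reader what hadoop_lan_t labels; since hadoop.te declares it through `ipsec_spd_type`, the summary should say that, e.g. `Allow the specified domain to match the labeled ipsec security policy (hadoop_lan_t) that covers Hadoop cluster traffic`. The eight `*_recvfrom*` summaries have the same shape and could state that the permission granted is `peer recv` on labeled ipsec traffic originating from that domain, rather than the bare "recvfrom <type>". `zookeeper_recvfrom_server` and `zookeeper_recvfrom` are the only interfaces in this hunk without the module's `hadoop_` prefix; unless hadoop.if already has `zookeeper_`-prefixed interfaces, `hadoop_zookeeper_recvfrom_server` / `hadoop_zookeeper_recvfrom` would be the consistent names.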
>
> @@ -88,6 +91,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>
> allow hadoop_t hadoop_domain:process signull;
>
> +hadoop_lan_polmatch(hadoop_t)
> +allow hadoop_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_t)
> +hadoop_recvfrom_jobtracker(hadoop_t)
> +hadoop_recvfrom_namenode(hadoop_t)
> +hadoop_recvfrom_tasktracker(hadoop_t)
> +
> read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
> can_exec(hadoop_t, hadoop_etc_t)
> @@ -184,6 +194,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>
> fs_getattr_xattr_fs(hadoop_datanode_t)
>
> +allow hadoop_datanode_t self:peer recv;
> +hadoop_recvfrom_jobtracker(hadoop_datanode_t)
> +hadoop_recvfrom_namenode(hadoop_datanode_t)
> +hadoop_recvfrom(hadoop_datanode_t)
> +hadoop_recvfrom_tasktracker(hadoop_datanode_t)
> +
> ########################################
> #
> # Hadoop jobtracker policy.
> @@ -198,6 +214,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>
> +allow hadoop_jobtracker_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_jobtracker_t)
> +hadoop_recvfrom_namenode(hadoop_jobtracker_t)
> +hadoop_recvfrom(hadoop_jobtracker_t)
> +hadoop_recvfrom_tasktracker(hadoop_jobtracker_t)
> +
> ########################################
> #
> # Hadoop namenode policy.
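Review bot: The rules added for hadoop_t in the `@@ -88` hunk reach the module's own types through its own interfaces (`hadoop_recvfrom_datanode(hadoop_t)` and the three lines after it); as far as I know Reference Policy writes rules inside the defining module directly, e.g. `allow hadoop_t hadoop_datanode_t:peer recv;`, and keeps the interfaces for other modules, so these could be plain allow rules here. The same pattern is in the datanode and jobtracker hunks below and in the namenode, secondarynamenode, tasktracker, zookeeper and zookeeper_server hunks that follow. Separately, `allow <domain> self:peer recv;` is repeated for every domain that hadoop_domain_template produces; since this patch already puts `hadoop_lan_polmatch(hadoop_$1_t)` into that template, `allow hadoop_$1_t self:peer recv;` could sit next to it and the per-domain copies be dropped, leaving only hadoop_t and zookeeper_server_t, which the `hadoop_domain:process signull` rule suggests are not template domains (confirm against the full hadoop.if).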
> @@ -209,6 +231,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
> corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
> corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>
> +allow hadoop_namenode_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_namenode_t)
> +hadoop_recvfrom_jobtracker(hadoop_namenode_t)
> +hadoop_recvfrom(hadoop_namenode_t)
> +hadoop_recvfrom_secondarynamenode(hadoop_namenode_t)
> +hadoop_recvfrom_tasktracker(hadoop_namenode_t)
> +
> ########################################
> #
> # Hadoop secondary namenode policy.
> @@ -218,6 +247,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>
> corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>
> +allow hadoop_secondarynamenode_t self:peer recv;
> +hadoop_recvfrom_namenode(hadoop_secondarynamenode_t)
> +
> ########################################
> #
> # Hadoop tasktracker policy.
> @@ -240,6 +272,12 @@ corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>
> fs_getattr_xattr_fs(hadoop_tasktracker_t)
>
> +allow hadoop_tasktracker_t self:peer recv;
> +hadoop_recvfrom_datanode(hadoop_tasktracker_t)
> +hadoop_recvfrom_jobtracker(hadoop_tasktracker_t)
> +hadoop_recvfrom(hadoop_tasktracker_t)
> +hadoop_recvfrom_namenode(hadoop_tasktracker_t)
> +
> ########################################
> #
> # Hadoop zookeeper client policy.
> @@ -251,6 +289,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_t self:udp_socket create_socket_perms;
> dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_t)
> +zookeeper_recvfrom_server(zookeeper_t)
> +
> read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
> read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>
> @@ -325,6 +366,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
> allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
> allow zookeeper_server_t self:udp_socket create_socket_perms;
>
> +hadoop_lan_polmatch(zookeeper_server_t)
> +allow zookeeper_server_t self:peer recv;
> +zookeeper_recvfrom(zookeeper_server_t)
> +
> allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
> files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d82ff45..13f76a3 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -414,6 +414,7 @@ init_dontaudit_use_fds(setkey_t)
>
> # allow setkey to set the context for ipsec SAs and policy.
> ipsec_setcontext_default_spd(setkey_t)
> +ipsec_spd_type_setcontext(setkey_t)
>
> locallogin_use_fds(setkey_t)
>
> @@ -422,3 +423,4 @@ miscfiles_read_localization(setkey_t)
> seutil_read_config(setkey_t)
>
> userdom_use_user_terminals(setkey_t)
> +
-- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
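Review bot: The second ipsec.te hunk (`@@ -422,3 +423,4`) adds only an empty line after `userdom_use_user_terminals(setkey_t)`, which leaves a stray blank line at the end of the file and should be dropped. The `ipsec_spd_type_setcontext(setkey_t)` line in the first hunk is covered by the existing comment "allow setkey to set the context for ipsec SAs and policy", but since the attribute it grants on is populated by other modules, extending that comment to `# ... including any type registered with ipsec_spd_type()` would tell a reader where the permitted types come from.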