From: jkhosali@nps.edu (Jean Khosalim)
Date: Wed, 8 Feb 2012 11:29:59 -0800
Subject: [refpolicy] SELinux policy for Hadoop
Message-ID: <001801cce698$0bd44560$237cd020$@edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi all,

I built a Fedora 16 system and installed Cloudera's CDH3 (with Hadoop-0.20). SELinux is enforcing and the policy used is 'targeted'. Ran a simple wordcount example and it works. But I noticed that the Hadoop-related processes are running with 'system_u:system_r:initrc_t:s0'. I was expecting hadoop_t instead of initrc_t. I also noticed that there is no 'hadoop.pp' in the /etc/selinux/targeted/modules/active/modules directory.

I ran 'yum update' on the system and forced autorelabel on boot (added 'enforcing=0 autorelabel' to grub). After reboot, it looks like nothing changed, i.e., Hadoop-related processes still run with 'system_u:system_r:initrc_t:s0' and there is no 'hadoop.pp' in the /etc/selinux/targeted/modules/active/modules directory.

Then I downloaded the source rpm for selinux-policy-3.10.0-75.fc16.src.rpm. Looking at the source files, I noticed that modules_targeted.conf doesn't have 'hadoop'. I modified the file to add in 'hadoop' and ran 'rpmbuild -ba ./rpmbuild/SPECS/selinux-policy.spec', which generated a new set of rpms. I did a force rpm install of the newly created selinux-policy-3.10.0-75.fc16.noarch.rpm and selinux-policy-targeted-3.10.0-75.fc16.noarch.rpm. Then I rebooted the system.

After the reboot, I now see 'hadoop.pp' IS in the /etc/selinux/targeted/modules/active/modules directory and the Hadoop-related processes are now running with 'system_u:system_r:unconfined_java_t:s0'.

Is my expectation that the Hadoop-related processes will run as 'hadoop_t' incorrect? Are there any steps that I am missing?

Any help will be much appreciated. Thank you in advance.

Sincerely,
Jean Khosalim