From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 8 Feb 2012 14:46:10 -0500
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <001801cce698$0bd44560$237cd020$@edu>
References: <001801cce698$0bd44560$237cd020$@edu>
Message-ID: <4F32D102.3060605@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/08/12 14:29, Jean Khosalim wrote:
> I built a Fedora 16 system and installed Cloudera's CDH3 (with Hadoop-0.20).
> SELinux is enforcing and policy used is 'targeted'. Ran a simple wordcount
> example and it works. But I noticed that the Hadoop related processes are
> running with 'system_u:system_r:initrc_t:s0'. I was expecting hadoop_t
> instead of initrc_t. I also noticed that there is no 'hadoop.pp' in
> /etc/selinux/targeted/modules/active/modules directory.
>
> I ran 'yum update' on the system and forced autorelabel on boot (add
> 'enforcing=0 autorelabel' to grub). After reboot, it looks like nothing
> changed, i.e., Hadoop related processes still run with
> 'system_u:system_r:initrc_t:s0' and there is no 'hadoop.pp' in
> /etc/selinux/targeted/modules/active/modules directory.
>
> Then I downloaded the source rpm for selinux-policy-3.10.0-75.fc16.src.rpm.
> Looking at the source files, I noticed that modules_targeted.conf doesn't
> have 'hadoop'. I modified the file to add in 'hadoop' and ran 'rpmbuild -ba
> ./rpmbuild/SPECS/selinux-policy.spec' which generated a new set of rpms. I
> did a force rpm install of the newly created
> selinux-policy-3.10.0-75.fc16.noarch.rpm and
> selinux-policy-targeted-3.10.0-75.fc16.noarch.rpm. Then I rebooted the
> system.
>
> After the reboot, I now see 'hadoop.pp' IS in
> /etc/selinux/targeted/modules/active/modules directory and the hadoop
> related processes are now running with
> 'system_u:system_r:unconfined_java_t:s0'. Is my expectation that the hadoop
> related processes will run as 'hadoop_t' incorrect? Are there any steps that
> I am missing?

Did you relabel after you updated the policy?

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com