From: jkhosali@nps.edu (Jean Khosalim)
Date: Wed, 8 Feb 2012 12:33:16 -0800
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <4F32D102.3060605@tresys.com>
References: <001801cce698$0bd44560$237cd020$@edu> <4F32D102.3060605@tresys.com>
Message-ID: <002601cce6a0$e2e7ce20$a8b76a60$@edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Yes, I did.

Jean Khosalim

> -----Original Message-----
> From: Christopher J. PeBenito [mailto:cpebenito at tresys.com]
> Sent: Wednesday, February 08, 2012 11:46 AM
> To: Jean Khosalim
> Cc: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] SELinux policy for Hadoop
>
> On 02/08/12 14:29, Jean Khosalim wrote:
> > I built a Fedora 16 system and installed Cloudera's CDH3 (with Hadoop-0.20).
> > SELinux is enforcing and policy used is 'targeted'. Ran a simple wordcount
> > example and it works. But I noticed that the Hadoop related processes are
> > running with 'system_u:system_r:initrc_t:s0'. I was expecting hadoop_t
> > instead of initrc_t. I also noticed that there is no 'hadoop.pp' in
> > /etc/selinux/targeted/modules/active/modules directory.
> >
> > I ran 'yum update' on the system and force autorelabel on boot (add
> > 'enforcing=0 autorelabel' to grub). After reboot, it looks like nothing
> > changed, i.e., Hadoop related processes still run with
> > 'system_u:system_r:initrc_t:s0' and there is no 'hadoop.pp' in
> > /etc/selinux/targeted/modules/active/modules directory.
> >
> > Then I downloaded the source rpm for selinux-policy-3.10.0-75.fc16.src.rpm.
> > Looking at the source files, I noticed that modules_targeted.conf doesn't
> > have 'hadoop'. I modified the file to add in 'hadoop' and ran 'rpmbuild -ba
> > ./rpmbuild/SPECS/selinux-policy.spec' which generated a new set of rpm. I
> > did a force rpm install of the newly created
> > selinux-policy-3.10.0-75.fc16.noarch.rpm and
> > selinux-policy-targeted-3.10.0-75.fc16.noarch.rpm. Then I rebooted the
> > system.
> >
> > After the reboot, I now see 'hadoop.pp' IS in
> > /etc/selinux/targeted/modules/active/modules directory and the hadoop
> > related processes are now running with
> > 'system_u:system_r:unconfined_java_t:s0'. Is my expectation that the hadoop
> > related processes will run as 'hadoop_t' incorrect? Are there any steps that
> > I am missing?
>
> Did you relabel after you updated the policy?
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com