From: dwalsh@redhat.com (Daniel J Walsh)
Date: Wed, 08 Feb 2012 15:40:01 -0500
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <002601cce6a0$e2e7ce20$a8b76a60$@edu>
References: <001801cce698$0bd44560$237cd020$@edu> <4F32D102.3060605@tresys.com> <002601cce6a0$e2e7ce20$a8b76a60$@edu>
Message-ID: <4F32DDA1.3050901@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/08/2012 03:33 PM, Jean Khosalim wrote:
> Yes, I did.
>
> Jean Khosalim
>
>> -----Original Message-----
>> From: Christopher J. PeBenito [mailto:cpebenito at tresys.com]
>> Sent: Wednesday, February 08, 2012 11:46 AM
>> To: Jean Khosalim
>> Cc: refpolicy at oss.tresys.com
>> Subject: Re: [refpolicy] SELinux policy for Hadoop
>>
>> On 02/08/12 14:29, Jean Khosalim wrote:
>>> I built a Fedora 16 system and installed Cloudera's CDH3 (with Hadoop-0.20).
>>> SELinux is enforcing and policy used is 'targeted'. Ran a simple wordcount
>>> example and it works. But I noticed that the Hadoop related processes are
>>> running with 'system_u:system_r:initrc_t:s0'. I was expecting hadoop_t
>>> instead of initrc_t. I also noticed that there is no 'hadoop.pp' in
>>> /etc/selinux/targeted/modules/active/modules directory.
>>>
>>> I ran 'yum update' on the system and force autorelabel on boot (add
>>> 'enforcing=0 autorelabel' to grub). After reboot, it looks like nothing
>>> changed, i.e., Hadoop related processes still run with
>>> 'system_u:system_r:initrc_t:s0' and there is no 'hadoop.pp' in
>>> /etc/selinux/targeted/modules/active/modules directory.
>>>
>>> Then I downloaded the source rpm for selinux-policy-3.10.0-75.fc16.src.rpm.
>>> Looking at the source files, I noticed that modules_targeted.conf doesn't
>>> have 'hadoop'. I modified the file to add in 'hadoop' and ran 'rpmbuild -ba
>>> ./rpmbuild/SPECS/selinux-policy.spec' which generated a new set of rpm. I
>>> did a force rpm install of the newly created
>>> selinux-policy-3.10.0-75.fc16.noarch.rpm and
>>> selinux-policy-targeted-3.10.0-75.fc16.noarch.rpm. Then I rebooted the
>>> system.
>>>
>>> After the reboot, I now see 'hadoop.pp' IS in
>>> /etc/selinux/targeted/modules/active/modules directory and the
>>> hadoop related processes are now running with
>>> 'system_u:system_r:unconfined_java_t:s0'. Is my expectation that the hadoop
>>> related processes will run as 'hadoop_t' incorrect? Are there any steps that
>>> I am missing?
>>
>> Did you relabel after you updated the policy?
>>
>> --
>> Chris PeBenito
>> Tresys Technology, LLC
>> www.tresys.com | oss.tresys.com
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

What is the path to the daemon executables? Are they labeled with a
hadoop*_exec_t type label?
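
The label check asked about above, as an added example that is not part of the original message: it reads `ls -Z` output and lists every executable whose type does not match `hadoop*_exec_t`, since the transition out of `initrc_t` depends on the label of the file being executed. The function names, the sample listing and the `/placeholder/...` paths are constructed for illustration and are not CDH3's real layout.

```shell
#!/bin/sh
# Added example: find daemon executables that lack a hadoop*_exec_t label.
# Input is `ls -Z` output in either layout:
#   older:  mode user group context path
#   newer:  context path
# Assumption: paths contain no whitespace.

# Print "type path" for every input line by locating the context field.
label_types() {
    awk '{
        for (i = 1; i < NF; i++) {
            # A context is user:role:type[:level]; the type is part 3.
            n = split($i, c, ":")
            if (n >= 3) {
                print c[3], $NF
                next
            }
        }
        # No context field found, e.g. "?" on a file without a label.
        print "unlabeled", $NF
    }'
}

# Print the paths whose type is not hadoop*_exec_t, with the type found.
mislabeled_daemons() {
    label_types | awk '$1 !~ /^hadoop.*_exec_t$/ { print $2 " (" $1 ")" }'
}

# Constructed sample listing; paths are placeholders.
SAMPLE='-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /placeholder/bin/daemon-a
-rwxr-xr-x. root root system_u:object_r:hadoop_exec_t:s0 /placeholder/bin/daemon-b
system_u:object_r:hadoop_exec_t:s0 /placeholder/bin/daemon-c
? /placeholder/bin/daemon-d'

printf '%s\n' "$SAMPLE" | mislabeled_daemons
```

On a live system the input would come from `ls -Z` on the daemon paths instead of `SAMPLE`; any path the function prints is a candidate for `restorecon` or a missing file-context entry.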