From: jkhosali@nps.edu (Jean Khosalim)
Date: Wed, 8 Feb 2012 13:00:45 -0800
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <4F32DDA1.3050901@redhat.com>
References: <001801cce698$0bd44560$237cd020$@edu> <4F32D102.3060605@tresys.com> <002601cce6a0$e2e7ce20$a8b76a60$@edu> <4F32DDA1.3050901@redhat.com>
Message-ID: <002701cce6a4$ba1efdc0$2e5cf940$@edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following are the labels:

In the /etc/init.d directory:
system_u:object_r:hadoop_datanode_initrc_exec_t:s0 hadoop-0.20-datanode
system_u:object_r:hadoop_jobtracker_initrc_exec_t:s0 hadoop-0.20-jobtracker
system_u:object_r:hadoop_namenode_initrc_exec_t:s0 hadoop-0.20-namenode
system_u:object_r:hadoop_secondarynamenode_initrc_exec_t:s0 hadoop-0.20-secondarynamenode
system_u:object_r:hadoop_tasktracker_initrc_exec_t:s0 hadoop-0.20-tasktracker

In the /usr/lib/hadoop-0.20/bin directory:
system_u:object_r:hadoop_exec_t:s0 hadoop
system_u:object_r:hadoop_exec_t:s0 hadoop-config.sh
system_u:object_r:hadoop_exec_t:s0 hadoop-daemon.sh
system_u:object_r:hadoop_exec_t:s0 hadoop-daemons.sh
system_u:object_r:hadoop_exec_t:s0 rcc
system_u:object_r:hadoop_exec_t:s0 slaves.sh
system_u:object_r:hadoop_exec_t:s0 start-all.sh
system_u:object_r:hadoop_exec_t:s0 start-balancer.sh
system_u:object_r:hadoop_exec_t:s0 start-dfs.sh
system_u:object_r:hadoop_exec_t:s0 start-mapred.sh
system_u:object_r:hadoop_exec_t:s0 stop-all.sh
system_u:object_r:hadoop_exec_t:s0 stop-balancer.sh
system_u:object_r:hadoop_exec_t:s0 stop-dfs.sh
system_u:object_r:hadoop_exec_t:s0 stop-mapred.sh

Jean Khosalim
Research Associate
Computer Science Department
Naval Postgraduate School
1411 Cunningham Rd, GE-231
Monterey, CA 93943
(831) 656-2222
jkhosali at nps.edu

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Wednesday, February 08, 2012 12:40 PM
> To: Jean Khosalim
> Cc: 'Christopher J. PeBenito'; refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] SELinux policy for Hadoop
>
> On 02/08/2012 03:33 PM, Jean Khosalim wrote:
> > Yes, I did.
> >
> > Jean Khosalim
> >
> >> -----Original Message-----
> >> From: Christopher J. PeBenito [mailto:cpebenito at tresys.com]
> >> Sent: Wednesday, February 08, 2012 11:46 AM
> >> To: Jean Khosalim
> >> Cc: refpolicy at oss.tresys.com
> >> Subject: Re: [refpolicy] SELinux policy for Hadoop
> >>
> >> On 02/08/12 14:29, Jean Khosalim wrote:
> >>> I built a Fedora 16 system and installed Cloudera's CDH3 (with
> >>> Hadoop-0.20). SELinux is enforcing and the policy used is 'targeted'.
> >>> I ran a simple wordcount example and it works. But I noticed that the
> >>> Hadoop-related processes are running with
> >>> 'system_u:system_r:initrc_t:s0'. I was expecting hadoop_t instead of
> >>> initrc_t. I also noticed that there is no 'hadoop.pp' in the
> >>> /etc/selinux/targeted/modules/active/modules directory.
> >>>
> >>> I ran 'yum update' on the system and forced an autorelabel on boot
> >>> (add 'enforcing=0 autorelabel' to grub). After the reboot, it looks
> >>> like nothing changed, i.e., Hadoop-related processes still run with
> >>> 'system_u:system_r:initrc_t:s0' and there is no 'hadoop.pp' in the
> >>> /etc/selinux/targeted/modules/active/modules directory.
> >>>
> >>> Then I downloaded the source rpm for
> >>> selinux-policy-3.10.0-75.fc16.src.rpm. Looking at the source files, I
> >>> noticed that modules_targeted.conf doesn't have 'hadoop'. I modified
> >>> the file to add in 'hadoop' and ran 'rpmbuild -ba
> >>> ./rpmbuild/SPECS/selinux-policy.spec', which generated a new set of
> >>> rpms. I did a forced rpm install of the newly created
> >>> selinux-policy-3.10.0-75.fc16.noarch.rpm and
> >>> selinux-policy-targeted-3.10.0-75.fc16.noarch.rpm. Then I rebooted
> >>> the system.
> >>>
> >>> After the reboot, I now see 'hadoop.pp' IS in the
> >>> /etc/selinux/targeted/modules/active/modules directory and the
> >>> Hadoop-related processes are now running with
> >>> 'system_u:system_r:unconfined_java_t:s0'. Is my expectation that the
> >>> Hadoop-related processes will run as 'hadoop_t' incorrect? Are there
> >>> any steps that I am missing?
> >>
> >> Did you relabel after you updated the policy?
> >>
> >> --
> >> Chris PeBenito
> >> Tresys Technology, LLC
> >> www.tresys.com | oss.tresys.com
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> What is the path to the daemon executables? Are they labeled with a
> hadoop*_exec_t type label?
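As an added example (not code from anyone in this thread), the following POSIX shell audit applies Dan Walsh's question mechanically: given `ls -Z`-style file lines and `ps -eZo context,pid,args`-style process lines (constructed samples are embedded so it runs offline), it lists Hadoop files whose type is not the expected hadoop_*_initrc_exec_t / hadoop_exec_t and Hadoop JVMs that did not transition into a hadoop_*_t domain. The `-Dproc_*` arguments in the sample and the expected-type rules are assumptions drawn from the labels Jean posted, not from the refpolicy sources.

```shell
# Added example, not code from the thread: audit Hadoop file labels and process
# domains from `ls -Z` / `ps -eZo context,pid,args` style lines. On a live host
# feed the real command output; the samples below are constructed.
SAMPLE_FILES='system_u:object_r:hadoop_datanode_initrc_exec_t:s0 /etc/init.d/hadoop-0.20-datanode
system_u:object_r:initrc_exec_t:s0 /etc/init.d/hadoop-0.20-namenode
system_u:object_r:hadoop_exec_t:s0 /usr/lib/hadoop-0.20/bin/hadoop
system_u:object_r:bin_t:s0 /usr/lib/hadoop-0.20/bin/start-dfs.sh'
# Constructed process lines: one confined JVM, one stuck in initrc_t and one in
# unconfined_java_t (the two symptoms reported in the thread).
SAMPLE_PROCS='system_u:system_r:hadoop_datanode_t:s0 1201 java -Dproc_datanode
system_u:system_r:initrc_t:s0 1202 java -Dproc_namenode
system_u:system_r:unconfined_java_t:s0 1203 java -Dproc_tasktracker'

# Third field of a security context is the type (the domain, for a process).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print "<path> <actual-type>" for each Hadoop file whose type is not the one
# the posted labels show: init scripts carry a hadoop_*_initrc_exec_t type and
# bin/ scripts hadoop_exec_t. A daemon started through a script with the wrong
# type matches no transition rule and stays in the caller's domain (initrc_t).
mislabelled_files() {
    printf '%s\n' "$1" | while read -r ctx path; do
        [ -n "$path" ] || continue
        type=$(ctx_type "$ctx")
        case "$path" in
            /etc/init.d/hadoop-*)
                case "$type" in
                    hadoop_*_initrc_exec_t) ;;
                    *) echo "$path $type" ;;
                esac ;;
            /usr/lib/hadoop-*/bin/*)
                [ "$type" = hadoop_exec_t ] || echo "$path $type" ;;
        esac
    done
}
# Print "<pid> <domain>" for each Hadoop JVM not in a hadoop_*_t domain;
# initrc_t or unconfined_java_t here means the domain transition did not happen.
unconfined_hadoop_procs() {
    printf '%s\n' "$1" | while read -r ctx pid _args; do
        [ -n "$pid" ] || continue
        dom=$(ctx_type "$ctx")
        case "$dom" in
            hadoop_t|hadoop_*_t) ;;
            *) echo "$pid $dom" ;;
        esac
    done
}
```

On a real host, run `mislabelled_files "$(ls -Z /etc/init.d/hadoop-* /usr/lib/hadoop-0.20/bin/*)"` after `semodule -l | grep hadoop` confirms the module is loaded, and a non-empty result is the cue for `restorecon -Rv` on those paths before restarting the daemons.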