From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 09 Feb 2012 14:02:35 -0500
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <002701cce6a4$ba1efdc0$2e5cf940$@edu>
References: <001801cce698$0bd44560$237cd020$@edu> <4F32D102.3060605@tresys.com> <002601cce6a0$e2e7ce20$a8b76a60$@edu> <4F32DDA1.3050901@redhat.com> <002701cce6a4$ba1efdc0$2e5cf940$@edu>
Message-ID: <4F34184B.5030106@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/08/2012 04:00 PM, Jean Khosalim wrote:
> The following are the labels:
>
> In /etc/init.d directory:
> system_u:object_r:hadoop_datanode_initrc_exec_t:s0           hadoop-0.20-datanode
> system_u:object_r:hadoop_jobtracker_initrc_exec_t:s0         hadoop-0.20-jobtracker
> system_u:object_r:hadoop_namenode_initrc_exec_t:s0           hadoop-0.20-namenode
> system_u:object_r:hadoop_secondarynamenode_initrc_exec_t:s0  hadoop-0.20-secondarynamenode
> system_u:object_r:hadoop_tasktracker_initrc_exec_t:s0        hadoop-0.20-tasktracker
>
> In /usr/lib/hadoop-0.20/bin directory:
> system_u:object_r:hadoop_exec_t:s0  hadoop
> system_u:object_r:hadoop_exec_t:s0  hadoop-config.sh
> system_u:object_r:hadoop_exec_t:s0  hadoop-daemon.sh
> system_u:object_r:hadoop_exec_t:s0  hadoop-daemons.sh
> system_u:object_r:hadoop_exec_t:s0  rcc
> system_u:object_r:hadoop_exec_t:s0  slaves.sh
> system_u:object_r:hadoop_exec_t:s0  start-all.sh
> system_u:object_r:hadoop_exec_t:s0  start-balancer.sh
> system_u:object_r:hadoop_exec_t:s0  start-dfs.sh
> system_u:object_r:hadoop_exec_t:s0  start-mapred.sh
> system_u:object_r:hadoop_exec_t:s0  stop-all.sh
> system_u:object_r:hadoop_exec_t:s0  stop-balancer.sh
> system_u:object_r:hadoop_exec_t:s0  stop-dfs.sh
> system_u:object_r:hadoop_exec_t:s0  stop-mapred.sh
>
>
> Jean Khosalim
> Research Associate
> Computer Science Department
> Naval Postgraduate School
> 1411 Cunningham Rd, GE-231
> Monterey, CA 93943
> (831) 656-2222
> jkhosali at nps.edu
>
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Wednesday, February 08, 2012 12:40 PM
>> To: Jean Khosalim
>> Cc: 'Christopher J. PeBenito'; refpolicy at oss1.tresys.com
>> Subject: Re: [refpolicy] SELinux policy for Hadoop
>>
>> On 02/08/2012 03:33 PM, Jean Khosalim wrote:
>>>> Yes, I did.
>>>>
>>>> Jean Khosalim
>>>>
>>>>> -----Original Message-----
>>>>> From: Christopher J. PeBenito [mailto:cpebenito at tresys.com]
>>>>> Sent: Wednesday, February 08, 2012 11:46 AM
>>>>> To: Jean Khosalim
>>>>> Cc: refpolicy at oss.tresys.com
>>>>> Subject: Re: [refpolicy] SELinux policy for Hadoop
>>>>>
>>>>> On 02/08/12 14:29, Jean Khosalim wrote:
>>>>>> I built a Fedora 16 system and installed Cloudera's CDH3 (with
>>>>>> Hadoop-0.20). SELinux is enforcing and policy used is 'targeted'.
>>>>>> Ran a simple wordcount example and it works. But I noticed that
>>>>>> the Hadoop-related processes are running with
>>>>>> 'system_u:system_r:initrc_t:s0'. I was expecting hadoop_t instead
>>>>>> of initrc_t. I also noticed that there is no 'hadoop.pp' in
>>>>>> /etc/selinux/targeted/modules/active/modules directory.
>>>>>>
>>>>>> I ran 'yum update' on the system and force autorelabel on boot
>>>>>> (add 'enforcing=0 autorelabel' to grub). After reboot, it looks
>>>>>> like nothing changed, i.e., Hadoop-related processes still run
>>>>>> with 'system_u:system_r:initrc_t:s0' and there is no 'hadoop.pp'
>>>>>> in /etc/selinux/targeted/modules/active/modules directory.
>>>>>>
>>>>>> Then I downloaded the source rpm for
>>>>>> selinux-policy-3.10.0-75.fc16.src.rpm. Looking at the source
>>>>>> files, I noticed that modules_targeted.conf doesn't have
>>>>>> 'hadoop'. I modified the file to add in 'hadoop' and ran
>>>>>> 'rpmbuild -ba ./rpmbuild/SPECS/selinux-policy.spec' which
>>>>>> generated a new set of rpm. I did a force rpm install of the
>>>>>> newly created selinux-policy-3.10.0-75.fc16.noarch.rpm and
>>>>>> selinux-policy-targeted-3.10.0-75.fc16.noarch.rpm. Then I
>>>>>> rebooted the system.
>>>>>>
>>>>>> After the reboot, I now see 'hadoop.pp' IS in
>>>>>> /etc/selinux/targeted/modules/active/modules directory and the
>>>>>> hadoop-related processes are now running with
>>>>>> 'system_u:system_r:unconfined_java_t:s0'. Is my expectation that
>>>>>> the hadoop-related processes will run as 'hadoop_t' incorrect?
>>>>>> Are there any steps that I am missing?
>>>>>
>>>>> Did you relabel after you updated the policy?
>>>>>
>>>>> --
>>>>> Chris PeBenito
>>>>> Tresys Technology, LLC
>>>>> www.tresys.com | oss.tresys.com
>>>>
>>>> _______________________________________________
>>>> refpolicy mailing list
>>>> refpolicy at oss.tresys.com
>>>> http://oss.tresys.com/mailman/listinfo/refpolicy
>
>
> What is the path to the daemon executables? Are they labeled with
> a hadoop*_exec_t type label?
>

Ok then which hadoop process is running as initrc_t?
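To answer the "which hadoop process is running as initrc_t?" question systematically, here is an added diagnostic (example code, not from the thread or from refpolicy): two POSIX shell functions that take `ps -eo label,pid,args` and `ls -Z` style output and report hadoop processes outside a hadoop_* domain and daemon executables without a hadoop*_exec_t label. The sample data, PIDs and the hadoop_datanode_t type are constructed for the example.

```shell
#!/bin/sh
# Constructed sample in `ps -eo label,pid,args` format, mirroring the thread:
# the namenode is stuck in initrc_t, the jobtracker in unconfined_java_t.
SAMPLE_PS='LABEL PID COMMAND
system_u:system_r:init_t:s0 1 /sbin/init
system_u:system_r:initrc_t:s0 1201 java -Dproc_namenode -Dhadoop.log.dir=/var/log/hadoop
system_u:system_r:hadoop_datanode_t:s0 1250 java -Dproc_datanode -Dhadoop.log.dir=/var/log/hadoop
system_u:system_r:unconfined_java_t:s0 1302 java -Dproc_jobtracker -Dhadoop.log.dir=/var/log/hadoop'

# Constructed sample in `ls -Z` format (label, then path); one script is mislabeled.
SAMPLE_LS='system_u:object_r:hadoop_namenode_initrc_exec_t:s0 /etc/init.d/hadoop-0.20-namenode
system_u:object_r:hadoop_exec_t:s0 /usr/lib/hadoop-0.20/bin/hadoop
system_u:object_r:bin_t:s0 /usr/lib/hadoop-0.20/bin/hadoop-daemon.sh'

# Print "PID TYPE" for every process whose command line mentions hadoop but
# whose SELinux type (third field of user:role:type:level) is not a hadoop_* domain.
misdomained_hadoop_procs() {
    printf '%s\n' "$1" | awk '
        NR == 1 && $1 == "LABEL" { next }
        tolower($0) ~ /hadoop/ {
            split($1, ctx, ":")
            if (ctx[3] !~ /^hadoop_/) print $2, ctx[3]
        }'
}

# Print "PATH TYPE" for every file whose type is not a hadoop*_exec_t entrypoint.
# Without an entrypoint label there is no domain transition on exec, so the
# daemon simply stays in the caller's domain (e.g. initrc_t from the init script).
mislabeled_hadoop_execs() {
    printf '%s\n' "$1" | awk '{
        split($1, ctx, ":")
        if (ctx[3] !~ /^hadoop_.*exec_t$/) print $2, ctx[3]
    }'
}

# Stand-alone run against the samples; on a live host feed the functions
#   ps -eo label,pid,args
#   ls -Z /etc/init.d/hadoop-* /usr/lib/hadoop-0.20/bin/*
echo "Hadoop processes outside hadoop_* domains:"
misdomained_hadoop_procs "$SAMPLE_PS"
echo "Hadoop executables without hadoop*_exec_t labels:"
mislabeled_hadoop_execs "$SAMPLE_LS"
```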