From: jkhosali@nps.edu (Jean Khosalim)
Date: Thu, 9 Feb 2012 11:30:33 -0800
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <4F34184B.5030106@redhat.com>
References: <001801cce698$0bd44560$237cd020$@edu> <4F32D102.3060605@tresys.com> <002601cce6a0$e2e7ce20$a8b76a60$@edu> <4F32DDA1.3050901@redhat.com> <002701cce6a4$ba1efdc0$2e5cf940$@edu> <4F34184B.5030106@redhat.com>
Message-ID: <000e01cce761$4adb45f0$e091d1d0$@edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

The following is the output of 'ps auxZ | grep java' (with a portion of each ps line replaced with '.....' because it is too long):

----- Begin output of 'ps auxZ | grep java' ------
system_u:system_r:initrc_t:s0 root 1107 0.0 0.2 7808 2180 ? S 10:44 0:00 su mapred -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_tasktracker ..... org.apache.hadoop.mapred.TaskTracker
system_u:system_r:initrc_t:s0 root 1109 0.0 0.2 7812 2188 ? S 10:44 0:00 su mapred -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_jobtracker ..... org.apache.hadoop.mapred.JobTracker
system_u:system_r:initrc_t:s0 root 1111 0.0 0.2 7812 2188 ? S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_secondarynamenode ..... org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode
system_u:system_r:initrc_t:s0 root 1113 0.0 0.2 7812 2192 ? S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_datanode ..... org.apache.hadoop.hdfs.server.datanode.DataNode
system_u:system_r:initrc_t:s0 root 1115 0.0 0.2 7812 2184 ? S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_namenode ..... org.apache.hadoop.hdfs.server.namenode.NameNode
system_u:system_r:unconfined_java_t:s0 mapred 1130 1.1 4.1 1197024 42552 ? Sl 10:44 0:06 java -Dproc_jobtracker ..... org.apache.hadoop.mapred.JobTracker
system_u:system_r:unconfined_java_t:s0 hdfs 1131 1.1 6.3 1197864 64808 ? Sl 10:44 0:05 java -Dproc_namenode ..... org.apache.hadoop.hdfs.server.namenode.NameNode
system_u:system_r:unconfined_java_t:s0 hdfs 1132 1.0 6.1 1191856 62752 ? Sl 10:44 0:05 java -Dproc_secondarynamenode ..... org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode
system_u:system_r:unconfined_java_t:s0 mapred 1133 1.3 4.1 1195780 42856 ? Sl 10:44 0:07 java -Dproc_tasktracker ..... org.apache.hadoop.mapred.TaskTracker
system_u:system_r:unconfined_java_t:s0 hdfs 1134 1.1 4.1 1194756 42528 ? Sl 10:44 0:05 java -Dproc_datanode ..... org.apache.hadoop.hdfs.server.datanode.DataNode
----- End output of 'ps auxZ | grep java' ------

Thanks,
Jean Khosalim

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Thursday, February 09, 2012 11:03 AM
> To: Jean Khosalim
> Cc: 'Christopher J. PeBenito'; refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] SELinux policy for Hadoop
>
> On 02/08/2012 04:00 PM, Jean Khosalim wrote:
> > The following are the labels:
> >
> > In /etc/init.d directory:
> > system_u:object_r:hadoop_datanode_initrc_exec_t:s0 hadoop-0.20-datanode
> > system_u:object_r:hadoop_jobtracker_initrc_exec_t:s0 hadoop-0.20-jobtracker
> > system_u:object_r:hadoop_namenode_initrc_exec_t:s0 hadoop-0.20-namenode
> > system_u:object_r:hadoop_secondarynamenode_initrc_exec_t:s0 hadoop-0.20-secondarynamenode
> > system_u:object_r:hadoop_tasktracker_initrc_exec_t:s0 hadoop-0.20-tasktracker
> >
> > In /usr/lib/hadoop-0.20/bin directory:
> > system_u:object_r:hadoop_exec_t:s0 hadoop
> > system_u:object_r:hadoop_exec_t:s0 hadoop-config.sh
> > system_u:object_r:hadoop_exec_t:s0 hadoop-daemon.sh
> > system_u:object_r:hadoop_exec_t:s0 hadoop-daemons.sh
> > system_u:object_r:hadoop_exec_t:s0 rcc
> > system_u:object_r:hadoop_exec_t:s0 slaves.sh
> > system_u:object_r:hadoop_exec_t:s0 start-all.sh
> > system_u:object_r:hadoop_exec_t:s0 start-balancer.sh
> > system_u:object_r:hadoop_exec_t:s0 start-dfs.sh
> > system_u:object_r:hadoop_exec_t:s0 start-mapred.sh
> > system_u:object_r:hadoop_exec_t:s0 stop-all.sh
> > system_u:object_r:hadoop_exec_t:s0 stop-balancer.sh
> > system_u:object_r:hadoop_exec_t:s0 stop-dfs.sh
> > system_u:object_r:hadoop_exec_t:s0 stop-mapred.sh
> >
> > Jean Khosalim
> > Research Associate
> > Computer Science Department
> > Naval Postgraduate School
> > 1411 Cunningham Rd, GE-231
> > Monterey, CA 93943
> > (831) 656-2222
> > jkhosali at nps.edu
> >
> >> -----Original Message-----
> >> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> >> Sent: Wednesday, February 08, 2012 12:40 PM
> >> To: Jean Khosalim
> >> Cc: 'Christopher J. PeBenito'; refpolicy at oss1.tresys.com
> >> Subject: Re: [refpolicy] SELinux policy for Hadoop
> >>
> >> On 02/08/2012 03:33 PM, Jean Khosalim wrote:
> >>> Yes, I did.
> >>>
> >>> Jean Khosalim
> >>>
> >>>> -----Original Message-----
> >>>> From: Christopher J. PeBenito [mailto:cpebenito at tresys.com]
> >>>> Sent: Wednesday, February 08, 2012 11:46 AM
> >>>> To: Jean Khosalim
> >>>> Cc: refpolicy at oss.tresys.com
> >>>> Subject: Re: [refpolicy] SELinux policy for Hadoop
> >>>>
> >>>> On 02/08/12 14:29, Jean Khosalim wrote:
> >>>>> I built a Fedora 16 system and installed Cloudera's CDH3 (with Hadoop-0.20).
> >>>>> SELinux is enforcing and the policy used is 'targeted'. Ran a simple wordcount
> >>>>> example and it works. But I noticed that the Hadoop related processes are
> >>>>> running with 'system_u:system_r:initrc_t:s0'. I was expecting hadoop_t
> >>>>> instead of initrc_t. I also noticed that there is no 'hadoop.pp' in the
> >>>>> /etc/selinux/targeted/modules/active/modules directory.
> >>>>>
> >>>>> I ran 'yum update' on the system and forced an autorelabel on boot (added
> >>>>> 'enforcing=0 autorelabel' to grub). After reboot, it looks like nothing
> >>>>> changed, i.e., Hadoop related processes still run with
> >>>>> 'system_u:system_r:initrc_t:s0' and there is no 'hadoop.pp' in the
> >>>>> /etc/selinux/targeted/modules/active/modules directory.
> >>>>>
> >>>>> Then I downloaded the source rpm for selinux-policy-3.10.0-75.fc16.src.rpm.
> >>>>> Looking at the source files, I noticed that modules_targeted.conf doesn't
> >>>>> have 'hadoop'. I modified the file to add in 'hadoop' and ran 'rpmbuild -ba
> >>>>> ./rpmbuild/SPECS/selinux-policy.spec', which generated a new set of rpms. I
> >>>>> did a forced rpm install of the newly created
> >>>>> selinux-policy-3.10.0-75.fc16.noarch.rpm and
> >>>>> selinux-policy-targeted-3.10.0-75.fc16.noarch.rpm. Then I rebooted the
> >>>>> system.
> >>>>>
> >>>>> After the reboot, I now see 'hadoop.pp' IS in the
> >>>>> /etc/selinux/targeted/modules/active/modules directory and the hadoop
> >>>>> related processes are now running with
> >>>>> 'system_u:system_r:unconfined_java_t:s0'. Is my expectation that the hadoop
> >>>>> related processes will run as 'hadoop_t' incorrect? Are there any steps that
> >>>>> I am missing?
> >>>>
> >>>> Did you relabel after you updated the policy?
> >>>>
> >>>> --
> >>>> Chris PeBenito
> >>>> Tresys Technology, LLC
> >>>> www.tresys.com | oss.tresys.com
> >>>
> >>> _______________________________________________
> >>> refpolicy mailing list
> >>> refpolicy at oss.tresys.com
> >>> http://oss.tresys.com/mailman/listinfo/refpolicy
> >>
> >> What is the path to the daemon executables? Are they labeled with
> >> a hadoop*_exec_t type label?
>
> Ok then which hadoop process is running as initrc_t?
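The ps output above is the kind of evidence this thread is chasing: the `su` wrappers sit in initrc_t and every Hadoop JVM ends up in unconfined_java_t rather than a hadoop_*_t domain. As an added check that is not part of this thread, the following shell function parses `ps auxZ` lines and flags any Hadoop daemon JVM whose SELinux type does not match the expected hadoop_<daemon>_t domain; the expected type names are an assumption based on refpolicy's hadoop module naming, and the sample lines are constructed from the thread's output with the long java argument list trimmed.

```shell
#!/bin/sh
# Added example, not from the thread: report the SELinux domain each Hadoop
# daemon JVM is actually running in and flag the ones outside hadoop_<daemon>_t.
# ASSUMPTION: expected domains follow refpolicy's hadoop_<daemon>_t naming
# (hadoop_namenode_t, hadoop_datanode_t, ...); confirm with 'seinfo -t | grep hadoop'.

# Constructed sample modelled on the thread's 'ps auxZ | grep java' output
# (the java argument list is trimmed to the -Dproc_* flag and the main class).
SAMPLE_PS='system_u:system_r:initrc_t:s0 root 1107 0.0 0.2 7808 2180 ? S 10:44 0:00 su mapred -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_tasktracker org.apache.hadoop.mapred.TaskTracker
system_u:system_r:unconfined_java_t:s0 mapred 1133 1.3 4.1 1195780 42856 ? Sl 10:44 0:07 java -Dproc_tasktracker org.apache.hadoop.mapred.TaskTracker
system_u:system_r:hadoop_namenode_t:s0 hdfs 1131 1.1 6.3 1197864 64808 ? Sl 10:44 0:05 java -Dproc_namenode org.apache.hadoop.hdfs.server.namenode.NameNode'

# hadoop_domain_check: reads 'ps auxZ' lines on stdin and prints one line per
# Hadoop JVM: "<daemon> <pid> <type> <OK|WRONG-DOMAIN>".  Exit status is 1 if
# any JVM is in the wrong domain.  The su wrappers (initrc_t, command = su)
# are skipped: the context that matters is the JVM itself, after the exec.
hadoop_domain_check() {
    awk '
    # ps auxZ columns: LABEL USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
    /-Dproc_/ && $12 ~ /(^|\/)java$/ {
        split($1, ctx, ":")                 # user:role:type:level
        type = ctx[3]
        daemon = ""
        for (i = 13; i <= NF; i++)
            if ($i ~ /^-Dproc_/) { daemon = substr($i, 8); break }
        want = "hadoop_" daemon "_t"
        if (type == want) status = "OK"
        else { status = "WRONG-DOMAIN"; bad++ }
        print daemon, $3, type, status
    }
    END { exit (bad > 0) ? 1 : 0 }'
}

# Stand-alone run over the constructed sample (live use: ps auxZ | hadoop_domain_check).
printf '%s\n' "$SAMPLE_PS" | hadoop_domain_check ||
    echo "some Hadoop JVMs are running outside their hadoop_*_t domain"
```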