From: dwalsh@redhat.com (Daniel J Walsh)
Date: Thu, 09 Feb 2012 16:59:44 -0500
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <000e01cce761$4adb45f0$e091d1d0$@edu>
References: <001801cce698$0bd44560$237cd020$@edu> <4F32D102.3060605@tresys.com> <002601cce6a0$e2e7ce20$a8b76a60$@edu> <4F32DDA1.3050901@redhat.com> <002701cce6a4$ba1efdc0$2e5cf940$@edu> <4F34184B.5030106@redhat.com> <000e01cce761$4adb45f0$e091d1d0$@edu>
Message-ID: <4F3441D0.508@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Ok, this looks like the init scripts are executing java rather than going through a shell script.

SELinux relies on transition rules. When a_t executes b_exec_t, it transitions to b_t. So we would have a rule saying

    initrc_t -> hadoop_exec_t -> hadoop_t

But you are showing

    initrc_t -> java_exec_t -> initrc_t

The way to make this work would be to have a shell script that would execute the java for each different user, or to use runcon.

On 02/09/2012 02:30 PM, Jean Khosalim wrote:
> The following is the output of 'ps auxZ | grep java' (with portion of
> the ps line replaced with '.....' because it is too long):
>
> ----- Begin output of 'ps auxZ | grep java' ------
>
> system_u:system_r:initrc_t:s0 root 1107 0.0 0.2 7808 2180 ? S 10:44 0:00 su mapred -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_tasktracker ..... org.apache.hadoop.mapred.TaskTracker
> system_u:system_r:initrc_t:s0 root 1109 0.0 0.2 7812 2188 ? S 10:44 0:00 su mapred -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_jobtracker ..... org.apache.hadoop.mapred.JobTracker
> system_u:system_r:initrc_t:s0 root 1111 0.0 0.2 7812 2188 ? S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_secondarynamenode ..... org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode
> system_u:system_r:initrc_t:s0 root 1113 0.0 0.2 7812 2192 ? S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_datanode ..... org.apache.hadoop.hdfs.server.datanode.DataNode
> system_u:system_r:initrc_t:s0 root 1115 0.0 0.2 7812 2184 ? S 10:44 0:00 su hdfs -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_namenode ..... org.apache.hadoop.hdfs.server.namenode.NameNode
> system_u:system_r:unconfined_java_t:s0 mapred 1130 1.1 4.1 1197024 42552 ? Sl 10:44 0:06 java -Dproc_jobtracker ..... org.apache.hadoop.mapred.JobTracker
> system_u:system_r:unconfined_java_t:s0 hdfs 1131 1.1 6.3 1197864 64808 ? Sl 10:44 0:05 java -Dproc_namenode ..... org.apache.hadoop.hdfs.server.namenode.NameNode
> system_u:system_r:unconfined_java_t:s0 hdfs 1132 1.0 6.1 1191856 62752 ? Sl 10:44 0:05 java -Dproc_secondarynamenode ..... org.apache.hadoop.hdfs.server.namenode.SecondaryNameNode
> system_u:system_r:unconfined_java_t:s0 mapred 1133 1.3 4.1 1195780 42856 ? Sl 10:44 0:07 java -Dproc_tasktracker ..... org.apache.hadoop.mapred.TaskTracker
> system_u:system_r:unconfined_java_t:s0 hdfs 1134 1.1 4.1 1194756 42528 ? Sl 10:44 0:05 java -Dproc_datanode ..... org.apache.hadoop.hdfs.server.datanode.DataNode
>
> ----- End output of 'ps auxZ | grep java' ------
>
> Thanks,
> Jean Khosalim
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Thursday, February 09, 2012 11:03 AM
>> To: Jean Khosalim
>> Cc: 'Christopher J. PeBenito'; refpolicy at oss1.tresys.com
>> Subject: Re: [refpolicy] SELinux policy for Hadoop
>>
>> On 02/08/2012 04:00 PM, Jean Khosalim wrote:
>>> The following are the labels:
>>>
>>> In /etc/init.d directory:
>>> system_u:object_r:hadoop_datanode_initrc_exec_t:s0 hadoop-0.20-datanode
>>> system_u:object_r:hadoop_jobtracker_initrc_exec_t:s0 hadoop-0.20-jobtracker
>>> system_u:object_r:hadoop_namenode_initrc_exec_t:s0 hadoop-0.20-namenode
>>> system_u:object_r:hadoop_secondarynamenode_initrc_exec_t:s0 hadoop-0.20-secondarynamenode
>>> system_u:object_r:hadoop_tasktracker_initrc_exec_t:s0 hadoop-0.20-tasktracker
>>>
>>> In /usr/lib/hadoop-0.20/bin directory:
>>> system_u:object_r:hadoop_exec_t:s0 hadoop
>>> system_u:object_r:hadoop_exec_t:s0 hadoop-config.sh
>>> system_u:object_r:hadoop_exec_t:s0 hadoop-daemon.sh
>>> system_u:object_r:hadoop_exec_t:s0 hadoop-daemons.sh
>>> system_u:object_r:hadoop_exec_t:s0 rcc
>>> system_u:object_r:hadoop_exec_t:s0 slaves.sh
>>> system_u:object_r:hadoop_exec_t:s0 start-all.sh
>>> system_u:object_r:hadoop_exec_t:s0 start-balancer.sh
>>> system_u:object_r:hadoop_exec_t:s0 start-dfs.sh
>>> system_u:object_r:hadoop_exec_t:s0 start-mapred.sh
>>> system_u:object_r:hadoop_exec_t:s0 stop-all.sh
>>> system_u:object_r:hadoop_exec_t:s0 stop-balancer.sh
>>> system_u:object_r:hadoop_exec_t:s0 stop-dfs.sh
>>> system_u:object_r:hadoop_exec_t:s0 stop-mapred.sh
>>>
>>> Jean Khosalim
>>> Research Associate
>>> Computer Science Department
>>> Naval Postgraduate School
>>> 1411 Cunningham Rd, GE-231
>>> Monterey, CA 93943
>>> (831) 656-2222
>>> jkhosali at nps.edu
>>>
>>>> -----Original Message-----
>>>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>>> Sent: Wednesday, February 08, 2012 12:40 PM
>>>> To: Jean Khosalim
>>>> Cc: 'Christopher J. PeBenito'; refpolicy at oss1.tresys.com
>>>> Subject: Re: [refpolicy] SELinux policy for Hadoop
>>>>
>>>> On 02/08/2012 03:33 PM, Jean Khosalim wrote:
>>>>> Yes, I did.
>>>>>
>>>>> Jean Khosalim
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Christopher J. PeBenito [mailto:cpebenito at tresys.com]
>>>>>> Sent: Wednesday, February 08, 2012 11:46 AM
>>>>>> To: Jean Khosalim
>>>>>> Cc: refpolicy at oss.tresys.com
>>>>>> Subject: Re: [refpolicy] SELinux policy for Hadoop
>>>>>>
>>>>>> On 02/08/12 14:29, Jean Khosalim wrote:
>>>>>>> I built a Fedora 16 system and installed Cloudera's CDH3 (with
>>>>>>> Hadoop-0.20). SELinux is enforcing and policy used is 'targeted'.
>>>>>>> Ran a simple wordcount example and it works. But I noticed that the
>>>>>>> Hadoop related processes are running with
>>>>>>> 'system_u:system_r:initrc_t:s0'. I was expecting hadoop_t instead of
>>>>>>> initrc_t. I also noticed that there is no 'hadoop.pp' in
>>>>>>> /etc/selinux/targeted/modules/active/modules directory.
>>>>>>>
>>>>>>> I ran 'yum update' on the system and force autorelabel on boot (add
>>>>>>> 'enforcing=0 autorelabel' to grub). After reboot, it looks like
>>>>>>> nothing changed, i.e., Hadoop related processes still run with
>>>>>>> 'system_u:system_r:initrc_t:s0' and there is no 'hadoop.pp' in
>>>>>>> /etc/selinux/targeted/modules/active/modules directory.
>>>>>>>
>>>>>>> Then I downloaded the source rpm for
>>>>>>> selinux-policy-3.10.0-75.fc16.src.rpm. Looking at the source files,
>>>>>>> I noticed that modules_targeted.conf doesn't have 'hadoop'. I
>>>>>>> modified the file to add in 'hadoop' and ran 'rpmbuild -ba
>>>>>>> ./rpmbuild/SPECS/selinux-policy.spec' which generated a new set of
>>>>>>> rpm. I did a force rpm install of the newly created
>>>>>>> selinux-policy-3.10.0-75.fc16.noarch.rpm and
>>>>>>> selinux-policy-targeted-3.10.0-75.fc16.noarch.rpm. Then I rebooted
>>>>>>> the system.
>>>>>>>
>>>>>>> After the reboot, I now see 'hadoop.pp' IS in
>>>>>>> /etc/selinux/targeted/modules/active/modules directory and the
>>>>>>> hadoop related processes are now running with
>>>>>>> 'system_u:system_r:unconfined_java_t:s0'. Is my expectation that
>>>>>>> the hadoop related processes will run as 'hadoop_t' incorrect? Are
>>>>>>> there any steps that I am missing?
>>>>>>
>>>>>> Did you relabel after you updated the policy?
>>>>>>
>>>>>> --
>>>>>> Chris PeBenito
>>>>>> Tresys Technology, LLC
>>>>>> www.tresys.com | oss.tresys.com
>>>>
>>>> What is the path to the daemon executables? Are they labeled with a
>>>> hadoop*_exec_t type label?
>>
>> Ok then which hadoop process is running as initrc_t?
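The transition rule Dan describes, as an added example that is not part of the thread or of refpolicy: a small Python model that parses type_transition rules and follows an exec chain, showing why the su-then-java chain from initrc_t never reaches hadoop_t while a hadoop_exec_t-labelled wrapper script does. The rule set is constructed; the java_exec_t -> unconfined_java_t rule is an assumption made to match the ps output in the thread.

```python
import re

# Constructed rule set in SELinux policy syntax (assumed, not from refpolicy).
# The java_exec_t -> unconfined_java_t rule models what the ps output shows.
POLICY_RULES = """
type_transition initrc_t hadoop_exec_t:process hadoop_t;
type_transition initrc_t java_exec_t:process unconfined_java_t;
"""

RULE_RE = re.compile(r"type_transition\s+(\w+)\s+(\w+):process\s+(\w+)\s*;")


def parse_transitions(policy_text):
    """Map (source_domain, exec_type) -> new domain for process transitions."""
    return {(src, exe): dst for src, exe, dst in RULE_RE.findall(policy_text)}


def resolve_exec_chain(rules, start_domain, exec_types):
    """Follow a chain of execs. With no matching rule the domain is kept,
    which is exactly how a process started by initrc_t keeps initrc_t."""
    domain = start_domain
    trace = [domain]
    for exec_type in exec_types:
        domain = rules.get((domain, exec_type), domain)
        trace.append(domain)
    return trace


def explain_chain(rules, start_domain, exec_types):
    """Render the chain as 'a_t --b_exec_t--> b_t ...' for a report."""
    trace = resolve_exec_chain(rules, start_domain, exec_types)
    out = trace[0]
    for exec_type, domain in zip(exec_types, trace[1:]):
        out += " --%s--> %s" % (exec_type, domain)
    return out


def reaches_confined_domain(rules, start_domain, exec_types, wanted="hadoop_t"):
    """True if the final process domain is the confined one we expect."""
    return resolve_exec_chain(rules, start_domain, exec_types)[-1] == wanted


if __name__ == "__main__":
    rules = parse_transitions(POLICY_RULES)
    # What the init scripts do today: su, then java straight from initrc_t.
    print(explain_chain(rules, "initrc_t", ["su_exec_t", "java_exec_t"]))
    # Dan's suggestion: a hadoop_exec_t-labelled shell wrapper that execs java.
    print(explain_chain(rules, "initrc_t", ["hadoop_exec_t", "java_exec_t"]))
```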