From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 13 Feb 2012 16:44:29 -0500
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <000301ccea96$289502f0$79bf08d0$@edu>
References: <001801cce698$0bd44560$237cd020$@edu> <4F32D102.3060605@tresys.com> <002601cce6a0$e2e7ce20$a8b76a60$@edu> <4F32DDA1.3050901@redhat.com> <002701cce6a4$ba1efdc0$2e5cf940$@edu> <4F34184B.5030106@redhat.com> <000e01cce761$4adb45f0$e091d1d0$@edu> <4F3441D0.508@redhat.com> <000301ccea96$289502f0$79bf08d0$@edu>
Message-ID: <4F39843D.70202@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/13/2012 04:26 PM, Jean Khosalim wrote:
> Hi Daniel,
>
> Thank you for responding. To try your suggestion, I did the following:
>
> 1. First stop all the services:
>      service hadoop-0.20-datanode stop
>      service hadoop-0.20-namenode stop
>      service hadoop-0.20-secondarynamenode stop
>      service hadoop-0.20-jobtracker stop
>      service hadoop-0.20-tasktracker stop
>    (Make sure all Hadoop processes are stopped, and ps no longer shows them.)
>
> 2. Modified /usr/lib/hadoop-0.20/conf/hadoop-env.sh by adding the following lines:
>      export HADOOP_DATANODE_USER=hdfs
>      export HADOOP_NAMENODE_USER=hdfs
>      export HADOOP_SECONDARYNAMENODE_USER=hdfs
>      export HADOOP_JOBTRACKER_USER=mapred
>      export HADOOP_TASKTRACKER_USER=mapred
>
> 3. Start the Hadoop processes manually:
>      /usr/lib/hadoop-0.20/bin/start-all.sh
>
> But the result of the ps output is still the same, i.e., running with unconfined_java_t.
>
> Is this what you meant by the "a shell script that would execute the java for each different user" method?
>
> I am trying to figure out how to use runcon (what arguments to use).
>
> Thanks,
> Jean Khosalim
>

The problem is hadoop-0.20-jobtracker is executing java --class. So no transition happens.
If hadoop-0.20-jobtracker executed /usr/bin/hadoop-jobtracker, which had java --class within it, then we could label /usr/bin/hadoop-jobtracker hadoop_exec_t, and the transitions would happen.

Alternatively you could attempt runcon -t hadoop_t -- java --class ...
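The two options described in the reply above, a labeled wrapper entrypoint so the domain transition fires on exec, or runcon as a fallback, as an added example that is not part of the thread and not refpolicy's or Hadoop's own code. Assumed, because the thread does not state them: the wrapper path /usr/bin/hadoop-jobtracker, the jobtracker main class org.apache.hadoop.mapred.JobTracker, and that the loaded policy already defines hadoop_t as a domain with hadoop_exec_t as its entrypoint type. The ps lines fed to the check at the end are constructed sample data.

```shell
#!/bin/sh
# Example (not from the thread): make the jobtracker's entrypoint a file that can
# carry the hadoop_exec_t label, so SELinux can transition the process into hadoop_t.
# Assumptions: wrapper path, main class name, and that the policy defines
# hadoop_t / hadoop_exec_t with a transition from the caller's domain.

# Write the wrapper script into DIR (default /usr/bin) and print its path.
write_jobtracker_wrapper() {
    dir="${1:-/usr/bin}"
    wrapper="$dir/hadoop-jobtracker"
    cat > "$wrapper" <<'EOF'
#!/bin/sh
# Because the init script execs THIS file (labeled hadoop_exec_t) rather than
# /usr/bin/java, the exec of this file is where the domain transition happens.
# Class name and classpath are assumed values, not taken from the thread.
exec /usr/bin/java -classpath "${HADOOP_CLASSPATH:-/usr/lib/hadoop-0.20/*}" \
    org.apache.hadoop.mapred.JobTracker "$@"
EOF
    chmod 0755 "$wrapper"
    printf '%s\n' "$wrapper"
}

# Record a persistent file context for the wrapper and apply it.
# Only meaningful on an SELinux-enabled host; returns 1 elsewhere.
label_wrapper() {
    wrapper="$1"
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        semanage fcontext -a -t hadoop_exec_t "$wrapper"
        restorecon -v "$wrapper"
    else
        echo "SELinux not enabled here; would label $wrapper hadoop_exec_t" >&2
        return 1
    fi
}

# Fallback from the thread: start java directly in hadoop_t with runcon.
# This only works if policy allows the caller's domain to enter hadoop_t this way.
runcon_jobtracker() {
    exec runcon -t hadoop_t -- /usr/bin/java \
        -classpath "${HADOOP_CLASSPATH:-/usr/lib/hadoop-0.20/*}" \
        org.apache.hadoop.mapred.JobTracker "$@"
}

# Extract the type (third field) from a security context string.
domain_of_context() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Verification step: given `ps -eZ -o label,user,comm`-style lines on stdin
# (context first, command name last), count java processes NOT in hadoop_t.
# A non-zero result means the transition did not happen for some daemon.
count_unconfined_java() {
    awk '$NF == "java" { split($1, c, ":"); if (c[3] != "hadoop_t") n++ } END { print n + 0 }'
}

# Constructed sample ps output (not captured from a real host).
sample_ps_output() {
    printf '%s\n' \
        'system_u:system_r:hadoop_t:s0 hdfs java' \
        'unconfined_u:unconfined_r:unconfined_java_t:s0 mapred java' \
        'system_u:system_r:init_t:s0 root init'
}

# Usage on a real host:
#   w=$(write_jobtracker_wrapper) && label_wrapper "$w"
#   ps -eZ -o label,user,comm | count_unconfined_java   # expect 0 after restart
```

The check at the end is what answers the "still unconfined_java_t" observation in the thread: after the init script is changed to exec the labeled wrapper and the daemons are restarted, every java process belonging to Hadoop should show hadoop_t in `ps -eZ`; any that still show unconfined_java_t were started through a path that exec'd /usr/bin/java directly.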