From: jkhosali@nps.edu (Jean Khosalim)
Date: Mon, 13 Feb 2012 14:25:43 -0800
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <4F39843D.70202@redhat.com>
References: <001801cce698$0bd44560$237cd020$@edu> <4F32D102.3060605@tresys.com> <002601cce6a0$e2e7ce20$a8b76a60$@edu> <4F32DDA1.3050901@redhat.com> <002701cce6a4$ba1efdc0$2e5cf940$@edu> <4F34184B.5030106@redhat.com> <000e01cce761$4adb45f0$e091d1d0$@edu> <4F3441D0.508@redhat.com> <000301ccea96$289502f0$79bf08d0$@edu> <4F39843D.70202@redhat.com>
Message-ID: <000d01ccea9e$6ce2b170$46a81450$@edu>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I am using Cloudera CDH3 (I followed the instructions found in https://ccp.cloudera.com/display/CDHDOC/CDH3+Installation to install it).

Using the above installation:

/etc/init.d/hadoop-0.20-jobtracker (labeled system_u:object_r:hadoop_jobtracker_initrc_exec_t:s0)

Its 'start()' calls:

    daemon /usr/lib/hadoop-0.20/bin/hadoop-daemon.sh --config "/etc/hadoop-0.20/conf" start jobtracker $DAEMON_FLAGS

The script /usr/lib/hadoop-0.20/bin/hadoop-daemon.sh (labeled system_u:object_r:hadoop_exec_t:s0) in turn calls:

    nice -n $HADOOP_NICENESS "$HADOOP_HOME"/bin/hadoop --config $HADOOP_CONF_DIR $command "$@" < /dev/null

Then the /usr/lib/hadoop-0.20/bin/hadoop script (labeled system_u:object_r:hadoop_exec_t:s0) invokes java:

    nohup su $HADOOP_DAEMON_USER -s $JAVA -- -Dproc_$COMMAND_JAVA.....

If I try to run:

    runcon -t hadoop_t su hdfs -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_$COMMAND_JAVA.....

I got:

    runcon: invalid context: unconfined_u:unconfined_r:hadoop_t:s0-s0:c0.c1023: Invalid argument.

Thanks,
Jean Khosalim

> -----Original Message-----
> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
> Sent: Monday, February 13, 2012 1:44 PM
> To: Jean Khosalim
> Cc: 'Christopher J. PeBenito'; refpolicy at oss1.tresys.com
> Subject: Re: [refpolicy] SELinux policy for Hadoop
>
> On 02/13/2012 04:26 PM, Jean Khosalim wrote:
> > Hi Daniel,
> >
> > Thank you for responding. To try your suggestion, I did the following:
> >
> > 1. First stop all the services:
> >
> >     service hadoop-0.20-datanode stop
> >     service hadoop-0.20-namenode stop
> >     service hadoop-0.20-secondarynamenode stop
> >     service hadoop-0.20-jobtracker stop
> >     service hadoop-0.20-tasktracker stop
> >
> >    (Make sure all Hadoop processes are stopped, and ps no longer shows them.)
> >
> > 2. Modified /usr/lib/hadoop-0.20/conf/hadoop-env.sh by adding the following lines:
> >
> >     export HADOOP_DATANODE_USER=hdfs
> >     export HADOOP_NAMENODE_USER=hdfs
> >     export HADOOP_SECONDARYNAMENODE_USER=hdfs
> >     export HADOOP_JOBTRACKER_USER=mapred
> >     export HADOOP_TASKTRACKER_USER=mapred
> >
> > 3. Start the Hadoop processes manually:
> >
> >     /usr/lib/hadoop-0.20/bin/start-all.sh
> >
> > But the result of the ps output is still the same, i.e., running with unconfined_java_t.
> >
> > Is this what you meant by the "a shell script that would execute the java for each different user" method?
> >
> > I am trying to figure out how to use runcon (what arguments to use).
> >
> > Thanks, Jean Khosalim
> >
>
> The problem is hadoop-0.20-jobtracker is executing java --class. So no transition happens.
>
> If hadoop-0.20-jobtracker executed /usr/bin/hadoop-jobtracker, which had java --class within it, then we could label /usr/bin/hadoop-jobtracker hadoop_exec_t, and the transitions would happen.
>
> Alternatively you could attempt
>
>     runcon -t hadoop_t -- java --class ...
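Why runcon refuses the context above, as an added shell example (not code from this thread or from refpolicy): it models the two authorisation checks the kernel applies to a requested context, user-to-role and role-to-type, and builds the system_u:system_r form a daemon domain such as hadoop_t is declared for. The two tables are constructed approximations of refpolicy's defaults, and hadoop_t being a system_r-only domain is the assumption being illustrated.

```shell
#!/bin/sh
# Added example, not code from the thread or from refpolicy. Both tables below are
# CONSTRUCTED from refpolicy's default user/role/type declarations; on a real host
# take them from `seinfo -uunconfined_u -x` and `seinfo -rsystem_r -x` instead.
# The MLS/MCS range is not validated here; only user->role and role->type are.
USER_ROLES='system_u system_r
unconfined_u unconfined_r
unconfined_u system_r'
ROLE_TYPES='system_r hadoop_t
unconfined_r unconfined_t
unconfined_r unconfined_java_t'

# check_context user:role:type[:range]
# Prints "ok", or the reason the kernel (and so runcon) would reject the context.
check_context() {
    ctx=$1
    user=${ctx%%:*}; rest=${ctx#*:}
    role=${rest%%:*}; rest=${rest#*:}
    typ=${rest%%:*}            # anything after the type is the (ignored) range
    if ! printf '%s\n' "$USER_ROLES" | grep -qx "$user $role"; then
        echo "invalid context: user $user is not authorized for role $role"; return 1
    fi
    if ! printf '%s\n' "$ROLE_TYPES" | grep -qx "$role $typ"; then
        echo "invalid context: role $role is not authorized for type $typ"; return 1
    fi
    echo ok
}

# daemon_context TYPE: the full context a system daemon domain is declared for,
# i.e. what `runcon -t hadoop_t` alone does not supply (it keeps the caller's
# unconfined_u:unconfined_r, which is what produced the error in the thread)
daemon_context() { printf 'system_u:system_r:%s:s0\n' "$1"; }

# run_confined TYPE CMD...: run CMD under the daemon context when SELinux is
# active, otherwise just show the runcon invocation; refuses contexts that fail
# check_context so the error surfaces before runcon is ever called.
run_confined() {
    t=$1; shift
    ctx=$(daemon_context "$t")
    check_context "$ctx" >/dev/null || return 1
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        exec runcon "$ctx" -- "$@"
    fi
    echo "would run: runcon $ctx -- $*"
}
```

On the host in the thread, the equivalent of the failing command is `runcon -u system_u -r system_r -t hadoop_t -- ...`, although Daniel's wrapper-script approach (a file labeled hadoop_exec_t that the init script executes) lets the policy perform the transition without runcon at all.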