From: dwalsh@redhat.com (Daniel J Walsh)
Date: Tue, 14 Feb 2012 09:25:41 -0500
Subject: [refpolicy] SELinux policy for Hadoop
In-Reply-To: <000d01ccea9e$6ce2b170$46a81450$@edu>
References: <001801cce698$0bd44560$237cd020$@edu> <4F32D102.3060605@tresys.com> <002601cce6a0$e2e7ce20$a8b76a60$@edu> <4F32DDA1.3050901@redhat.com> <002701cce6a4$ba1efdc0$2e5cf940$@edu> <4F34184B.5030106@redhat.com> <000e01cce761$4adb45f0$e091d1d0$@edu> <4F3441D0.508@redhat.com> <000301ccea96$289502f0$79bf08d0$@edu> <4F39843D.70202@redhat.com> <000d01ccea9e$6ce2b170$46a81450$@edu>
Message-ID: <4F3A6EE5.5010305@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 02/13/2012 05:25 PM, Jean Khosalim wrote:
> I am using Cloudera CDH3 (I followed instructions found in
> https://ccp.cloudera.com/display/CDHDOC/CDH3+Installation to install it).
>
> Using the above installation: /etc/init.d/hadoop-0.20-jobtracker
> (labeled system_u:object_r:hadoop_jobtracker_initrc_exec_t:s0). Its
> 'start()' calls:
>
>     daemon /usr/lib/hadoop-0.20/bin/hadoop-daemon.sh --config "/etc/hadoop-0.20/conf" start jobtracker $DAEMON_FLAGS
>
> The script /usr/lib/hadoop-0.20/bin/hadoop-daemon.sh (labeled
> system_u:object_r:hadoop_exec_t:s0) in turn calls:
>
>     nice -n $HADOOP_NICENESS "$HADOOP_HOME"/bin/hadoop --config $HADOOP_CONF_DIR $command "$@" < /dev/null
>
> Then the /usr/lib/hadoop-0.20/bin/hadoop script (labeled
> system_u:object_r:hadoop_exec_t:s0) invokes java:
>
>     nohup su $HADOOP_DAEMON_USER -s $JAVA -- -Dproc_$COMMAND_JAVA.....

Ok what label does this run as?

> If I try to run:
>
>     runcon -t hadoop_t su hdfs -s /usr/java/jdk1.6.0_30/bin/java -- -Dproc_$COMMAND_JAVA.....
>
> I got:
>
>     runcon: invalid contect: unconfined_u:unconfined_r:hadoop_t:s0-s0:c0.c1023: Invalid argument.

Try runcon system_u:system_r:hadoop_t:s0 su hdfs -s /usr/java/jdk1.6.0_30/bin/java --

> Thanks,
> Jean Khosalim
>
>> -----Original Message-----
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Monday, February 13, 2012 1:44 PM
>> To: Jean Khosalim
>> Cc: 'Christopher J. PeBenito'; refpolicy at oss1.tresys.com
>> Subject: Re: [refpolicy] SELinux policy for Hadoop
>>
>> On 02/13/2012 04:26 PM, Jean Khosalim wrote:
>>> Hi Daniel,
>>>
>>> Thank you for responding. To try your suggestion, I did the following:
>>>
>>> 1. First stop all the services:
>>>
>>>        service hadoop-0.20-datanode stop
>>>        service hadoop-0.20-namenode stop
>>>        service hadoop-0.20-secondarynamenode stop
>>>        service hadoop-0.20-jobtracker stop
>>>        service hadoop-0.20-tasktracker stop
>>>
>>>    (Make sure all Hadoop processes are stopped and ps no longer shows them.)
>>>
>>> 2. Modified /usr/lib/hadoop-0.20/conf/hadoop-env.sh by adding the following lines:
>>>
>>>        export HADOOP_DATANODE_USER=hdfs
>>>        export HADOOP_NAMENODE_USER=hdfs
>>>        export HADOOP_SECONDARYNAMENODE_USER=hdfs
>>>        export HADOOP_JOBTRACKER_USER=mapred
>>>        export HADOOP_TASKTRACKER_USER=mapred
>>>
>>> 3. Start the Hadoop processes manually:
>>>
>>>        /usr/lib/hadoop-0.20/bin/start-all.sh
>>>
>>> But the result of the ps output is still the same, i.e., running with
>>> unconfined_java_t.
>>>
>>> Is this what you meant by the "a shell script that would execute the
>>> java for each different user" method?
>>>
>>> I am trying to figure out how to use runcon (what arguments to use).
>>>
>>> Thanks,
>>> Jean Khosalim
>>
>> The problem is hadoop-0.20-jobtracker is executing java --class.
>> So no transition happens.
>>
>> If hadoop-0.20-jobtracker executed /usr/bin/hadoop-jobtracker,
>> which had java --class within it, then we could label
>> /usr/bin/hadoop-jobtracker hadoop_exec_t, and the transitions
>> would happen.
>>
>> Alternatively you could attempt
>>
>>     runcon -t hadoop_t -- java --class ...
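The thread's symptom is a Hadoop JVM that ends up in unconfined_java_t because no domain transition happened along the init script / hadoop-daemon.sh / hadoop / su / java chain. As an added check (not code from the thread or from refpolicy), the POSIX sh function below scans `ps -e -o label,pid,user,args` output and reports every Hadoop daemon JVM, recognized by its -Dproc_<name> flag, whose SELinux type is not the expected domain; the ps output is a constructed sample and hadoop_t as the expected domain is assumed from the discussion above.

```shell
#!/bin/sh
# Added example (not from the thread): verify that every Hadoop daemon JVM
# runs in the expected SELinux domain. Input is the output of
#   ps -e -o label,pid,user,args
# The expected domain (hadoop_t, as assumed from the thread) is passed as $1.

# Constructed sample of `ps -e -o label,pid,user,args` output: the datanode
# JVM went through a hadoop_exec_t-labeled entry point and is confined; the
# jobtracker JVM was started as `java --class` and stayed in unconfined_java_t.
SAMPLE_PS='LABEL PID USER COMMAND
system_u:system_r:hadoop_t:s0 2103 hdfs /usr/java/jdk1.6.0_30/bin/java -Dproc_datanode -Xmx1000m org.apache.hadoop.hdfs.server.datanode.DataNode
unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023 2150 mapred /usr/java/jdk1.6.0_30/bin/java -Dproc_jobtracker -Xmx1000m org.apache.hadoop.mapred.JobTracker
system_u:system_r:init_t:s0 1 root /sbin/init'

# check_hadoop_domains EXPECTED_DOMAIN
# Reads ps output on stdin. Prints one line per Hadoop daemon JVM (recognized
# by its -Dproc_<name> flag) whose SELinux type differs from EXPECTED_DOMAIN.
# Returns the number of such processes (0 means every daemon is confined).
check_hadoop_domains() {
    expected="$1"
    bad=0
    while read -r label pid user args; do
        case "$args" in
            *-Dproc_*) ;;      # Hadoop daemon JVM: check it
            *) continue ;;     # anything else (header, unrelated processes): skip
        esac
        # The type (domain) is the third colon-separated field of the context.
        domain=$(printf '%s\n' "$label" | cut -d: -f3)
        proc=$(printf '%s\n' "$args" | sed -n 's/.*-Dproc_\([A-Za-z]*\).*/\1/p')
        if [ "$domain" != "$expected" ]; then
            printf 'pid %s (%s, user %s) runs in %s, expected %s\n' \
                "$pid" "$proc" "$user" "$domain" "$expected"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Live use: ps -e -o label,pid,user,args | check_hadoop_domains hadoop_t
# On the constructed sample this reports the jobtracker and returns 1.
printf '%s\n' "$SAMPLE_PS" | check_hadoop_domains hadoop_t \
    || echo "$? Hadoop daemon(s) not confined in hadoop_t"
```

A clean run (nothing printed, exit status 0) after relabeling a wrapper such as the /usr/bin/hadoop-jobtracker script proposed above confirms that the transition now happens for every daemon.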