[refpolicy] [PATCH 2/2] hadoop: labeled ipsec

Dominick Grift domg472 at gmail.com
Sat Dec 11 02:56:30 CST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
> Added labeled IPSec support to hadoop.  SELinux will be able to enforce what services are allowed to
> connect to.  Labeled IPSec can enforce the range of services they can receive from.  This enforces
> the architecture of Hadoop without having to modify any of the code.  This adds a level of
> confidentiality, integrity, and authentication provided outside the software stack.
> 
> Signed-off-by: Paul Nuzzi <pjnuzzi at tycho.ncsc.mil>
> 
> ---
> 
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index d07e172..c1ca3a6 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -106,6 +106,8 @@ template(`hadoop_domain_template',`
>  
>  	files_read_etc_files(hadoop_$1_t)
>  
> +	hadoop_lan_polmatch(hadoop_$1_t)
> +
>  	init_read_utmp(hadoop_$1_t)
>  	init_use_fds(hadoop_$1_t)
>  	init_use_script_fds(hadoop_$1_t)
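Review bot: Every domain instantiated through this template also needs `allow hadoop_$1_t self:peer recv;`, but the patch adds that rule by hand in each .te stanza (datanode, jobtracker, namenode, secondarynamenode, tasktracker) instead of next to the `hadoop_lan_polmatch(hadoop_$1_t)` call here. Placing `allow hadoop_$1_t self:peer recv;` in the template leaves the per-domain hunks with only the cross-domain recv calls and ensures a future user of hadoop_domain_template is not silently left unable to receive its own labeled traffic. hadoop_domain_template starts and ends outside the hunk.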
> @@ -350,3 +352,203 @@ interface(`hadoop_exec_config',`
>  	hadoop_read_config($1)
>  	allow $1 hadoop_etc_t:file exec_file_perms;
>  ')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	polmatch on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing polmatch
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`hadoop_lan_polmatch',`
> +	gen_require(`
> +		type hadoop_lan_t;
> +	')
> +
> +	allow $1 hadoop_lan_t:association polmatch;
> +')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	setcontext on hadoop_lan_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing setcontext
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`hadoop_lan_setcontext',`
> +	gen_require(`
> +		type hadoop_lan_t;
> +	')
> +
> +	allow $1 hadoop_lan_t:association setcontext;
> +')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	recv hadoop_datanode_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing recv
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`hadoop_datanode_recv',`
> +	gen_require(`
> +		type hadoop_datanode_t;
> +	')
> +
> +	allow $1 hadoop_datanode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	recv hadoop_namenode_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing recv
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`hadoop_namenode_recv',`
> +	gen_require(`
> +		type hadoop_namenode_t;
> +	')
> +
> +	allow $1 hadoop_namenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	recv hadoop_jobtracker_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing recv
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`hadoop_jobtracker_recv',`
> +	gen_require(`
> +		type hadoop_jobtracker_t;
> +	')
> +
> +	allow $1 hadoop_jobtracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	recv hadoop_tasktracker_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing recv
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`hadoop_tasktracker_recv',`
> +	gen_require(`
> +		type hadoop_tasktracker_t;
> +	')
> +
> +	allow $1 hadoop_tasktracker_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	recv hadoop_secondarynamenode_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing recv
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`hadoop_secondarynamenode_recv',`
> +	gen_require(`
> +		type hadoop_secondarynamenode_t;
> +	')
> +
> +	allow $1 hadoop_secondarynamenode_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	recv hadoop_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing recv
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`hadoop_recv',`
> +	gen_require(`
> +		type hadoop_t;
> +	')
> +
> +	allow $1 hadoop_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	recv zookeeper_server_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing recv
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`zookeeper_server_recv',`
> +	gen_require(`
> +		type zookeeper_server_t;
> +	')
> +
> +	allow $1 zookeeper_server_t:peer recv;
> +')
> +
> +########################################
> +## <summary>
> +##	Give permission to a domain to
> +##	recv zookeeper_t
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain needing recv
> +##	permission
> +##	</summary>
> +## </param>
> +#
> +interface(`zookeeper_recv',`
> +	gen_require(`
> +		type zookeeper_t;
> +	')
> +
> +	allow $1 zookeeper_t:peer recv;
> +')
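Review bot: `zookeeper_server_recv` and `zookeeper_recv` are the only new interfaces without the `hadoop_` module prefix; refpolicy interfaces are conventionally named after the module that declares them (the zookeeper domains live in hadoop.te), so `hadoop_zookeeper_server_recv` and `hadoop_zookeeper_recv` would match the rest of the file, as far as I can tell from the hunk. The summaries are also terser than a reader of the generated docs needs: `peer recv` is the labeled-IPsec check applied to inbound packets, so "Receive labeled IPsec packets from peers labeled hadoop_datanode_t" says more than "recv hadoop_datanode_t", and `hadoop_lan_polmatch` could state that it lets the domain's sockets match SPD entries labeled hadoop_lan_t. The nine near-identical recv interfaces could collapse into one over the `hadoop_domain` attribute, but since the .te hunks deliberately omit some peer pairs (for example the secondary namenode), keeping per-peer granularity appears intended and is worth a sentence in the summaries.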
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index b103f89..e4bbe97 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -15,6 +15,9 @@ ubac_constrained(hadoop_t)
>  type hadoop_etc_t;
>  files_config_file(hadoop_etc_t)
>  
> +type hadoop_lan_t;
> +files_type(hadoop_lan_t)
> +
>  type hadoop_log_t;
>  logging_log_file(hadoop_log_t)
>  
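Review bot: `files_type(hadoop_lan_t)` puts a type that, in this patch, only ever labels IPsec associations and SPD entries into the `file_type` attribute, so every interface granting access to all file types now also covers hadoop_lan_t; nothing in the hunks shows it used as a file label. Unless a file context for it is planned, a bare `type hadoop_lan_t;` with a comment such as `# label for hadoop IPsec SPD entries / associations` is narrower and documents the intent; compare with how ipsec.te declares its own SPD type before settling on the attribute (I cannot verify that from here).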
> @@ -85,6 +88,13 @@ dontaudit hadoop_t self:netlink_route_socket rw_netlink_socket_perms;
>  
>  allow hadoop_t hadoop_domain:process signull;
>  
> +hadoop_lan_polmatch(hadoop_t)
> +allow hadoop_t self:peer recv;
> +hadoop_datanode_recv(hadoop_t)
> +hadoop_jobtracker_recv(hadoop_t)
> +hadoop_namenode_recv(hadoop_t)
> +hadoop_tasktracker_recv(hadoop_t)
> +
>  read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
>  read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
>  can_exec(hadoop_t, hadoop_etc_t)
> @@ -178,6 +188,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_datanode_t)
>  
>  fs_getattr_xattr_fs(hadoop_datanode_t)
>  
> +allow hadoop_datanode_t self:peer recv;
> +hadoop_jobtracker_recv(hadoop_datanode_t)
> +hadoop_namenode_recv(hadoop_datanode_t)
> +hadoop_recv(hadoop_datanode_t)
> +hadoop_tasktracker_recv(hadoop_datanode_t)
> +
>  ########################################
>  #
>  # Hadoop jobtracker policy.
> @@ -192,6 +208,12 @@ corenet_tcp_bind_zope_port(hadoop_jobtracker_t)
>  corenet_tcp_connect_hadoop_datanode_port(hadoop_jobtracker_t)
>  corenet_tcp_connect_hadoop_namenode_port(hadoop_jobtracker_t)
>  
> +allow hadoop_jobtracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_jobtracker_t)
> +hadoop_namenode_recv(hadoop_jobtracker_t)
> +hadoop_recv(hadoop_jobtracker_t)
> +hadoop_tasktracker_recv(hadoop_jobtracker_t)
> +
>  ########################################
>  #
>  # Hadoop namenode policy.
> @@ -203,6 +225,13 @@ manage_files_pattern(hadoop_namenode_t, hadoop_var_lib_t, hadoop_var_lib_t)
>  corenet_tcp_bind_hadoop_namenode_port(hadoop_namenode_t)
>  corenet_tcp_connect_hadoop_namenode_port(hadoop_namenode_t)
>  
> +allow hadoop_namenode_t self:peer recv;
> +hadoop_datanode_recv(hadoop_namenode_t)
> +hadoop_jobtracker_recv(hadoop_namenode_t)
> +hadoop_recv(hadoop_namenode_t)
> +hadoop_secondarynamenode_recv(hadoop_namenode_t)
> +hadoop_tasktracker_recv(hadoop_namenode_t)
> +
>  ########################################
>  #
>  # Hadoop secondary namenode policy.
> @@ -212,6 +241,9 @@ manage_dirs_pattern(hadoop_secondarynamenode_t, hadoop_var_lib_t, hadoop_var_lib
>  
>  corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
>  
> +allow hadoop_secondarynamenode_t self:peer recv;
> +hadoop_namenode_recv(hadoop_secondarynamenode_t)
> +
>  ########################################
>  #
>  # Hadoop tasktracker policy.
> @@ -234,6 +266,12 @@ manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>  
>  fs_getattr_xattr_fs(hadoop_tasktracker_t)
>  
> +allow hadoop_tasktracker_t self:peer recv;
> +hadoop_datanode_recv(hadoop_tasktracker_t)
> +hadoop_jobtracker_recv(hadoop_tasktracker_t)
> +hadoop_recv(hadoop_tasktracker_t)
> +hadoop_namenode_recv(hadoop_tasktracker_t)
> +
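Review bot: The tasktracker recv list is the one stanza whose calls are not in alphabetical order (`hadoop_recv(hadoop_tasktracker_t)` precedes `hadoop_namenode_recv(hadoop_tasktracker_t)`), whereas the datanode, jobtracker and namenode hunks keep theirs sorted; swapping the two lines makes the six lists uniform and easier to diff against each other when a peer is added later.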
>  ########################################
>  #
>  # Hadoop zookeeper client policy.
> @@ -245,6 +283,9 @@ allow zookeeper_t self:tcp_socket create_stream_socket_perms;
>  allow zookeeper_t self:udp_socket create_socket_perms;
>  dontaudit zookeeper_t self:netlink_route_socket rw_netlink_socket_perms;
>  
> +hadoop_lan_polmatch(zookeeper_t)
> +zookeeper_server_recv(zookeeper_t)
> +
>  read_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>  read_lnk_files_pattern(zookeeper_t, zookeeper_etc_t, zookeeper_etc_t)
>  
> @@ -318,6 +359,10 @@ allow zookeeper_server_t self:netlink_route_socket rw_netlink_socket_perms;
>  allow zookeeper_server_t self:tcp_socket create_stream_socket_perms;
>  allow zookeeper_server_t self:udp_socket create_socket_perms;
>  
> +hadoop_lan_polmatch(zookeeper_server_t)
> +allow zookeeper_server_t self:peer recv;
> +zookeeper_recv(zookeeper_server_t)
> +
>  allow zookeeper_server_t hadoop_hsperfdata_t:dir manage_dir_perms;
>  files_tmp_filetrans(zookeeper_server_t, hadoop_hsperfdata_t, dir)
>  
> diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
> index d82ff45..be9e5f1 100644
> --- a/policy/modules/system/ipsec.te
> +++ b/policy/modules/system/ipsec.te
> @@ -410,6 +410,8 @@ domain_ipsec_setcontext_all_domains(setkey_t)
>  
>  files_read_etc_files(setkey_t)
>  
> +hadoop_lan_setcontext(setkey_t)
> +

^ I think this should probably be optional, as I believe there is no need
for the ipsec module to depend on the hadoop module.

optional_policy(`
 hadoop_lan_setcontext(setkey_t)
')

>  init_dontaudit_use_fds(setkey_t)
>  
>  # allow setkey to set the context for ipsec SAs and policy.
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0DPL4ACgkQMlxVo39jgT80aACgkMpaimtdti5UU4/7g77uoc51
l30AoLilMysgmkqTmuXa4J95slNBI+LP
=Z3Xy
-----END PGP SIGNATURE-----

