[refpolicy] [PATCH 1/2] hadoop: update to CDH3

Dominick Grift domg472 at gmail.com
Sat Dec 11 03:01:42 CST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
> Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
> Fixed a bug where policy was preventing exporting files from the
> distributed file system to the user's home directory. 
> 
> Signed-off-by: Paul Nuzzi <pjnuzzi at tycho.ncsc.mil>
> 
> ---
> 
>  policy/modules/roles/unprivuser.te |    4 ++++
>  policy/modules/services/hadoop.fc  |   14 +++++++++-----
>  policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
>  policy/modules/services/hadoop.te  |   14 ++++++++++++++
>  4 files changed, 51 insertions(+), 8 deletions(-)
> 
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 606a257..7a48dad 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> +        	hadoop_role(user_r, user_t)
> +	')
> +
> +	optional_policy(`
>  		irc_role(user_r, user_t)
>  	')
>  
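Review bot: The added `hadoop_role(user_r, user_t)` line is indented with spaces followed by a tab, while the neighbouring optional_policy blocks use tabs only; the same space indentation appears on the `filetrans_pattern` and `files_search_pids` lines of the pid-file hunk in hadoop.if. Replacing it with a tab-only `		hadoop_role(user_r, user_t)` keeps the file consistent. The hunk header's context (`ifndef(`distro_redhat',`) suggests this block sits inside the non-Red Hat branch, which would mean the role is never granted on Red Hat builds even though hadoop.fc labels /etc/rc.d/init.d scripts; worth confirming that placement is intended rather than accidental.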
> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
> index 3035be2..00a877d 100644
> --- a/policy/modules/services/hadoop.fc
> +++ b/policy/modules/services/hadoop.fc
> @@ -1,10 +1,10 @@
>  /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
>  
> -/etc/init\.d/hadoop-datanode				--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-jobtracker				--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-namenode				--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-secondarynamenode			--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> -/etc/init\.d/hadoop-tasktracker				--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
> +/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>  /etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>  
>  /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
> @@ -24,10 +24,14 @@
>  
>  /var/lib/hadoop.*						gen_context(system_u:object_r:hadoop_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?			gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>  /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>  /var/lib/zookeeper(/.*)?					gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>  
>  /var/lock/subsys/hadoop-datanode			--	gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
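Review bot: The new hdfs-user cache paths cover dfs/data and dfs/namesecondary but there is no matching dfs/name entry, so if CDH3 puts the namenode's name directory under the hdfs cache the same way, it would keep the generic hadoop_var_lib_t label instead of hadoop_namenode_var_lib_t. Adding `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)?	gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)` next to the existing cache/hadoop/dfs/name line would keep the two layouts symmetric. Whether CDH3 actually uses that path is inferred from the pattern of the other additions, so please check it against an installed system before adding it.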
> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
> index 9e9bfe7..d1ff90d 100644
> --- a/policy/modules/services/hadoop.if
> +++ b/policy/modules/services/hadoop.if
> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
>  	# Shared hadoop_$1 policy.
>  	#
>  
> -	allow hadoop_$1_t self:process execmem;
> +	allow hadoop_$1_t self:capability { chown kill setgid setuid };
> +	allow hadoop_$1_t self:key search;
> +	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
>  	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
>  	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
> +	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
>  	allow hadoop_$1_t self:udp_socket create_socket_perms;
>  	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>  
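Review bot: `allow hadoop_$1_t self:capability { chown kill setgid setuid };` is added inside the shared template, so every domain instantiated from hadoop_domain_template (datanode, namenode, secondarynamenode, jobtracker, tasktracker) receives setuid, setgid and chown. Presumably only the daemon that launches user tasks needs to change identity; if so, consider moving the capability rule to that domain's section in hadoop.te, or add a comment in the template naming which daemons were observed needing it so the grant is not silently inherited by future instantiations. The same question applies to `self:process { ... sigkill signal }` if only one daemon signals child processes. The template continues outside this hunk.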
> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>  	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>  	files_search_var_lib(hadoop_$1_t)
>  
> -	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
> -	files_search_pids(hadoop_$1_t)
> +	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
> +        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
> +        files_search_pids(hadoop_$1_t)
>  
>  	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>  	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
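Review bot: `manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)` together with the new `filetrans_pattern` lets the daemon create, rewrite and unlink the pid-file type owned by its init script, and the removed `allow hadoop_$1_t hadoop_var_run_t:dir getattr;` is replaced by the broader directory access the filetrans implies. If the daemon only reads its own pid file, `read_files_pattern` would be the narrower grant; if it genuinely writes it, a short comment such as `# daemon rewrites the pid file created by its init script` would explain why the two domains share the type. The template continues outside this hunk.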
> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>  
>  	files_read_etc_files(hadoop_$1_t)
>  
> +	init_read_utmp(hadoop_$1_t)
> +	init_use_fds(hadoop_$1_t)
> +	init_use_script_fds(hadoop_$1_t)
> +	init_use_script_ptys(hadoop_$1_t)
> +
> +	kerberos_use(hadoop_$1_t)

Does hadoop depend on kerberos? If not, then kerberos_use should probably
be optional.

> +	kernel_read_kernel_sysctls(hadoop_$1_t)
> +	kernel_read_sysctl(hadoop_$1_t)
> +
> +	logging_send_audit_msgs(hadoop_$1_t)
> +	logging_send_syslog_msg(hadoop_$1_t)
> +
>  	miscfiles_read_localization(hadoop_$1_t)
>  
> +	su_exec(hadoop_$1_t)

Does hadoop depend on su? If not then su_exec should probably be optional.

(btw would sudo work?)

>  	sysnet_read_config(hadoop_$1_t)
>  
>  	hadoop_exec_config(hadoop_$1_t)
>  
>  	java_exec(hadoop_$1_t)
>  
> +	auth_domtrans_chkpwd(hadoop_$1_t)
> +
>  	optional_policy(`
>  		nscd_socket_use(hadoop_$1_t)
>  	')
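Review bot: `auth_domtrans_chkpwd(hadoop_$1_t)` is placed after `java_exec` at the end of the block, whereas the template otherwise groups calls by module (files_, init_, kerberos_, kernel_, logging_, miscfiles_, sysnet_) before its own hadoop_exec_config and java_exec; it belongs with the system-layer group, near `init_read_utmp`. Together with the new `logging_send_audit_msgs(hadoop_$1_t)`, it implies that every template-instantiated daemon runs a password check and writes audit records; if only one daemon does this, scoping both calls to that domain in hadoop.te, or commenting which daemon needs them, would keep the others tighter. The template continues outside this hunk.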
> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
>  	consoletype_exec(hadoop_$1_initrc_t)
>  
>  	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
> +	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
>  
>  	term_use_generic_ptys(hadoop_$1_initrc_t)
>  
>  	hadoop_exec_config(hadoop_$1_initrc_t)
>  
>  	init_rw_utmp(hadoop_$1_initrc_t)
> +	init_use_fds(hadoop_$1_initrc_t)
>  	init_use_script_ptys(hadoop_$1_initrc_t)
>  
>  	logging_send_syslog_msg(hadoop_$1_initrc_t)
> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
> index 35a8131..b103f89 100644
> --- a/policy/modules/services/hadoop.te
> +++ b/policy/modules/services/hadoop.te
> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
>  dev_read_rand(hadoop_t)
>  dev_read_sysfs(hadoop_t)
>  dev_read_urand(hadoop_t)
> +domain_use_interactive_fds(hadoop_t)
>  
>  files_dontaudit_search_spool(hadoop_t)
> +files_read_etc_files(hadoop_t)
>  files_read_usr_files(hadoop_t)
> +files_search_var_lib(hadoop_t)
>  
>  fs_getattr_xattr_fs(hadoop_t)
>  
> +kerberos_use(hadoop_t)
> +
>  miscfiles_read_localization(hadoop_t)
>  
> +sysnet_read_config(hadoop_t)
> +
>  userdom_dontaudit_search_user_home_dirs(hadoop_t)
> +userdom_list_user_home_content(hadoop_t)
> +userdom_manage_user_home_content_files(hadoop_t)
>  userdom_use_user_terminals(hadoop_t)
>  
>  java_exec(hadoop_t)
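Review bot: `userdom_dontaudit_search_user_home_dirs(hadoop_t)` on the line above the new `userdom_list_user_home_content(hadoop_t)` becomes dead code: list_dir_perms includes search, so the dontaudit no longer suppresses anything and keeping it suggests a denial that can no longer occur. `userdom_manage_user_home_content_files(hadoop_t)` grants create, write and unlink over every user's home content files, not only the invoking user's; if the export-to-home case from the commit message is the only need, a comment such as `# needed to export files from HDFS into the user's home directory` on that line would record why the broad grant was chosen. The hadoop_t rule block continues outside the hunk.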
> @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
>  corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>  
>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
>  filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>  
> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
> +
>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>  
>  fs_getattr_xattr_fs(hadoop_tasktracker_t)
> @@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
>  dev_read_rand(zookeeper_t)
>  dev_read_sysfs(zookeeper_t)
>  dev_read_urand(zookeeper_t)
> +domain_use_interactive_fds(zookeeper_t)
>  
>  files_read_etc_files(zookeeper_t)
>  files_read_usr_files(zookeeper_t)
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk0DPfYACgkQMlxVo39jgT/FRQCaAnmATWIf2/KsG5GZylufw5La
8KQAn3/XDpXh/FN61oWR3WAmTW7wzIsH
=qPch
-----END PGP SIGNATURE-----

