[refpolicy] [PATCH 1/2] hadoop: update to CDH3

Paul Nuzzi pjnuzzi at tycho.ncsc.mil
Mon Dec 13 09:39:11 CST 2010


On 12/11/2010 04:01 AM, Dominick Grift wrote:
> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>> Updated the hadoop policy to work with the latest Cloudera version (CDH3).
>> Fixed a bug where the policy prevented files exported from the
>> distributed file system from being written to the user's home directory.
>>
>> Signed-off-by: Paul Nuzzi <pjnuzzi at tycho.ncsc.mil>
>>
>> ---
>>
>>  policy/modules/roles/unprivuser.te |    4 ++++
>>  policy/modules/services/hadoop.fc  |   14 +++++++++-----
>>  policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
>>  policy/modules/services/hadoop.te  |   14 ++++++++++++++
>>  4 files changed, 51 insertions(+), 8 deletions(-)
>>
>> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
>> index 606a257..7a48dad 100644
>> --- a/policy/modules/roles/unprivuser.te
>> +++ b/policy/modules/roles/unprivuser.te
>> @@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
>>  	')
>>  
>>  	optional_policy(`
>> +        	hadoop_role(user_r, user_t)
>> +	')
>> +
>> +	optional_policy(`
>>  		irc_role(user_r, user_t)
>>  	')
>>  
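Review bot: The added `hadoop_role(user_r, user_t)` line is indented with spaces followed by a tab, while the surrounding `optional_policy` blocks use tabs only; refpolicy is tab-indented, so it should be indented with two tabs exactly like the `irc_role(user_r, user_t)` line below it. This grant also sits inside the `ifndef(`distro_redhat',` block whose start is outside the hunk, so on non-Red Hat builds every unprivileged user presumably gains the hadoop client role unconditionally; if that is intended, a one-line comment above the block saying so would help, e.g. `# all unprivileged users may run the hadoop client`.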
>> diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
>> index 3035be2..00a877d 100644
>> --- a/policy/modules/services/hadoop.fc
>> +++ b/policy/modules/services/hadoop.fc
>> @@ -1,10 +1,10 @@
>>  /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
>>  
>> -/etc/init\.d/hadoop-datanode				--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-jobtracker				--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-namenode				--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-secondarynamenode			--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
>> -/etc/init\.d/hadoop-tasktracker				--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
>> +/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
>>  /etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
>>  
>>  /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
>> @@ -24,10 +24,14 @@
>>  
>>  /var/lib/hadoop.*						gen_context(system_u:object_r:hadoop_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?			gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
>>  /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>> +/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
>>  /var/lib/zookeeper(/.*)?					gen_context(system_u:object_r:zookeeper_server_var_t,s0)
>>  
>>  /var/lock/subsys/hadoop-datanode			--	gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
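Review bot: The new hdfs-user paths are added for the datanode (`cache/hdfs/dfs/data`) and the secondary namenode (`cache/hdfs/dfs/namesecondary`) but not for the namenode, so `/var/lib/hadoop.*/cache/hdfs/dfs/name` would fall through to the generic `hadoop_var_lib_t` entry at the top of this hunk and the namenode's metadata would lose its dedicated `hadoop_namenode_var_lib_t` label. If CDH3 runs the namenode as the hdfs user like the other two HDFS daemons (which the new entries suggest but the hunk does not show), add `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)?		gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)` next to the existing hadoop-user `dfs/name` line. The same question applies to the jobtracker/tasktracker entries, which got a `mapred` path here but keep the old `hadoop` one, so a short comment recording which service user each path belongs to would make the pairing easier to maintain.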
>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>> index 9e9bfe7..d1ff90d 100644
>> --- a/policy/modules/services/hadoop.if
>> +++ b/policy/modules/services/hadoop.if
>> @@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
>>  	# Shared hadoop_$1 policy.
>>  	#
>>  
>> -	allow hadoop_$1_t self:process execmem;
>> +	allow hadoop_$1_t self:capability { chown kill setgid setuid };
>> +	allow hadoop_$1_t self:key search;
>> +	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
>>  	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
>>  	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
>> +	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
>>  	allow hadoop_$1_t self:udp_socket create_socket_perms;
>>  	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
>>  
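Review bot: `allow hadoop_$1_t self:capability { chown kill setgid setuid };` is placed in the shared template, so every domain instantiated from `hadoop_domain_template` (the template opens before this hunk and continues after it) receives the identity-changing capabilities, not only the daemons that actually start as root and drop privileges. If only some of the five daemons need them, the grant belongs in the per-daemon sections of hadoop.te; if all do, a comment above the line recording why would keep a later reviewer from pruning it, e.g. `# CDH3 daemons start as root and su(1) to the service user; needed for the uid/gid drop`. `kill` in particular is coarse: it only bypasses the DAC owner check on signals, and the new `self:process { sigkill signal }` grant already covers signalling the daemon's own processes, so confirm a daemon really needs to signal processes it does not own before granting the capability template-wide.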
>> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>>  	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>>  	files_search_var_lib(hadoop_$1_t)
>>  
>> -	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
>> -	files_search_pids(hadoop_$1_t)
>> +	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
>> +        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
>> +        files_search_pids(hadoop_$1_t)
>>  
>>  	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>>  	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
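Review bot: The two added lines `filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)` and `files_search_pids(hadoop_$1_t)` are indented with eight spaces while the `manage_files_pattern` line above them and the rest of the template use tabs; refpolicy is tab-indented, so both should use a single tab. On substance, the daemon domain now creates and fully manages a pid file whose type is named after the init-script domain (`hadoop_$1_initrc_var_run_t`); if the daemon rather than the script writes the file, the usual refpolicy layout would be a daemon-owned `hadoop_$1_var_run_t` with read/delete access for `hadoop_$1_initrc_t`, but the hunk does not show which domain writes it, so this is worth confirming rather than assuming. The template continues past the end of this hunk.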
>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>>  
>>  	files_read_etc_files(hadoop_$1_t)
>>  
>> +	init_read_utmp(hadoop_$1_t)
>> +	init_use_fds(hadoop_$1_t)
>> +	init_use_script_fds(hadoop_$1_t)
>> +	init_use_script_ptys(hadoop_$1_t)
>> +
>> +	kerberos_use(hadoop_$1_t)
> 
> Does hadoop depend on kerberos? If no then kerberos_use should probably
> be optional.
> 

The new version of hadoop added Kerberos for authentication.

>> +	kernel_read_kernel_sysctls(hadoop_$1_t)
>> +	kernel_read_sysctl(hadoop_$1_t)
>> +
>> +	logging_send_audit_msgs(hadoop_$1_t)
>> +	logging_send_syslog_msg(hadoop_$1_t)
>> +
>>  	miscfiles_read_localization(hadoop_$1_t)
>>  
>> +	su_exec(hadoop_$1_t)
> 
> Does hadoop depend on su? If not then su_exec should probably be optional.
> 
> (btw would sudo work?)
> 

The hadoop developers have been adding more security to the software stack.  From what
I can tell, the services start out as root and then execute su to drop privileges. 


>>  	sysnet_read_config(hadoop_$1_t)
>>  
>>  	hadoop_exec_config(hadoop_$1_t)
>>  
>>  	java_exec(hadoop_$1_t)
>>  
>> +	auth_domtrans_chkpwd(hadoop_$1_t)
>> +
>>  	optional_policy(`
>>  		nscd_socket_use(hadoop_$1_t)
>>  	')
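Review bot: Because `su_exec(hadoop_$1_t)` runs su without a domain transition, everything su needs accumulates in the long-running daemon domain: `auth_domtrans_chkpwd`, `logging_send_audit_msgs`, `init_read_utmp` and `kerberos_use` are all granted to `hadoop_$1_t` here, on top of the `setuid`/`setgid` capabilities from the earlier hunk, rather than to a short-lived privileged stage. If the privilege drop happens once at startup (the reply above says the services start as root and then su), these grants fit better in `hadoop_$1_initrc_t`, with the daemon domain entered after the drop; the template starts before this hunk and continues after it, so the initrc section is not fully visible here. `auth_domtrans_chkpwd` deserves its own comment in any case, since a root process running su typically does not verify a password; something like `# su(1) PAM stack still runs unix_chkpwd when invoked as root; confirm still needed` records the reason. As a style point, `auth_domtrans_chkpwd(hadoop_$1_t)` is inserted after `java_exec`, whereas the rest of this block keeps the refpolicy convention of grouping system-layer interfaces alphabetically before the service-layer calls.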
>> @@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
>>  	consoletype_exec(hadoop_$1_initrc_t)
>>  
>>  	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
>> +	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
>>  
>>  	term_use_generic_ptys(hadoop_$1_initrc_t)
>>  
>>  	hadoop_exec_config(hadoop_$1_initrc_t)
>>  
>>  	init_rw_utmp(hadoop_$1_initrc_t)
>> +	init_use_fds(hadoop_$1_initrc_t)
>>  	init_use_script_ptys(hadoop_$1_initrc_t)
>>  
>>  	logging_send_syslog_msg(hadoop_$1_initrc_t)
>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
>> index 35a8131..b103f89 100644
>> --- a/policy/modules/services/hadoop.te
>> +++ b/policy/modules/services/hadoop.te
>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
>>  dev_read_rand(hadoop_t)
>>  dev_read_sysfs(hadoop_t)
>>  dev_read_urand(hadoop_t)
>> +domain_use_interactive_fds(hadoop_t)
>>  
>>  files_dontaudit_search_spool(hadoop_t)
>> +files_read_etc_files(hadoop_t)
>>  files_read_usr_files(hadoop_t)
>> +files_search_var_lib(hadoop_t)
>>  
>>  fs_getattr_xattr_fs(hadoop_t)
>>  
>> +kerberos_use(hadoop_t)
>> +
>>  miscfiles_read_localization(hadoop_t)
>>  
>> +sysnet_read_config(hadoop_t)
>> +
>>  userdom_dontaudit_search_user_home_dirs(hadoop_t)
>> +userdom_list_user_home_content(hadoop_t)
>> +userdom_manage_user_home_content_files(hadoop_t)
>>  userdom_use_user_terminals(hadoop_t)
>>  
>>  java_exec(hadoop_t)
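Review bot: `userdom_list_user_home_content(hadoop_t)` allows hadoop_t to search and list user home directories, which turns the retained `userdom_dontaudit_search_user_home_dirs(hadoop_t)` directly above it into a no-op that now contradicts the allow; drop the dontaudit line. `userdom_manage_user_home_content_files(hadoop_t)` is a broad grant: it is type-based, so SELinux alone does not limit it to the invoking user's home, and it covers every generic user-home file rather than only files hadoop exports. That is probably acceptable if hadoop_t is only ever entered from a user's own shell via `hadoop_role`, but the hunk does not show that, so a comment stating the assumption would help, e.g. `# hadoop client writes DFS exports into the caller's home directory (entered via hadoop_role)`.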
>> @@ -215,8 +224,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
>>  corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
>>  
>>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
>> +setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
>>  filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
>>  
>> +filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
>> +manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
>> +
>>  manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
>>  
>>  fs_getattr_xattr_fs(hadoop_tasktracker_t)
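Review bot: `setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)` lets the task tracker change attributes (mode, owner, timestamps) on the shared `hadoop_log_t` directory used by all hadoop daemons, while the line above limits its full directory management to its own `hadoop_tasktracker_log_t`. If the attribute change only targets its own log directory after the `dir` filetrans, it is already covered by `manage_dirs_pattern` on `hadoop_tasktracker_log_t` and the new line can go; if the tasktracker really does chmod the parent, a comment above the line saying so would stop it being pruned later, e.g. `# tasktracker chmods the parent log dir at startup`. The `lnk_file` filetrans and `manage_lnk_files_pattern` additions would likewise benefit from a one-line note on what the symlinks are for, since a daemon creating symlinks under a directory other domains traverse is the kind of grant a reviewer will want justified. The tasktracker section continues outside the hunk.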
>> @@ -275,6 +288,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
>>  dev_read_rand(zookeeper_t)
>>  dev_read_sysfs(zookeeper_t)
>>  dev_read_urand(zookeeper_t)
>> +domain_use_interactive_fds(zookeeper_t)
>>  
>>  files_read_etc_files(zookeeper_t)
>>  files_read_usr_files(zookeeper_t)
>>


