[refpolicy] [PATCH 1/2] hadoop: update to CDH3

Christopher J. PeBenito cpebenito at tresys.com
Wed Dec 15 14:17:15 CST 2010


On 12/13/10 10:39, Paul Nuzzi wrote:
> On 12/11/2010 04:01 AM, Dominick Grift wrote:
> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>>> Updated the hadoop policy to work with the latest Cloudera version (CDHb3).
>>>> Fixed a bug where policy was preventing exporting files from the
>>>> distributed file system to the user's home directory. 
>>>>
>>>> Signed-off-by: Paul Nuzzi <pjnuzzi at tycho.ncsc.mil>
>>>>
>>>> ---
>>>>
>>>>  policy/modules/roles/unprivuser.te |    4 ++++
>>>>  policy/modules/services/hadoop.fc  |   14 +++++++++-----
>>>>  policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
>>>>  policy/modules/services/hadoop.te  |   14 ++++++++++++++
>>>>  4 files changed, 51 insertions(+), 8 deletions(-)

>>>> diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
>>>> index 9e9bfe7..d1ff90d 100644
>>>> --- a/policy/modules/services/hadoop.if

>>>> @@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
>>>>  	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
>>>>  	files_search_var_lib(hadoop_$1_t)
>>>>  
>>>> -	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
>>>> -	files_search_pids(hadoop_$1_t)
>>>> +	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
>>>> +        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
>>>> +        files_search_pids(hadoop_$1_t)
>>>>  
>>>>  	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
>>>>  	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
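Review bot: the two added lines `filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)` and `files_search_pids(hadoop_$1_t)` are indented with spaces while the rest of the template uses tabs; please make them tabs. Separately, the daemon domain hadoop_$1_t is given full manage rights over hadoop_$1_initrc_var_run_t, a type whose name marks it as the init script's pid file type; if the daemon only writes its own pid file, a hadoop_$1_var_run_t for the daemon (with the initrc type kept for the script) would follow the usual refpolicy split and keep the daemon out of the script's files.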
>>>> @@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
>>>>  
>>>>  	files_read_etc_files(hadoop_$1_t)
>>>>  
>>>> +	init_read_utmp(hadoop_$1_t)
>>>> +	init_use_fds(hadoop_$1_t)
>>>> +	init_use_script_fds(hadoop_$1_t)
>>>> +	init_use_script_ptys(hadoop_$1_t)
>>>> +
>>>> +	kerberos_use(hadoop_$1_t)
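Review bot: `kerberos_use(hadoop_$1_t)` is called unconditionally inside the template, so every hadoop_* domain built from it now requires the kerberos module to be present at build time. Unless Kerberos is a hard dependency of every Hadoop daemon, wrap it in `optional_policy(\`...')` as the other service calls in this file are, so the module still links on systems without the kerberos module.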
> 
> Does hadoop depend on kerberos? If no then kerberos_use should probably
> be optional.
> 
> 
>> The new version of hadoop added Kerberos for authentication.

So, to be explicit, it's an unconditional requirement?

>>>> diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
>>>> index 35a8131..b103f89 100644
>>>> --- a/policy/modules/services/hadoop.te
>>>> +++ b/policy/modules/services/hadoop.te
>>>> @@ -133,15 +133,24 @@ corenet_tcp_connect_generic_port(hadoop_t)
>>>>  dev_read_rand(hadoop_t)
>>>>  dev_read_sysfs(hadoop_t)
>>>>  dev_read_urand(hadoop_t)
>>>> +domain_use_interactive_fds(hadoop_t)
>>>>  
>>>>  files_dontaudit_search_spool(hadoop_t)
>>>> +files_read_etc_files(hadoop_t)
>>>>  files_read_usr_files(hadoop_t)
>>>> +files_search_var_lib(hadoop_t)
>>>>  
>>>>  fs_getattr_xattr_fs(hadoop_t)
>>>>  
>>>> +kerberos_use(hadoop_t)
>>>> +
>>>>  miscfiles_read_localization(hadoop_t)
>>>>  
>>>> +sysnet_read_config(hadoop_t)
>>>> +
>>>>  userdom_dontaudit_search_user_home_dirs(hadoop_t)
>>>> +userdom_list_user_home_content(hadoop_t)
>>>> +userdom_manage_user_home_content_files(hadoop_t)
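Review bot: `userdom_manage_user_home_content_files(hadoop_t)` grants hadoop_t create, write and unlink on every file labeled as user home content, for all users, which is far wider than exporting a DFS file into the invoking user's home directory needs; a dedicated home content type for Hadoop output, declared with userdom_user_home_content(), would confine the write access to files meant for it. Also, the added `userdom_list_user_home_content(hadoop_t)` allows search on user home directories, which makes the retained `userdom_dontaudit_search_user_home_dirs(hadoop_t)` one line above it redundant; drop the dontaudit. `kerberos_use(hadoop_t)` here has the same optional_policy() question as the template change in hadoop.if.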

It seems like there should be a hadoop_home_t that is
userdom_user_home_content()


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com