[refpolicy] [PATCH 1/2] hadoop: update to CDH3

Paul Nuzzi pjnuzzi at tycho.ncsc.mil
Thu Dec 16 11:33:07 CST 2010


On 12/15/2010 03:17 PM, Christopher J. PeBenito wrote:
> On 12/13/10 10:39, Paul Nuzzi wrote:
>> On 12/11/2010 04:01 AM, Dominick Grift wrote:
>> On 12/11/2010 12:22 AM, Paul Nuzzi wrote:
>>
>> Does hadoop depend on kerberos? If no then kerberos_use should probably
>> be optional.
>>
>>
>>> The new version of hadoop added Kerberos for authentication.
> 
> So, to be explicit, its an unconditional requirement?

Yes. Kerberos is an unconditional requirement: the CDH3 release authenticates with Kerberos, and I expect all future versions of hadoop to be kerberos-enabled as well.
 
> It seems like there should be a hadoop_home_t that is
> userdom_user_home_content()

Updated.


Signed-off-by: Paul Nuzzi <pjnuzzi at tycho.ncsc.mil>

---
 policy/modules/roles/unprivuser.te |    4 ++++
 policy/modules/services/hadoop.fc  |   14 +++++++++-----
 policy/modules/services/hadoop.if  |   27 ++++++++++++++++++++++++---
 policy/modules/services/hadoop.te  |   24 +++++++++++++++++++++++-
 4 files changed, 60 insertions(+), 9 deletions(-)

diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 606a257..7a48dad 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -70,6 +70,10 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
+        	hadoop_role(user_r, user_t)
+	')
+
+	optional_policy(`
 		irc_role(user_r, user_t)
 	')
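Review bot: The new `hadoop_role(user_r, user_t)` line is indented with eight spaces followed by a tab, while the neighbouring `irc_role(user_r, user_t)` call and the rest of this file use two tabs; refpolicy is tab-indented throughout. Replace the leading whitespace with two tabs so the line matches its siblings and does not trip whitespace checks on the next `git diff --check`. The surrounding `ifndef(\`distro_redhat'` block starts before this hunk.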
 
diff --git a/policy/modules/services/hadoop.fc b/policy/modules/services/hadoop.fc
index 3035be2..00a877d 100644
--- a/policy/modules/services/hadoop.fc
+++ b/policy/modules/services/hadoop.fc
@@ -1,10 +1,10 @@
 /etc/hadoop.*							gen_context(system_u:object_r:hadoop_etc_t,s0)
 
-/etc/init\.d/hadoop-datanode				--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-jobtracker				--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
-/etc/init\.d/hadoop-namenode				--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-secondarynamenode			--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
-/etc/init\.d/hadoop-tasktracker				--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?datanode			--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?jobtracker			--	gen_context(system_u:object_r:hadoop_jobtracker_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?namenode			--	gen_context(system_u:object_r:hadoop_namenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?secondarynamenode		--	gen_context(system_u:object_r:hadoop_secondarynamenode_initrc_exec_t,s0)
+/etc/init\.d/hadoop-(.*-)?tasktracker			--	gen_context(system_u:object_r:hadoop_tasktracker_initrc_exec_t,s0)
 /etc/init\.d/zookeeper					--	gen_context(system_u:object_r:zookeeper_server_initrc_exec_t,s0)
 
 /etc/rc\.d/init\.d/hadoop-(.*-)?datanode		--	gen_context(system_u:object_r:hadoop_datanode_initrc_exec_t,s0)
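Review bot: The `/etc/init\.d/hadoop-*` patterns are widened to `hadoop-(.*-)?datanode` and friends to catch versioned CDH3 script names, but the `/var/lock/subsys/hadoop-datanode` entries visible as context at the end of the next hunk keep the unversioned name. If the CDH3 init scripts create their lock files under their own (versioned) name, as init scripts usually do, those lock files will fall back to the generic `var_lock_t` and the initrc domains' `hadoop_*_lock_t` rules will never apply; widening them the same way, e.g. `/var/lock/subsys/hadoop-(.*-)?datanode -- gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)`, keeps the two sets consistent. Please confirm against the actual lock-file names CDH3 writes before changing them.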
@@ -24,10 +24,14 @@
 
 /var/lib/hadoop.*						gen_context(system_u:object_r:hadoop_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)?			gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)?			gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
+/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)?		gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)?	gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
 /var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
+/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)?	gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
 /var/lib/zookeeper(/.*)?					gen_context(system_u:object_r:zookeeper_server_var_t,s0)
 
 /var/lock/subsys/hadoop-datanode			--	gen_context(system_u:object_r:hadoop_datanode_lock_t,s0)
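Review bot: The new per-user cache paths cover `cache/hdfs/dfs/data` (datanode) and `cache/hdfs/dfs/namesecondary` (secondary namenode) but not the namenode's `cache/hdfs/dfs/name`, so the namenode's data under the `hdfs` cache would stay at the generic `hadoop_var_lib_t` while its siblings get their specific types. If the CDH3 namenode also runs as the `hdfs` user, as the other two entries suggest, add `/var/lib/hadoop.*/cache/hdfs/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)` next to the existing `cache/hadoop/dfs/name` line. Skip this if patch 2/2 already adds it.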
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 9e9bfe7..d07e172 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -52,9 +52,12 @@ template(`hadoop_domain_template',`
 	# Shared hadoop_$1 policy.
 	#
 
-	allow hadoop_$1_t self:process execmem;
+	allow hadoop_$1_t self:capability { chown kill setgid setuid };
+	allow hadoop_$1_t self:key search;
+	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
 	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
 	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
+	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
 	allow hadoop_$1_t self:udp_socket create_socket_perms;
 	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
 
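Review bot: The `allow hadoop_$1_t self:capability { chown kill setgid setuid }` line lands in the shared `hadoop_domain_template`, so every daemon instantiated from it (datanode, namenode, secondarynamenode, jobtracker, tasktracker) gains the ability to change uids/gids, chown files and signal arbitrary processes, not just the one that needs it. If only the tasktracker (which launches user tasks under other accounts) or the init-time user switch needs these, move the rule to the specific domain in hadoop.te, or at minimum leave a comment on the line explaining which component requires each capability, e.g. `# setuid/setgid/chown: task launcher drops to the job owner's uid`. As written the rule also has no `dontaudit`/`optional` qualification, so a later reader cannot tell it apart from a blanket grant.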
@@ -69,8 +72,9 @@ template(`hadoop_domain_template',`
 	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
 	files_search_var_lib(hadoop_$1_t)
 
-	allow hadoop_$1_t hadoop_var_run_t:dir getattr;
-	files_search_pids(hadoop_$1_t)
+	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
+        filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
+        files_search_pids(hadoop_$1_t)
 
 	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
 	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
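Review bot: The two new `filetrans_pattern(...)` and `files_search_pids(...)` lines are indented with eight spaces, while the `manage_files_pattern` line above them and the rest of the template use a single tab; please convert them to tabs. Separately, the daemon domain now creates and manages pid files of type `hadoop_$1_initrc_var_run_t`, the same type the init script's pid file uses, which means daemon and initrc share one pid-file type; if that is deliberate (daemon and script write the same file), a one-line comment such as `# daemon rewrites the pid file the init script created` would make the intent clear to the next reviewer.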
@@ -102,14 +106,29 @@ template(`hadoop_domain_template',`
 
 	files_read_etc_files(hadoop_$1_t)
 
+	init_read_utmp(hadoop_$1_t)
+	init_use_fds(hadoop_$1_t)
+	init_use_script_fds(hadoop_$1_t)
+	init_use_script_ptys(hadoop_$1_t)
+
+	kerberos_use(hadoop_$1_t)
+	kernel_read_kernel_sysctls(hadoop_$1_t)
+	kernel_read_sysctl(hadoop_$1_t)
+
+	logging_send_audit_msgs(hadoop_$1_t)
+	logging_send_syslog_msg(hadoop_$1_t)
+
 	miscfiles_read_localization(hadoop_$1_t)
 
+	su_exec(hadoop_$1_t)
 	sysnet_read_config(hadoop_$1_t)
 
 	hadoop_exec_config(hadoop_$1_t)
 
 	java_exec(hadoop_$1_t)
 
+	auth_domtrans_chkpwd(hadoop_$1_t)
+
 	optional_policy(`
 		nscd_socket_use(hadoop_$1_t)
 	')
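Review bot: `su_exec(hadoop_$1_t)`, `auth_domtrans_chkpwd(hadoop_$1_t)` and `logging_send_audit_msgs(hadoop_$1_t)` are added to the shared template, so every hadoop daemon domain can execute `su` without a domain transition (su then runs with the daemon's own permissions, including the `setuid`/`setgid` capabilities granted earlier in this template), run the password checker, and write audit records. These are privileged interfaces that are normally confined to the one domain that needs them; if only the init-time user switch or the tasktracker's task launcher uses `su`, the rules belong in that domain rather than in the template, and the chkpwd transition in particular deserves a comment stating why a daemon checks passwords. The `kerberos_use` call is fine to leave unconditional given the thread's conclusion that Kerberos is now required, but a short comment like `# CDH3 authenticates with Kerberos unconditionally` next to it would record that decision in the policy itself.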
@@ -156,12 +175,14 @@ template(`hadoop_domain_template',`
 	consoletype_exec(hadoop_$1_initrc_t)
 
 	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
+	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
 
 	term_use_generic_ptys(hadoop_$1_initrc_t)
 
 	hadoop_exec_config(hadoop_$1_initrc_t)
 
 	init_rw_utmp(hadoop_$1_initrc_t)
+	init_use_fds(hadoop_$1_initrc_t)
 	init_use_script_ptys(hadoop_$1_initrc_t)
 
 	logging_send_syslog_msg(hadoop_$1_initrc_t)
diff --git a/policy/modules/services/hadoop.te b/policy/modules/services/hadoop.te
index 35a8131..ddf9ef7 100644
--- a/policy/modules/services/hadoop.te
+++ b/policy/modules/services/hadoop.te
@@ -15,6 +15,11 @@ ubac_constrained(hadoop_t)
 type hadoop_etc_t;
 files_config_file(hadoop_etc_t)
 
+type hadoop_home_t;
+typealias hadoop_home_t alias { user_hadoop_home_t staff_hadoop_home_t sysadm_hadoop_home_t };
+typealias hadoop_home_t alias { auditadm_hadoop_home_t secadm_hadoop_home_t };
+userdom_user_home_content(hadoop_home_t)
+
 type hadoop_log_t;
 logging_log_file(hadoop_log_t)
 
@@ -133,15 +138,27 @@ corenet_tcp_connect_generic_port(hadoop_t)
 dev_read_rand(hadoop_t)
 dev_read_sysfs(hadoop_t)
 dev_read_urand(hadoop_t)
+domain_use_interactive_fds(hadoop_t)
 
 files_dontaudit_search_spool(hadoop_t)
+files_read_etc_files(hadoop_t)
 files_read_usr_files(hadoop_t)
+files_search_var_lib(hadoop_t)
 
 fs_getattr_xattr_fs(hadoop_t)
 
+kerberos_use(hadoop_t)
+
+manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
+userdom_search_user_home_dirs(hadoop_t)
+userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
+
 miscfiles_read_localization(hadoop_t)
 
-userdom_dontaudit_search_user_home_dirs(hadoop_t)
+sysnet_read_config(hadoop_t)
+
 userdom_use_user_terminals(hadoop_t)
 
 java_exec(hadoop_t)
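Review bot: `userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })` has no name restriction, so every file or directory the hadoop client creates directly in a user's home directory is labelled `hadoop_home_t`, not just the client's own configuration directory; output a user fetches into `$HOME` with the client will end up with that label as well. That is workable because `userdom_user_home_content` lets user domains manage it, but it is worth stating in a comment next to the call, e.g. `# anything hadoop_t creates in $HOME becomes hadoop_home_t (no name-based transition available)`, so that the broad transition is recognised as a known limitation rather than an oversight. The hadoop_t rule block continues outside this hunk.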
@@ -215,8 +232,12 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
 corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
 
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
+setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
 filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
 
+filetrans_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_tasktracker_var_lib_t, lnk_file)
+manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, hadoop_tasktracker_var_lib_t)
+
 manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
 
 fs_getattr_xattr_fs(hadoop_tasktracker_t)
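Review bot: `setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)` lets the tasktracker change the attributes (mode, and together with the template's `chown` capability, ownership) of the shared top-level hadoop log directory rather than of its own `hadoop_tasktracker_log_t` tree. If this is only needed because the daemon fixes up the userlogs directory on first start, record that with a comment such as `# tasktracker chmods/chowns the shared log dir on startup`; otherwise consider whether `setattr` on `hadoop_tasktracker_log_t` alone would suffice. The tasktracker block continues past the end of this hunk.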
@@ -275,6 +296,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
 dev_read_rand(zookeeper_t)
 dev_read_sysfs(zookeeper_t)
 dev_read_urand(zookeeper_t)
+domain_use_interactive_fds(zookeeper_t)
 
 files_read_etc_files(zookeeper_t)
 files_read_usr_files(zookeeper_t)

