[refpolicy] [PATCH] hadoop 1/10 -- unconfined
Christopher J. PeBenito
cpebenito at tresys.com
Fri Oct 1 12:56:00 CDT 2010
On 10/01/10 11:17, Paul Nuzzi wrote:
> On 10/01/2010 08:02 AM, Dominick Grift wrote:
>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote:
>>> I updated the patch based on recommendations from the mailing list.
>>> All of hadoop's services are included in one module instead of
>>> individual ones. Unconfined and sysadm roles are given access to
>>> hadoop and zookeeper client domain transitions. The services are started
>>> using run_init. Let me know what you think.
>>
>> Why do some hadoop domains need to manage generic tmp?
>>
>> files_manage_generic_tmp_dirs(zookeeper_t)
>> files_manage_generic_tmp_dirs(hadoop_t)
>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t)
>> files_manage_generic_tmp_files(hadoop_$1_initrc_t)
>> files_manage_generic_tmp_files(hadoop_$1_t)
>> files_manage_generic_tmp_dirs(hadoop_$1_t)
>
> This has to be done for Java JMX to work. All of the files are written to
> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while
> all the files for each service are labeled with hadoop_*_tmp_t. The first service
> will end up owning the directory if it is not labeled tmp_t.
The hsperfdata dir in /tmp is certainly the bane of policy writers. Based
on a quick look through the policy, it looks like the only dir they
create in /tmp is this hsperfdata dir. I suggest you do something like
files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
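A fuller sketch of the approach Chris outlines above, added here as an illustration and not taken from the patch or the thread. The type hadoop_hsperfdata_t is the one he names; the manage_*_pattern rules and the assumption that hadoop_t, hadoop_tmp_t, zookeeper_t and zookeeper_tmp_t are declared elsewhere in the module are mine.

```selinux
# Added illustration (not from the patch): a dedicated type for the
# /tmp/hsperfdata_* directories, created by type transition from tmp_t,
# so no daemon needs files_manage_generic_tmp_dirs() and the first
# service to start does not end up owning the directory under its own
# private tmp type.

########################################
#
# Declarations
#

type hadoop_hsperfdata_t;
files_tmp_file(hadoop_hsperfdata_t)

# Assumed to be declared elsewhere in the module, as in the patch:
# hadoop_t, hadoop_tmp_t, zookeeper_t, zookeeper_tmp_t

########################################
#
# Hadoop local policy
#

# A dir hadoop_t creates directly in /tmp (tmp_t) gets hadoop_hsperfdata_t
# rather than generic tmp_t; files_tmp_filetrans() also grants the write
# access on tmp_t dirs needed to create it.
files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
manage_dirs_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_hsperfdata_t)

# The per-JVM files written inside that directory keep the daemon's own
# tmp type instead of inheriting the shared directory type.
filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
manage_files_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t)

########################################
#
# Zookeeper local policy
#

# Same shape for zookeeper: shared directory type, private file type.
files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
manage_dirs_pattern(zookeeper_t, hadoop_hsperfdata_t, hadoop_hsperfdata_t)
filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
manage_files_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t)
```

With this in place, neither domain holds manage rights on arbitrary tmp_t directories, and a daemon started second still finds the hsperfdata directory in a type it is allowed to write into.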