[refpolicy] [PATCH] hadoop 1/10 -- unconfined
pjnuzzi at tycho.ncsc.mil
Mon Sep 20 13:02:12 CDT 2010
On 09/20/2010 01:03 PM, Dominick Grift wrote:
> On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
>> I fixed the hadoop patch based on all of the feedback I received. Added role support for sysadm_r to all of the services and programs. Steve and I were not able to successfully use init_script_domain. The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface. It was also causing problems with sysadm_r. I split up the patches since it was huge.
> Why did the init script domain not work for you?
> I am interested in helping to make this policy upstreamable but i am not sure about how to deal with this init scenario and i would like to hear from others what the best way is to go forward with this.
I wasn't able to transfer into the pseudo initrc domain with init_script_domain. Using
init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) executed the startup script in unconfined_u:system_r:initrc_t instead of :hadoop_datanode_initrc_t. Using init_daemon_domain (which I know works) and init_script_domain together gives a semodule insert error conflicting te rule for (init_t, hadoop_datanode_initrc_exec_t:process): old was initrc_t, new is hadoop_datanode_initrc_t. Maybe this is because it contains domtrans_pattern(init_run_all_scripts_domain, $2, $1) instead of domtrans_pattern(initrc_t,$2,$1) that init_daemon_domain has.
Searching through refpolicy I don't see any references to init_script_domain. Lets see what everyone else thinks.
More information about the refpolicy