[refpolicy] [PATCH] hadoop 1/10 -- unconfined

Paul Nuzzi pjnuzzi at tycho.ncsc.mil
Mon Sep 20 13:02:12 CDT 2010


On 09/20/2010 01:03 PM, Dominick Grift wrote:
> On Mon, Sep 20, 2010 at 10:34:28AM -0400, Paul Nuzzi wrote:
>> I fixed the hadoop patch based on all of the feedback I received.  Added role support for sysadm_r to all of the services and programs.  Steve and I were not able to successfully use init_script_domain.  The interface didn't provide what we needed so I had to patch unconfined.if with a role transition interface.  It was also causing problems with sysadm_r.  I split up the patches since it was huge. 
> 
> Why did the init script domain not work for you?
> 
> I am interested in helping to make this policy upstreamable but i am not sure about how to deal with this init scenario and i would like to hear from others what the best way is to go forward with this.
> 

I wasn't able to transfer into the pseudo initrc domain with init_script_domain.  Using init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) executed the startup script in unconfined_u:system_r:initrc_t instead of :hadoop_datanode_initrc_t.  Using init_daemon_domain (which I know works) and init_script_domain together gives a semodule insert error: conflicting te rule for (init_t, hadoop_datanode_initrc_exec_t:process): old was initrc_t, new is hadoop_datanode_initrc_t.  Maybe this is because it contains domtrans_pattern(init_run_all_scripts_domain, $2, $1) instead of domtrans_pattern(initrc_t, $2, $1) that init_daemon_domain has.

Searching through refpolicy I don't see any references to init_script_domain.  Let's see what everyone else thinks.
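For readers following the thread, here is a minimal policy module showing the two refpolicy interfaces being compared above, with the daemon domain and the private init-script domain declared side by side. This is an added illustration, not part of the hadoop patch under review; the type names hadoop_datanode_t and hadoop_datanode_exec_t are assumed here, only hadoop_datanode_initrc_t and hadoop_datanode_initrc_exec_t appear in the message. The module only shows the transition rules; a real module also needs the file contexts and the permissions the daemon and its script actually use.

```selinux
# hadoop_datanode.te -- added example, not the submitted hadoop policy.
policy_module(hadoop_datanode, 1.0.0)

########################################
#
# Declarations
#

# Daemon domain and its entry point (names assumed for this example).
type hadoop_datanode_t;
type hadoop_datanode_exec_t;
# init_daemon_domain() gives initrc_t a domain transition to hadoop_datanode_t
# when it executes hadoop_datanode_exec_t, i.e. domtrans_pattern(initrc_t, $2, $1).
init_daemon_domain(hadoop_datanode_t, hadoop_datanode_exec_t)

# Private init-script domain and its entry point, as named in the thread.
type hadoop_datanode_initrc_t;
type hadoop_datanode_initrc_exec_t;
# init_script_domain() instead transitions every domain carrying the
# init_run_all_scripts_domain attribute (init_t among them) into
# hadoop_datanode_initrc_t when it executes the script:
# domtrans_pattern(init_run_all_scripts_domain, $2, $1).
init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)

########################################
#
# Local policy
#

# The private script domain, not initrc_t, is what runs the daemon binary,
# so it needs its own transition to the daemon domain.
domtrans_pattern(hadoop_datanode_initrc_t, hadoop_datanode_exec_t, hadoop_datanode_t)
```

After loading the module, the installed transition rule for the script can be checked directly rather than inferred from the process context: `sesearch -T -s init_t -t hadoop_datanode_initrc_exec_t -c process` should list a single type_transition to hadoop_datanode_initrc_t. Seeing initrc_t there, or the semodule conflict quoted above at insert time, means another interface call in the loaded policy (one that passes the same entry-point type) already installs a type_transition for init_t on that file, and only one rule per (source, target, class) is allowed.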