Rearrange some lines in hadoop.
parent
a45657403b
commit
60ca2bd83b
|
@ -24,13 +24,13 @@
|
|||
|
||||
/var/lib/hadoop.* gen_context(system_u:object_r:hadoop_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/hadoop/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/hadoop/dfs/name(/.*)? gen_context(system_u:object_r:hadoop_namenode_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/hadoop/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/hadoop/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/hadoop/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/hdfs/dfs/data(/.*)? gen_context(system_u:object_r:hadoop_datanode_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/hdfs/dfs/namesecondary(/.*)? gen_context(system_u:object_r:hadoop_secondarynamenode_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/mapred/mapred/local/jobTracker(/.*)? gen_context(system_u:object_r:hadoop_jobtracker_var_lib_t,s0)
|
||||
/var/lib/hadoop.*/cache/mapred/mapred/local/taskTracker(/.*)? gen_context(system_u:object_r:hadoop_tasktracker_var_lib_t,s0)
|
||||
/var/lib/zookeeper(/.*)? gen_context(system_u:object_r:zookeeper_server_var_t,s0)
|
||||
|
||||
|
|
|
@ -53,11 +53,11 @@ template(`hadoop_domain_template',`
|
|||
#
|
||||
|
||||
allow hadoop_$1_t self:capability { chown kill setgid setuid };
|
||||
allow hadoop_$1_t self:key search;
|
||||
allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
|
||||
allow hadoop_$1_t self:key search;
|
||||
allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
|
||||
allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
|
||||
allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
|
||||
allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
|
||||
allow hadoop_$1_t self:udp_socket create_socket_perms;
|
||||
dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
|
||||
|
||||
|
@ -81,6 +81,8 @@ template(`hadoop_domain_template',`
|
|||
filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
|
||||
files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir)
|
||||
|
||||
kernel_read_kernel_sysctls(hadoop_$1_t)
|
||||
kernel_read_sysctl(hadoop_$1_t)
|
||||
kernel_read_network_state(hadoop_$1_t)
|
||||
kernel_read_system_state(hadoop_$1_t)
|
||||
|
||||
|
@ -106,28 +108,27 @@ template(`hadoop_domain_template',`
|
|||
|
||||
files_read_etc_files(hadoop_$1_t)
|
||||
|
||||
auth_domtrans_chkpwd(hadoop_$1_t)
|
||||
|
||||
init_read_utmp(hadoop_$1_t)
|
||||
init_use_fds(hadoop_$1_t)
|
||||
init_use_script_fds(hadoop_$1_t)
|
||||
init_use_script_ptys(hadoop_$1_t)
|
||||
|
||||
kerberos_use(hadoop_$1_t)
|
||||
kernel_read_kernel_sysctls(hadoop_$1_t)
|
||||
kernel_read_sysctl(hadoop_$1_t)
|
||||
|
||||
logging_send_audit_msgs(hadoop_$1_t)
|
||||
logging_send_syslog_msg(hadoop_$1_t)
|
||||
|
||||
miscfiles_read_localization(hadoop_$1_t)
|
||||
|
||||
su_exec(hadoop_$1_t)
|
||||
sysnet_read_config(hadoop_$1_t)
|
||||
|
||||
hadoop_exec_config(hadoop_$1_t)
|
||||
|
||||
java_exec(hadoop_$1_t)
|
||||
|
||||
auth_domtrans_chkpwd(hadoop_$1_t)
|
||||
kerberos_use(hadoop_$1_t)
|
||||
|
||||
su_exec(hadoop_$1_t)
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(hadoop_$1_t)
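Review bot: The regrouped `auth_domtrans_chkpwd(hadoop_$1_t)`, `kerberos_use(hadoop_$1_t)` and `su_exec(hadoop_$1_t)` calls near the end of this hunk carry no comment saying why every domain built from `hadoop_domain_template` needs them. Together with `self:capability { chown kill setgid setuid }` and `execmem` in the earlier hunk of the same template, they are the most privilege-relevant grants on the page, and they apply to each daemon type the template is instantiated for. I would add a one-line comment above the group, for example `# su and chkpwd: presumably used to switch to the service account at startup, TODO confirm and narrow`, so a later audit can tell whether they belong in the daemon domain at all. Keep the comment free of backticks and apostrophes, since it sits inside the m4-quoted template body, which starts and ends outside this hunk.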
|
||||
|
|
|
@ -16,8 +16,6 @@ type hadoop_etc_t;
|
|||
files_config_file(hadoop_etc_t)
|
||||
|
||||
type hadoop_home_t;
|
||||
typealias hadoop_home_t alias { user_hadoop_home_t staff_hadoop_home_t sysadm_hadoop_home_t };
|
||||
typealias hadoop_home_t alias { auditadm_hadoop_home_t secadm_hadoop_home_t };
|
||||
userdom_user_home_content(hadoop_home_t)
|
||||
|
||||
type hadoop_log_t;
|
||||
|
@ -94,6 +92,11 @@ read_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
|
|||
read_lnk_files_pattern(hadoop_t, hadoop_etc_t, hadoop_etc_t)
|
||||
can_exec(hadoop_t, hadoop_etc_t)
|
||||
|
||||
manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
|
||||
manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
|
||||
manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
|
||||
userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
|
||||
|
||||
allow hadoop_t hadoop_hsperfdata_t:dir manage_dir_perms;
|
||||
files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
|
||||
|
||||
|
@ -105,6 +108,7 @@ filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, { dir file })
|
|||
|
||||
manage_dirs_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
|
||||
manage_files_pattern(hadoop_t, hadoop_var_lib_t, hadoop_var_lib_t)
|
||||
files_search_var_lib(hadoop_t)
|
||||
|
||||
getattr_dirs_pattern(hadoop_t, hadoop_var_run_t, hadoop_var_run_t)
|
||||
|
||||
|
@ -138,23 +142,15 @@ corenet_tcp_connect_generic_port(hadoop_t)
|
|||
dev_read_rand(hadoop_t)
|
||||
dev_read_sysfs(hadoop_t)
|
||||
dev_read_urand(hadoop_t)
|
||||
|
||||
domain_use_interactive_fds(hadoop_t)
|
||||
|
||||
files_dontaudit_search_spool(hadoop_t)
|
||||
files_read_etc_files(hadoop_t)
|
||||
files_read_usr_files(hadoop_t)
|
||||
files_search_var_lib(hadoop_t)
|
||||
|
||||
fs_getattr_xattr_fs(hadoop_t)
|
||||
|
||||
kerberos_use(hadoop_t)
|
||||
|
||||
manage_dirs_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
|
||||
manage_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
|
||||
manage_lnk_files_pattern(hadoop_t, hadoop_home_t, hadoop_home_t)
|
||||
userdom_search_user_home_dirs(hadoop_t)
|
||||
userdom_user_home_content_filetrans(hadoop_t, hadoop_home_t, { file dir })
|
||||
|
||||
miscfiles_read_localization(hadoop_t)
|
||||
|
||||
sysnet_read_config(hadoop_t)
|
||||
|
@ -163,6 +159,8 @@ userdom_use_user_terminals(hadoop_t)
|
|||
|
||||
java_exec(hadoop_t)
|
||||
|
||||
kerberos_use(hadoop_t)
|
||||
|
||||
optional_policy(`
|
||||
nis_use_ypbind(hadoop_t)
|
||||
')
|
||||
|
@ -227,10 +225,6 @@ corenet_tcp_connect_hadoop_namenode_port(hadoop_secondarynamenode_t)
|
|||
|
||||
allow hadoop_tasktracker_t self:process signal;
|
||||
|
||||
corenet_tcp_connect_hadoop_datanode_port(hadoop_tasktracker_t)
|
||||
corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
|
||||
corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
|
||||
|
||||
manage_dirs_pattern(hadoop_tasktracker_t, hadoop_tasktracker_log_t, hadoop_tasktracker_log_t);
|
||||
setattr_dirs_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_log_t)
|
||||
filetrans_pattern(hadoop_tasktracker_t, hadoop_log_t, hadoop_tasktracker_log_t, dir)
|
||||
|
@ -240,6 +234,10 @@ manage_lnk_files_pattern(hadoop_tasktracker_t, hadoop_tasktracker_var_lib_t, had
|
|||
|
||||
manage_dirs_pattern(hadoop_tasktracker_t, hadoop_var_lib_t, hadoop_var_lib_t)
|
||||
|
||||
corenet_tcp_connect_hadoop_datanode_port(hadoop_tasktracker_t)
|
||||
corenet_tcp_connect_hadoop_namenode_port(hadoop_tasktracker_t)
|
||||
corenet_tcp_connect_zope_port(hadoop_tasktracker_t)
|
||||
|
||||
fs_getattr_xattr_fs(hadoop_tasktracker_t)
|
||||
|
||||
########################################
|
||||
|
@ -296,6 +294,7 @@ corenet_tcp_connect_generic_port(zookeeper_t)
|
|||
dev_read_rand(zookeeper_t)
|
||||
dev_read_sysfs(zookeeper_t)
|
||||
dev_read_urand(zookeeper_t)
|
||||
|
||||
domain_use_interactive_fds(zookeeper_t)
|
||||
|
||||
files_read_etc_files(zookeeper_t)
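Review bot: The first hunk of this file (`@ -16,8 +16,6 @`) drops two of its eight listed lines, and the likeliest candidates are the two `typealias hadoop_home_t alias { ... }` declarations, which no other hunk shown here adds back. The page has lost its +/- markers, so this is inferred from the line counts and should be checked against the raw diff. If the aliases are removed, that is a policy change rather than a rearrangement: anything still referring to `user_hadoop_home_t`, `staff_hadoop_home_t` and the other alias names would no longer resolve. I would either keep the typealias lines, or split their removal into its own commit whose message says the old names are retired.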
|
||||
|
|