selinux-refpolicy/policy/modules/services/hadoop.if

## <summary>Software for reliable, scalable, distributed computing.</summary>

#######################################
## <summary>
##	The template to define a hadoop domain.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Domain prefix to be used.
##	</summary>
## </param>
#
template(`hadoop_domain_template',`
	gen_require(`
		attribute hadoop_domain;
		type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
		type hadoop_exec_t, hadoop_hsperfdata_t;
	')

	########################################
	#
	# Shared declarations.
	#

	type hadoop_$1_t, hadoop_domain;
	domain_type(hadoop_$1_t)
	domain_entry_file(hadoop_$1_t, hadoop_exec_t)
	role system_r types hadoop_$1_t;

	type hadoop_$1_initrc_t;
	type hadoop_$1_initrc_exec_t;
	init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
	role system_r types hadoop_$1_initrc_t;

	type hadoop_$1_initrc_var_run_t;
	files_pid_file(hadoop_$1_initrc_var_run_t)

	type hadoop_$1_lock_t;
	files_lock_file(hadoop_$1_lock_t)

	type hadoop_$1_log_t;
	logging_log_file(hadoop_$1_log_t)

	type hadoop_$1_tmp_t;
	files_tmp_file(hadoop_$1_tmp_t)

	type hadoop_$1_var_lib_t;
	files_type(hadoop_$1_var_lib_t)

	####################################
	#
	# Shared hadoop_$1 policy.
	#

	allow hadoop_$1_t self:capability { chown kill setgid setuid };
	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
	allow hadoop_$1_t self:key search;
	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
	allow hadoop_$1_t self:udp_socket create_socket_perms;
	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;

	allow hadoop_$1_t hadoop_domain:process signull;

	manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
	logging_search_logs(hadoop_$1_t)

	manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
	files_search_var_lib(hadoop_$1_t)

	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
	files_search_pids(hadoop_$1_t)

	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
	filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
	files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir)

	kernel_read_kernel_sysctls(hadoop_$1_t)
	kernel_read_sysctl(hadoop_$1_t)
	kernel_read_network_state(hadoop_$1_t)
	kernel_read_system_state(hadoop_$1_t)

	corecmd_exec_bin(hadoop_$1_t)
	corecmd_exec_shell(hadoop_$1_t)

	corenet_all_recvfrom_unlabeled(hadoop_$1_t)
	corenet_all_recvfrom_netlabel(hadoop_$1_t)
	corenet_tcp_bind_all_nodes(hadoop_$1_t)
	corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
	corenet_udp_sendrecv_generic_if(hadoop_$1_t)
	corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
	corenet_udp_sendrecv_generic_node(hadoop_$1_t)
	corenet_tcp_sendrecv_all_ports(hadoop_$1_t)
	corenet_udp_bind_generic_node(hadoop_$1_t)
	# Hadoop uses high ordered random ports for services
	# If permanent ports are chosen, remove line below and lock down
	corenet_tcp_connect_generic_port(hadoop_$1_t)

	dev_read_rand(hadoop_$1_t)
	dev_read_urand(hadoop_$1_t)
	dev_read_sysfs(hadoop_$1_t)

	files_read_etc_files(hadoop_$1_t)

	auth_domtrans_chkpwd(hadoop_$1_t)

	hadoop_match_lan_spd(hadoop_$1_t)

	init_read_utmp(hadoop_$1_t)
	init_use_fds(hadoop_$1_t)
	init_use_script_fds(hadoop_$1_t)
	init_use_script_ptys(hadoop_$1_t)

	logging_send_audit_msgs(hadoop_$1_t)
	logging_send_syslog_msg(hadoop_$1_t)

	miscfiles_read_localization(hadoop_$1_t)

	sysnet_read_config(hadoop_$1_t)

	hadoop_exec_config(hadoop_$1_t)

	java_exec(hadoop_$1_t)

	kerberos_use(hadoop_$1_t)

	su_exec(hadoop_$1_t)

	optional_policy(`
		nscd_socket_use(hadoop_$1_t)
	')

	####################################
	#
	# Shared hadoop_$1 initrc policy.
	#

	allow hadoop_$1_initrc_t self:capability { setuid setgid };
	dontaudit hadoop_$1_initrc_t self:capability sys_tty_config;
	allow hadoop_$1_initrc_t self:process setsched;
	allow hadoop_$1_initrc_t self:fifo_file rw_fifo_file_perms;

	allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };

	domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
	files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
	files_search_locks(hadoop_$1_initrc_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
	files_search_pids(hadoop_$1_initrc_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
	logging_search_logs(hadoop_$1_initrc_t)

	manage_dirs_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
	manage_files_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)

	kernel_read_kernel_sysctls(hadoop_$1_initrc_t)
	kernel_read_sysctl(hadoop_$1_initrc_t)
	kernel_read_system_state(hadoop_$1_initrc_t)

	corecmd_exec_bin(hadoop_$1_initrc_t)
	corecmd_exec_shell(hadoop_$1_initrc_t)

	files_read_etc_files(hadoop_$1_initrc_t)
	files_read_usr_files(hadoop_$1_initrc_t)

	consoletype_exec(hadoop_$1_initrc_t)

	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
	fs_search_cgroup_dirs(hadoop_$1_initrc_t)

	term_use_generic_ptys(hadoop_$1_initrc_t)

	hadoop_exec_config(hadoop_$1_initrc_t)

	init_rw_utmp(hadoop_$1_initrc_t)
	init_use_fds(hadoop_$1_initrc_t)
	init_use_script_ptys(hadoop_$1_initrc_t)

	logging_send_syslog_msg(hadoop_$1_initrc_t)
	logging_send_audit_msgs(hadoop_$1_initrc_t)

	miscfiles_read_localization(hadoop_$1_initrc_t)

	userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)

	optional_policy(`
		nscd_socket_use(hadoop_$1_initrc_t)
	')
')

########################################
## <summary>
##	Role access for hadoop.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`hadoop_role',`
	gen_require(`
		type hadoop_t;
	')

	hadoop_domtrans($2)
	role $1 types hadoop_t;

	allow $2 hadoop_t:process { ptrace signal_perms };
	ps_process_pattern($2, hadoop_t)

	hadoop_domtrans_zookeeper_client($2)
	role $1 types zookeeper_t;

	allow $2 zookeeper_t:process { ptrace signal_perms };
	ps_process_pattern($2, zookeeper_t)
')

########################################
## <summary>
##	Execute hadoop in the
##	hadoop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans',`
	gen_require(`
		type hadoop_t, hadoop_exec_t;
	')

	domtrans_pattern($1, hadoop_exec_t, hadoop_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom',`
	gen_require(`
		type hadoop_t;
	')

	allow $1 hadoop_t:peer recv;
')

########################################
## <summary>
##	Execute zookeeper client in the
##	zookeeper client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans_zookeeper_client',`
	gen_require(`
		type zookeeper_t, zookeeper_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom zookeeper_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_zookeeper_client',`
	gen_require(`
		type zookeeper_t;
	')

	allow $1 zookeeper_t:peer recv;
')

########################################
## <summary>
##	Execute zookeeper server in the
##	zookeeper server domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans_zookeeper_server',`
	gen_require(`
		type zookeeper_server_t, zookeeper_server_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom zookeeper_server_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_zookeeper_server',`
	gen_require(`
		type zookeeper_server_t;
	')

	allow $1 zookeeper_server_t:peer recv;
')

########################################
## <summary>
##	Execute zookeeper server in the
##	zookeeper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_initrc_domtrans_zookeeper_server',`
	gen_require(`
		type zookeeper_server_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_datanode_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_datanode',`
	gen_require(`
		type hadoop_datanode_t;
	')

	allow $1 hadoop_datanode_t:peer recv;
')

########################################
## <summary>
##	Give permission to a domain to read
##	hadoop_etc_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing read permission
##	</summary>
## </param>
#
interface(`hadoop_read_config',`
	gen_require(`
		type hadoop_etc_t;
	')

	read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
	read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	execute hadoop_etc_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing read and execute
##	permission
##	</summary>
## </param>
#
interface(`hadoop_exec_config',`
	gen_require(`
		type hadoop_etc_t;
	')

	hadoop_read_config($1)
	allow $1 hadoop_etc_t:file exec_file_perms;
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_jobtracker_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_jobtracker',`
	gen_require(`
		type hadoop_jobtracker_t;
	')

	allow $1 hadoop_jobtracker_t:peer recv;
')

########################################
## <summary>
##	Give permission to a domain to
##	polmatch on hadoop_lan_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing polmatch
##	permission
##	</summary>
## </param>
#
interface(`hadoop_match_lan_spd',`
	gen_require(`
		type hadoop_lan_t;
	')

	allow $1 hadoop_lan_t:association polmatch;
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_namenode_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_namenode',`
	gen_require(`
		type hadoop_namenode_t;
	')

	allow $1 hadoop_namenode_t:peer recv;
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_secondarynamenode_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_secondarynamenode',`
	gen_require(`
		type hadoop_secondarynamenode_t;
	')

	allow $1 hadoop_secondarynamenode_t:peer recv;
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_tasktracker_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_tasktracker',`
	gen_require(`
		type hadoop_tasktracker_t;
	')

	allow $1 hadoop_tasktracker_t:peer recv;
')