From 22f5be25475d99066b491c8d3e1712b4d8243dec Mon Sep 17 00:00:00 2001
From: Kenton Groombridge
Date: Sun, 8 Aug 2021 12:52:17 -0400
Subject: [PATCH] hadoop, roles: use user exec domain attribute

Signed-off-by: Kenton Groombridge
---
 policy/modules/roles/sysadm.te | 2 +-
 policy/modules/roles/unprivuser.te | 2 +-
 policy/modules/services/hadoop.if | 38 ++++++++++++++++++++---------
 policy/modules/system/unconfined.te | 2 +-
 4 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 49ec421e9..39478e271 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -440,7 +440,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	hadoop_role(sysadm_r, sysadm_t)
+	hadoop_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
 ')
 
 optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index fa2fb0375..ddde7ecc1 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -83,7 +83,7 @@ ifndef(`distro_redhat',`
 ')
 
 optional_policy(`
-	hadoop_role(user_r, user_t)
+	hadoop_role(user, user_t, user_application_exec_domain, user_r)
 ')
 
 optional_policy(`
diff --git a/policy/modules/services/hadoop.if b/policy/modules/services/hadoop.if
index 32713a77f..80569ee34 100644
--- a/policy/modules/services/hadoop.if
+++ b/policy/modules/services/hadoop.if
@@ -94,37 +94,53 @@ template(`hadoop_domain_template',`
 ##
 ##	Role access for hadoop.
 ##
-##
+##
 ##
-##	Role allowed access.
+##	The prefix of the user role (e.g., user
+##	is the prefix for user_r).
 ##
 ##
-##
+##
 ##
-##	Domain allowed access.
+##	User domain for the role.
+##
+##
+##
+##
+##	User exec domain for execute and transition access.
+##
+##
+##
+##
+##	Role allowed access
 ##
 ##
 ##
 #
-interface(`hadoop_role',`
+template(`hadoop_role',`
 	gen_require(`
 		attribute_role hadoop_roles, zookeeper_roles;
 		type hadoop_t, zookeeper_t, hadoop_home_t;
 		type hadoop_tmp_t, hadoop_hsperfdata_t, zookeeper_tmp_t;
 	')
 
-	hadoop_domtrans($2)
-	roleattribute $1 hadoop_roles;
+	hadoop_domtrans($3)
+	roleattribute $4 hadoop_roles;
 
-	hadoop_domtrans_zookeeper_client($2)
-	roleattribute $1 zookeeper_roles;
+	hadoop_domtrans_zookeeper_client($3)
+	roleattribute $4 zookeeper_roles;
 
-	allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms };
-	ps_process_pattern($2, { hadoop_t zookeeper_t })
+	allow $3 { hadoop_t zookeeper_t }:process { ptrace signal_perms };
+	ps_process_pattern($3, { hadoop_t zookeeper_t })
 
 	allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms };
 	allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms };
 	allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+
+	optional_policy(`
+		systemd_user_app_status($1, hadoop_t)
+		systemd_user_app_status($1, zookeeper_t)
+	')
 ')
 
 ########################################
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index b69b8649d..e85466fd3 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -101,7 +101,7 @@ optional_policy(`
 ')
 
 optional_policy(`
-	hadoop_role(unconfined_r, unconfined_t)
+	hadoop_role(unconfined, unconfined_t, unconfined_application_exec_domain, unconfined_r)
 ')
 
 optional_policy(`
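Review bot: The rule `allow $3 { hadoop_t zookeeper_t }:process { ptrace signal_perms };` now grants ptrace to the exec-domain attribute instead of to the user domain `$2` the old interface used, so presumably every domain carrying that attribute can ptrace hadoop_t and zookeeper_t, which is a wider grant than the file and directory rules below it that stay on `$2`. If only the user domain is meant to debug these daemons, splitting it as `allow $2 { hadoop_t zookeeper_t }:process ptrace;` and `allow $3 { hadoop_t zookeeper_t }:process signal_perms;` keeps the old ptrace scope while still letting the exec domain signal and list them; if the wider scope is intended, a one-line comment saying so would save the next reader the same question. The interface-to-template conversion also changes the parameter list from `(role, domain)` to `(role_prefix, user_domain, user_exec_domain, role)`, which breaks any out-of-tree caller of `hadoop_role`; the three in-tree callers in sysadm.te, unprivuser.te and unconfined.te are updated in this patch, but the commit message does not mention the incompatibility. The whole template lies inside the hunk.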