bc71a042d8
On 10/04/2010 02:18 PM, Christopher J. PeBenito wrote: > On 10/04/10 13:15, Paul Nuzzi wrote: >> On 10/01/2010 01:56 PM, Christopher J. PeBenito wrote: >>> On 10/01/10 11:17, Paul Nuzzi wrote: >>>> On 10/01/2010 08:02 AM, Dominick Grift wrote: >>>>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote: >>>>>> I updated the patch based on recommendations from the mailing list. >>>>>> All of hadoop's services are included in one module instead of >>>>>> individual ones. Unconfined and sysadm roles are given access to >>>>>> hadoop and zookeeper client domain transitions. The services are started >>>>>> using run_init. Let me know what you think. >>>>> >>>>> Why do some hadoop domain need to manage generic tmp? >>>>> >>>>> files_manage_generic_tmp_dirs(zookeeper_t) >>>>> files_manage_generic_tmp_dirs(hadoop_t) >>>>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t) >>>>> files_manage_generic_tmp_files(hadoop_$1_initrc_t) >>>>> files_manage_generic_tmp_files(hadoop_$1_t) >>>>> files_manage_generic_tmp_dirs(hadoop_$1_t) >>>> >>>> This has to be done for Java JMX to work. All of the files are written to >>>> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while >>>> all the files for each service are labeled with hadoop_*_tmp_t. The first service >>>> will end up owning the directory if it is not labeled tmp_t. >>> >>> The hsperfdata dir in /tmp certainly the bane of policy writers. Based on a quick look through the policy, it looks like the only dir they create in /tmp is this hsperfdata dir. I suggest you do something like >>> >>> files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir) >>> files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir) >>> >>> filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file) >>> filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file) >>> >> >> That looks like a better way to handle the tmp_t problem. >> >> I changed the patch with your comments. Hopefully this will be one of the last updates. >> Tested on a CDH3 cluster as a module without any problems. > > There are several little issues with style, but it'll be easier just to fix them when its committed. > > Other comments inline. > I did my best locking down the ports hadoop uses. Unfortunately the services use high, randomized ports making tcp_connect_generic_port a must have. Hopefully one day hadoop will settle on static ports. I added hadoop_datanode port 50010 since it is important to lock down that service. I changed the patch based on the rest of the comments. Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
453 lines
7.2 KiB
Plaintext
453 lines
7.2 KiB
Plaintext
policy_module(sysadm, 2.1.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow sysadm to debug or ptrace all processes.
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(allow_ptrace, false)
|
|
|
|
role sysadm_r;
|
|
|
|
userdom_admin_user_template(sysadm)
|
|
|
|
ifndef(`enable_mls',`
|
|
userdom_security_admin_template(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
corecmd_exec_shell(sysadm_t)
|
|
|
|
mls_process_read_up(sysadm_t)
|
|
|
|
ubac_process_exempt(sysadm_t)
|
|
ubac_file_exempt(sysadm_t)
|
|
ubac_fd_exempt(sysadm_t)
|
|
|
|
init_exec(sysadm_t)
|
|
|
|
# Add/remove user home directories
|
|
userdom_manage_user_home_dirs(sysadm_t)
|
|
userdom_home_filetrans_user_home_dir(sysadm_t)
|
|
|
|
ifdef(`direct_sysadm_daemon',`
|
|
optional_policy(`
|
|
init_run_daemon(sysadm_t, sysadm_r)
|
|
')
|
|
',`
|
|
ifdef(`distro_gentoo',`
|
|
optional_policy(`
|
|
seutil_init_script_run_runinit(sysadm_t, sysadm_r)
|
|
')
|
|
')
|
|
')
|
|
|
|
ifndef(`enable_mls',`
|
|
logging_manage_audit_log(sysadm_t)
|
|
logging_manage_audit_config(sysadm_t)
|
|
logging_run_auditctl(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
tunable_policy(`allow_ptrace',`
|
|
domain_ptrace_all_domains(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
amanda_run_recover(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
apache_run_helper(sysadm_t, sysadm_r)
|
|
#apache_run_all_scripts(sysadm_t, sysadm_r)
|
|
#apache_domtrans_sys_script(sysadm_t)
|
|
apache_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
# cjp: why is this not apm_run_client
|
|
apm_domtrans_client(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
apt_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
auditadm_role_change(sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
backup_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
bind_run_ndc(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
bootloader_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
certwatch_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
clock_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
clockspeed_run_cli(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
consoletype_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
cvs_exec(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dcc_run_cdcc(sysadm_t, sysadm_r)
|
|
dcc_run_client(sysadm_t, sysadm_r)
|
|
dcc_run_dbclean(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
ddcprobe_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
dmesg_exec(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dmidecode_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
dpkg_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
firstboot_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
fstools_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
hadoop_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
# allow system administrator to use the ipsec script to look
|
|
# at things (e.g., ipsec auto --status)
|
|
# probably should create an ipsec_admin role for this kind of thing
|
|
ipsec_exec_mgmt(sysadm_t)
|
|
ipsec_stream_connect(sysadm_t)
|
|
# for lsof
|
|
ipsec_getattr_key_sockets(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
iptables_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
kudzu_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
libs_run_ldconfig(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
lockdev_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
logrotate_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
lpd_run_checkpc(sysadm_t, sysadm_r)
|
|
lpd_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
lvm_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
modutils_run_depmod(sysadm_t, sysadm_r)
|
|
modutils_run_insmod(sysadm_t, sysadm_r)
|
|
modutils_run_update_mods(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
mount_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
mozilla_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mplayer_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mta_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
munin_stream_connect(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
mysql_stream_connect(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
netutils_run(sysadm_t, sysadm_r)
|
|
netutils_run_ping(sysadm_t, sysadm_r)
|
|
netutils_run_traceroute(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
ntp_stub()
|
|
corenet_udp_bind_ntp_port(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
oav_run_update(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
pcmcia_run_cardctl(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
portage_run(sysadm_t, sysadm_r)
|
|
portage_run_gcc_config(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
portmap_run_helper(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
pyzor_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
quota_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
raid_domtrans_mdadm(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
razor_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpc_domtrans_nfsd(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rpm_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
rssh_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
rsync_exec(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
samba_run_net(sysadm_t, sysadm_r)
|
|
samba_run_winbind_helper(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
screen_role_template(sysadm, sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
secadm_role_change(sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_run_setfiles(sysadm_t, sysadm_r)
|
|
seutil_run_runinit(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
spamassassin_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
ssh_role_template(sysadm, sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
staff_role_change(sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
su_role_template(sysadm, sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sudo_role_template(sysadm, sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
sysnet_run_ifconfig(sysadm_t, sysadm_r)
|
|
sysnet_run_dhcpc(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
thunderbird_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tripwire_run_siggen(sysadm_t, sysadm_r)
|
|
tripwire_run_tripwire(sysadm_t, sysadm_r)
|
|
tripwire_run_twadmin(sysadm_t, sysadm_r)
|
|
tripwire_run_twprint(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
tvtime_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
tzdata_domtrans(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
uml_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unconfined_domtrans(sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
unprivuser_role_change(sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
usbmodules_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
userhelper_role_template(sysadm, sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
usermanage_run_admin_passwd(sysadm_t, sysadm_r)
|
|
usermanage_run_groupadd(sysadm_t, sysadm_r)
|
|
usermanage_run_useradd(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
vmware_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
vpn_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
webalizer_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
wireshark_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
xserver_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
yam_run(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
optional_policy(`
|
|
hadoop_zookeeper_run_client(sysadm_t, sysadm_r)
|
|
')
|
|
|
|
ifndef(`distro_redhat',`
|
|
optional_policy(`
|
|
auth_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
bluetooth_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cdrecord_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_admin_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
dbus_role_template(sysadm, sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
evolution_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
games_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gift_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gnome_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
gpg_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
irc_role(sysadm_r, sysadm_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
java_role(sysadm_r, sysadm_t)
|
|
')
|
|
')
|
|
|