psss / rpms / selinux-policy

Forked from rpms/selinux-policy 5 years ago
Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f7 f8 f9 master master-docker master_contrib private-master-atomic-policy private-master-migrate-to-var-lib-selinux requires tests
  1.   master_contrib
  2.   hadoop.if
Blob Blame History Raw 
## <summary>Software for reliable, scalable, distributed computing.</summary>

#######################################
## <summary>
##	The template to define a hadoop domain.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Domain prefix to be used.
##	</summary>
## </param>
#
template(`hadoop_domain_template',`
	gen_require(`
		attribute hadoop_domain, hadoop_initrc_domain, hadoop_init_script_file;
		attribute hadoop_pid_file, hadoop_lock_file, hadoop_log_file;
		attribute hadoop_tmp_file, hadoop_var_lib_file;
		type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
		type hadoop_exec_t, hadoop_hsperfdata_t;
	')

	########################################
	#
	# Declarations
	#

	type hadoop_$1_t, hadoop_domain;
	domain_type(hadoop_$1_t)
	domain_entry_file(hadoop_$1_t, hadoop_exec_t)
	role system_r types hadoop_$1_t;

	type hadoop_$1_initrc_t, hadoop_initrc_domain;
	type hadoop_$1_initrc_exec_t, hadoop_init_script_file;
	init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
	role system_r types hadoop_$1_initrc_t;

	type hadoop_$1_initrc_var_run_t, hadoop_pid_file;
	files_pid_file(hadoop_$1_initrc_var_run_t)

	type hadoop_$1_lock_t, hadoop_lock_file;
	files_lock_file(hadoop_$1_lock_t)

	type hadoop_$1_log_t, hadoop_log_file;
	logging_log_file(hadoop_$1_log_t)

	type hadoop_$1_tmp_t, hadoop_tmp_file;
	files_tmp_file(hadoop_$1_tmp_t)

	type hadoop_$1_var_lib_t, hadoop_var_lib_file;
	files_type(hadoop_$1_var_lib_t)

	####################################
	#
	# hadoop_domain policy
	#

	manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })

	manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)

	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)

	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
	filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)

	auth_use_nsswitch(hadoop_$1_t)

	####################################
	#
	# hadoop_initrc_domain policy
	#

	allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };

	domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
	files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
')

########################################
## <summary>
##	Role access for hadoop.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`hadoop_role',`
	gen_require(`
		attribute_role hadoop_roles, zookeeper_roles;
		type hadoop_t, zookeeper_t, hadoop_home_t;
		type hadoop_tmp_t, hadoop_hsperfdata_t, zookeeper_tmp_t;
	')

	hadoop_domtrans($2)
	roleattribute $1 hadoop_roles;

	hadoop_domtrans_zookeeper_client($2)
	roleattribute $1 zookeeper_roles;

	allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms };
	ps_process_pattern($2, { hadoop_t zookeeper_t })

	allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms };
	allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms };
	allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
')

########################################
## <summary>
##	Execute hadoop in the
##	hadoop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans',`
	gen_require(`
		type hadoop_t, hadoop_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, hadoop_exec_t, hadoop_t)
')

########################################
## <summary>
##	Receive from hadoop peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_recvfrom',`
	gen_require(`
		type hadoop_t;
	')

	allow $1 hadoop_t:peer recv;
')

########################################
## <summary>
##	Execute zookeeper client in the
##	zookeeper client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans_zookeeper_client',`
	gen_require(`
		type zookeeper_t, zookeeper_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
')

########################################
## <summary>
##	Receive from zookeeper peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_zookeeper_client',`
	gen_require(`
		type zookeeper_t;
	')

	allow $1 zookeeper_t:peer recv;
')

########################################
## <summary>
##	Execute zookeeper server in the
##	zookeeper server domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans_zookeeper_server',`
	gen_require(`
		type zookeeper_server_t, zookeeper_server_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
')

########################################
## <summary>
##	Receive from zookeeper server peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_zookeeper_server',`
	gen_require(`
		type zookeeper_server_t;
	')

	allow $1 zookeeper_server_t:peer recv;
')

########################################
## <summary>
##	Execute zookeeper server in the
##	zookeeper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_initrc_domtrans_zookeeper_server',`
	gen_require(`
		type zookeeper_server_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
')

########################################
## <summary>
##	Receive from datanode peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_datanode',`
	gen_require(`
		type hadoop_datanode_t;
	')

	allow $1 hadoop_datanode_t:peer recv;
')

########################################
## <summary>
##	Read hadoop configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_read_config',`
	gen_require(`
		type hadoop_etc_t;
	')

	read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
	read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
')

########################################
## <summary>
##	Execute hadoop configuration files.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_exec_config',`
	gen_require(`
		type hadoop_etc_t;
	')

	hadoop_read_config($1)
	allow $1 hadoop_etc_t:file exec_file_perms;
')

########################################
## <summary>
##	Receive from jobtracker peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_jobtracker',`
	gen_require(`
		type hadoop_jobtracker_t;
	')

	allow $1 hadoop_jobtracker_t:peer recv;
')

########################################
## <summary>
##	Match hadoop lan association.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_match_lan_spd',`
	gen_require(`
		type hadoop_lan_t;
	')

	allow $1 hadoop_lan_t:association polmatch;
')

########################################
## <summary>
##	Receive from namenode peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_namenode',`
	gen_require(`
		type hadoop_namenode_t;
	')

	allow $1 hadoop_namenode_t:peer recv;
')

########################################
## <summary>
##	Receive from secondary namenode peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_secondarynamenode',`
	gen_require(`
		type hadoop_secondarynamenode_t;
	')

	allow $1 hadoop_secondarynamenode_t:peer recv;
')

########################################
## <summary>
##	Receive from tasktracker peer.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_tasktracker',`
	gen_require(`
		type hadoop_tasktracker_t;
	')

	allow $1 hadoop_tasktracker_t:peer recv;
')

########################################
## <summary>
##	All of the rules required to
##	administrate an hadoop environment.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`hadoop_admin',`
	gen_require(`
		attribute hadoop_domain;
		attribute hadoop_initrc_domain;

		attribute hadoop_init_script_file;
		attribute hadoop_pid_file;
		attribute hadoop_lock_file;
		attribute hadoop_log_file;
		attribute hadoop_tmp_file;
		attribute hadoop_var_lib_file;

		type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
		type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
		type zookeeper_server_var_t;
	')

	allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
	ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })

	init_labeled_script_domtrans($1, hadoop_init_script_file)
	domain_system_change_exemption($1)
	role_transition $2 hadoop_init_script_file system_r;
	allow $2 system_r;

	files_search_etc($1)
	admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })

	logging_search_logs($1)
	admin_pattern($1, hadoop_log_file)

	files_search_locks($1)
	admin_pattern($1, hadoop_lock_file)

	files_search_pids($1)
	admin_pattern($1, hadoop_pid_file)

	files_search_tmp($1)
	admin_pattern($1, { hadoop_tmp_file hadoop_hsperfdata_t })

	files_search_var_lib($1)
	admin_pattern($1, { hadoop_var_lib_file zookeeper_server_var_t })

	hadoop_role($2, $1)
')
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.