[people/stevee/selinux-policy.git] / policy / modules / services / hadoop.if

## <summary>Software for reliable, scalable, distributed computing.</summary>

#######################################
## <summary>
##	The template to define a hadoop domain.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Domain prefix to be used.
##	</summary>
## </param>
#
template(`hadoop_domain_template',`
	gen_require(`
		attribute hadoop_domain;
		type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
		type hadoop_exec_t, hadoop_hsperfdata_t;
	')

	########################################
	#
	# Shared declarations.
	#

	type hadoop_$1_t, hadoop_domain;
	domain_type(hadoop_$1_t)
	domain_entry_file(hadoop_$1_t, hadoop_exec_t)
	role system_r types hadoop_$1_t;

	type hadoop_$1_initrc_t;
	type hadoop_$1_initrc_exec_t;
	init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
	role system_r types hadoop_$1_initrc_t;

	type hadoop_$1_initrc_var_run_t;
	files_pid_file(hadoop_$1_initrc_var_run_t)

	type hadoop_$1_lock_t;
	files_lock_file(hadoop_$1_lock_t)

	type hadoop_$1_log_t;
	logging_log_file(hadoop_$1_log_t)

	type hadoop_$1_tmp_t;
	files_tmp_file(hadoop_$1_tmp_t)

	type hadoop_$1_var_lib_t;
	files_type(hadoop_$1_var_lib_t)

	####################################
	#
	# Shared hadoop_$1 policy.
	#

	allow hadoop_$1_t self:capability { chown kill setgid setuid };
	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
	allow hadoop_$1_t self:key search;
	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
	allow hadoop_$1_t self:udp_socket create_socket_perms;
	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;

	allow hadoop_$1_t hadoop_domain:process signull;

	manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
	logging_search_logs(hadoop_$1_t)

	manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
	files_search_var_lib(hadoop_$1_t)

	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
	files_search_pids(hadoop_$1_t)

	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
	filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
	files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir)

	kernel_read_kernel_sysctls(hadoop_$1_t)
	kernel_read_sysctl(hadoop_$1_t)
	kernel_read_network_state(hadoop_$1_t)
	kernel_read_system_state(hadoop_$1_t)

	corecmd_exec_bin(hadoop_$1_t)
	corecmd_exec_shell(hadoop_$1_t)

	corenet_all_recvfrom_unlabeled(hadoop_$1_t)
	corenet_all_recvfrom_netlabel(hadoop_$1_t)
	corenet_tcp_bind_generic_node(hadoop_$1_t)
	corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
	corenet_udp_sendrecv_generic_if(hadoop_$1_t)
	corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
	corenet_udp_sendrecv_generic_node(hadoop_$1_t)
	corenet_tcp_sendrecv_all_ports(hadoop_$1_t)
	corenet_udp_bind_generic_node(hadoop_$1_t)
	# Hadoop uses high ordered random ports for services
	# If permanent ports are chosen, remove line below and lock down
	corenet_tcp_connect_generic_port(hadoop_$1_t)

	dev_read_rand(hadoop_$1_t)
	dev_read_urand(hadoop_$1_t)
	dev_read_sysfs(hadoop_$1_t)

	files_read_etc_files(hadoop_$1_t)

	auth_domtrans_chkpwd(hadoop_$1_t)
	auth_use_nsswitch(hadoop_$1_t)

	hadoop_match_lan_spd(hadoop_$1_t)

	init_read_utmp(hadoop_$1_t)
	init_use_fds(hadoop_$1_t)
	init_use_script_fds(hadoop_$1_t)
	init_use_script_ptys(hadoop_$1_t)

	logging_send_audit_msgs(hadoop_$1_t)
	logging_send_syslog_msg(hadoop_$1_t)

	miscfiles_read_localization(hadoop_$1_t)

	sysnet_read_config(hadoop_$1_t)

	hadoop_exec_config(hadoop_$1_t)

	optional_policy(`
		java_exec(hadoop_$1_t)
	')

	kerberos_use(hadoop_$1_t)

	su_exec(hadoop_$1_t)

	####################################
	#
	# Shared hadoop_$1 initrc policy.
	#

	allow hadoop_$1_initrc_t self:capability { setuid setgid };
	dontaudit hadoop_$1_initrc_t self:capability sys_tty_config;
	allow hadoop_$1_initrc_t self:process setsched;
	allow hadoop_$1_initrc_t self:fifo_file rw_fifo_file_perms;

	allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };

	domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
	files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
	files_search_locks(hadoop_$1_initrc_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
	files_search_pids(hadoop_$1_initrc_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
	logging_search_logs(hadoop_$1_initrc_t)

	manage_dirs_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
	manage_files_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)

	kernel_read_kernel_sysctls(hadoop_$1_initrc_t)
	kernel_read_sysctl(hadoop_$1_initrc_t)
	kernel_read_system_state(hadoop_$1_initrc_t)

	corecmd_exec_bin(hadoop_$1_initrc_t)
	corecmd_exec_shell(hadoop_$1_initrc_t)

	files_read_etc_files(hadoop_$1_initrc_t)
	files_read_usr_files(hadoop_$1_initrc_t)

	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
	fs_search_cgroup_dirs(hadoop_$1_initrc_t)

	term_use_generic_ptys(hadoop_$1_initrc_t)

	hadoop_exec_config(hadoop_$1_initrc_t)

	auth_domtrans_chkpwd(hadoop_$1_initrc_t)

	init_rw_utmp(hadoop_$1_initrc_t)
	init_use_fds(hadoop_$1_initrc_t)
	init_use_script_ptys(hadoop_$1_initrc_t)

	logging_send_syslog_msg(hadoop_$1_initrc_t)
	logging_send_audit_msgs(hadoop_$1_initrc_t)

	miscfiles_read_localization(hadoop_$1_initrc_t)

	userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)

	optional_policy(`
		consoletype_exec(hadoop_$1_initrc_t)
	')

')

########################################
## <summary>
##	Role access for hadoop.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`hadoop_role',`
	gen_require(`
		type hadoop_t;
	')

	hadoop_domtrans($2)
	role $1 types hadoop_t;

	allow $2 hadoop_t:process signal_perms;
	ps_process_pattern($2, hadoop_t)
	tunable_policy(`deny_ptrace',`',`
		allow $2 hadoop_t:process ptrace;
	')

	hadoop_domtrans_zookeeper_client($2)
	role $1 types zookeeper_t;

	allow $2 zookeeper_t:process signal_perms;
	ps_process_pattern($2, zookeeper_t)
	tunable_policy(`deny_ptrace',`',`
		allow $2 zookeeper_t:process ptrace;
	')

')

########################################
## <summary>
##	Execute hadoop in the
##	hadoop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans',`
	gen_require(`
		type hadoop_t, hadoop_exec_t;
	')

	domtrans_pattern($1, hadoop_exec_t, hadoop_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom',`
	gen_require(`
		type hadoop_t;
	')

	allow $1 hadoop_t:peer recv;
')

########################################
## <summary>
##	Execute zookeeper client in the
##	zookeeper client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans_zookeeper_client',`
	gen_require(`
		type zookeeper_t, zookeeper_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom zookeeper_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_zookeeper_client',`
	gen_require(`
		type zookeeper_t;
	')

	allow $1 zookeeper_t:peer recv;
')

########################################
## <summary>
##	Execute zookeeper server in the
##	zookeeper server domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans_zookeeper_server',`
	gen_require(`
		type zookeeper_server_t, zookeeper_server_exec_t;
	')

	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom zookeeper_server_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_zookeeper_server',`
	gen_require(`
		type zookeeper_server_t;
	')

	allow $1 zookeeper_server_t:peer recv;
')

########################################
## <summary>
##	Execute zookeeper server in the
##	zookeeper domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_initrc_domtrans_zookeeper_server',`
	gen_require(`
		type zookeeper_server_initrc_exec_t;
	')

	init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_datanode_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_datanode',`
	gen_require(`
		type hadoop_datanode_t;
	')

	allow $1 hadoop_datanode_t:peer recv;
')

########################################
## <summary>
##	Give permission to a domain to read
##	hadoop_etc_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing read permission
##	</summary>
## </param>
#
interface(`hadoop_read_config',`
	gen_require(`
		type hadoop_etc_t;
	')

	read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
	read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
')

########################################
## <summary>
##	Give permission to a domain to
##	execute hadoop_etc_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing read and execute
##	permission
##	</summary>
## </param>
#
interface(`hadoop_exec_config',`
	gen_require(`
		type hadoop_etc_t;
	')

	hadoop_read_config($1)
	allow $1 hadoop_etc_t:file exec_file_perms;
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_jobtracker_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_jobtracker',`
	gen_require(`
		type hadoop_jobtracker_t;
	')

	allow $1 hadoop_jobtracker_t:peer recv;
')

########################################
## <summary>
##	Give permission to a domain to
##	polmatch on hadoop_lan_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing polmatch
##	permission
##	</summary>
## </param>
#
interface(`hadoop_match_lan_spd',`
	gen_require(`
		type hadoop_lan_t;
	')

	allow $1 hadoop_lan_t:association polmatch;
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_namenode_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_namenode',`
	gen_require(`
		type hadoop_namenode_t;
	')

	allow $1 hadoop_namenode_t:peer recv;
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_secondarynamenode_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_secondarynamenode',`
	gen_require(`
		type hadoop_secondarynamenode_t;
	')

	allow $1 hadoop_secondarynamenode_t:peer recv;
')

########################################
## <summary>
##	Give permission to a domain to
##	recvfrom hadoop_tasktracker_t
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_tasktracker',`
	gen_require(`
		type hadoop_tasktracker_t;
	')

	allow $1 hadoop_tasktracker_t:peer recv;
')
Commit	Line	Data
bc71a042 PN	1	## <summary>Software for reliable, scalable, distributed computing.</summary>
	2
	3	#######################################
	4	## <summary>
	5	## The template to define a hadoop domain.
	6	## </summary>
	7	## <param name="domain_prefix">
	8	## <summary>
	9	## Domain prefix to be used.
	10	## </summary>
	11	## </param>
	12	#
	13	template(`hadoop_domain_template',`
	14	gen_require(`
	15	attribute hadoop_domain;
	16	type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
	17	type hadoop_exec_t, hadoop_hsperfdata_t;
	18	')
	19
	20	########################################
	21	#
	22	# Shared declarations.
	23	#
	24
	25	type hadoop_$1_t, hadoop_domain;
	26	domain_type(hadoop_$1_t)
	27	domain_entry_file(hadoop_$1_t, hadoop_exec_t)
641ac054	28	role system_r types hadoop_$1_t;
bc71a042 PN	29
	30	type hadoop_$1_initrc_t;
	31	type hadoop_$1_initrc_exec_t;
	32	init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
641ac054	33	role system_r types hadoop_$1_initrc_t;
bc71a042	34
641ac054 CP	35	type hadoop_$1_initrc_var_run_t;
641ac054 CP	36	files_pid_file(hadoop_$1_initrc_var_run_t)
bc71a042 PN	37
	38	type hadoop_$1_lock_t;
	39	files_lock_file(hadoop_$1_lock_t)
bc71a042 PN	40
	41	type hadoop_$1_log_t;
	42	logging_log_file(hadoop_$1_log_t)
641ac054 CP	43
	44	type hadoop_$1_tmp_t;
	45	files_tmp_file(hadoop_$1_tmp_t)
bc71a042 PN	46
	47	type hadoop_$1_var_lib_t;
	48	files_type(hadoop_$1_var_lib_t)
641ac054 CP	49
	50	####################################
	51	#
	52	# Shared hadoop_$1 policy.
	53	#
	54
fcb67e8c	55	allow hadoop_$1_t self:capability { chown kill setgid setuid };
fcb67e8c	56	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
60ca2bd8	57	allow hadoop_$1_t self:key search;
641ac054	58	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
fcb67e8c	59	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
60ca2bd8	60	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
641ac054 CP	61	allow hadoop_$1_t self:udp_socket create_socket_perms;
	62	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;
	63
	64	allow hadoop_$1_t hadoop_domain:process signull;
	65
	66	manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
	67	filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
	68	logging_search_logs(hadoop_$1_t)
	69
	70	manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	71	manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
bc71a042	72	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
641ac054	73	files_search_var_lib(hadoop_$1_t)
bc71a042	74
fcb67e8c	75	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
a4565740 CP	76	filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
a4565740 CP	77	files_search_pids(hadoop_$1_t)
bc71a042	78
641ac054 CP	79	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
641ac054 CP	80	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
bc71a042	81	filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
641ac054 CP	82	files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir)
641ac054 CP	83
60ca2bd8 CP	84	kernel_read_kernel_sysctls(hadoop_$1_t)
60ca2bd8 CP	85	kernel_read_sysctl(hadoop_$1_t)
641ac054 CP	86	kernel_read_network_state(hadoop_$1_t)
	87	kernel_read_system_state(hadoop_$1_t)
	88
	89	corecmd_exec_bin(hadoop_$1_t)
	90	corecmd_exec_shell(hadoop_$1_t)
	91
	92	corenet_all_recvfrom_unlabeled(hadoop_$1_t)
	93	corenet_all_recvfrom_netlabel(hadoop_$1_t)
a90706ef	94	corenet_tcp_bind_generic_node(hadoop_$1_t)
641ac054 CP	95	corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
	96	corenet_udp_sendrecv_generic_if(hadoop_$1_t)
	97	corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
	98	corenet_udp_sendrecv_generic_node(hadoop_$1_t)
	99	corenet_tcp_sendrecv_all_ports(hadoop_$1_t)
	100	corenet_udp_bind_generic_node(hadoop_$1_t)
	101	# Hadoop uses high ordered random ports for services
	102	# If permanent ports are chosen, remove line below and lock down
	103	corenet_tcp_connect_generic_port(hadoop_$1_t)
	104
	105	dev_read_rand(hadoop_$1_t)
	106	dev_read_urand(hadoop_$1_t)
	107	dev_read_sysfs(hadoop_$1_t)
	108
	109	files_read_etc_files(hadoop_$1_t)
	110
60ca2bd8	111	auth_domtrans_chkpwd(hadoop_$1_t)
25a3cf10	112	auth_use_nsswitch(hadoop_$1_t)
60ca2bd8	113
371908d1	114	hadoop_match_lan_spd(hadoop_$1_t)
6237b724	115
fcb67e8c PN	116	init_read_utmp(hadoop_$1_t)
	117	init_use_fds(hadoop_$1_t)
	118	init_use_script_fds(hadoop_$1_t)
	119	init_use_script_ptys(hadoop_$1_t)
	120
fcb67e8c PN	121	logging_send_audit_msgs(hadoop_$1_t)
	122	logging_send_syslog_msg(hadoop_$1_t)
	123
641ac054 CP	124	miscfiles_read_localization(hadoop_$1_t)
	125
	126	sysnet_read_config(hadoop_$1_t)
	127
	128	hadoop_exec_config(hadoop_$1_t)
	129
4a093096	130	optional_policy(`
	131	java_exec(hadoop_$1_t)
	132	')
641ac054	133
60ca2bd8 CP	134	kerberos_use(hadoop_$1_t)
	135
	136	su_exec(hadoop_$1_t)
fcb67e8c	137
bc71a042 PN	138	####################################
	139	#
	140	# Shared hadoop_$1 initrc policy.
	141	#
	142
bc71a042	143	allow hadoop_$1_initrc_t self:capability { setuid setgid };
641ac054	144	dontaudit hadoop_$1_initrc_t self:capability sys_tty_config;
bc71a042	145	allow hadoop_$1_initrc_t self:process setsched;
641ac054	146	allow hadoop_$1_initrc_t self:fifo_file rw_fifo_file_perms;
bc71a042	147
641ac054	148	allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
bc71a042 PN	149
bc71a042 PN	150	domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
bc71a042	151
641ac054 CP	152	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
641ac054 CP	153	files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
bc71a042	154	files_search_locks(hadoop_$1_initrc_t)
bc71a042	155
641ac054 CP	156	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	157	filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
	158	files_search_pids(hadoop_$1_initrc_t)
bc71a042	159
641ac054 CP	160	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
641ac054 CP	161	filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
bc71a042 PN	162	logging_search_logs(hadoop_$1_initrc_t)
bc71a042 PN	163
bc71a042 PN	164	manage_dirs_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
	165	manage_files_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
	166
641ac054 CP	167	kernel_read_kernel_sysctls(hadoop_$1_initrc_t)
	168	kernel_read_sysctl(hadoop_$1_initrc_t)
	169	kernel_read_system_state(hadoop_$1_initrc_t)
bc71a042	170
641ac054 CP	171	corecmd_exec_bin(hadoop_$1_initrc_t)
641ac054 CP	172	corecmd_exec_shell(hadoop_$1_initrc_t)
bc71a042	173
641ac054 CP	174	files_read_etc_files(hadoop_$1_initrc_t)
641ac054 CP	175	files_read_usr_files(hadoop_$1_initrc_t)
bc71a042	176
641ac054	177	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
fcb67e8c	178	fs_search_cgroup_dirs(hadoop_$1_initrc_t)
bc71a042	179
641ac054	180	term_use_generic_ptys(hadoop_$1_initrc_t)
bc71a042	181
641ac054	182	hadoop_exec_config(hadoop_$1_initrc_t)
bc71a042	183
25a3cf10 DW	184	auth_domtrans_chkpwd(hadoop_$1_initrc_t)
25a3cf10 DW	185
641ac054	186	init_rw_utmp(hadoop_$1_initrc_t)
fcb67e8c	187	init_use_fds(hadoop_$1_initrc_t)
641ac054	188	init_use_script_ptys(hadoop_$1_initrc_t)
bc71a042	189
641ac054 CP	190	logging_send_syslog_msg(hadoop_$1_initrc_t)
641ac054 CP	191	logging_send_audit_msgs(hadoop_$1_initrc_t)
bc71a042	192
641ac054	193	miscfiles_read_localization(hadoop_$1_initrc_t)
bc71a042	194
641ac054	195	userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)
bc71a042	196
46107d62 MG	197	optional_policy(`
	198	consoletype_exec(hadoop_$1_initrc_t)
	199	')
	200
bc71a042 PN	201	')
	202
	203	########################################
	204	## <summary>
641ac054	205	## Role access for hadoop.
bc71a042	206	## </summary>
641ac054 CP	207	## <param name="role">
	208	## <summary>
	209	## Role allowed access.
	210	## </summary>
	211	## </param>
bc71a042 PN	212	## <param name="domain">
bc71a042 PN	213	## <summary>
641ac054	214	## Domain allowed access.
bc71a042 PN	215	## </summary>
bc71a042 PN	216	## </param>
641ac054	217	## <rolecap/>
bc71a042	218	#
641ac054	219	interface(`hadoop_role',`
bc71a042	220	gen_require(`
641ac054	221	type hadoop_t;
bc71a042 PN	222	')
bc71a042 PN	223
641ac054 CP	224	hadoop_domtrans($2)
	225	role $1 types hadoop_t;
	226
995bdbb1	227	allow $2 hadoop_t:process signal_perms;
641ac054	228	ps_process_pattern($2, hadoop_t)
995bdbb1	229	tunable_policy(`deny_ptrace',`',`
	230	allow $2 hadoop_t:process ptrace;
	231	')
641ac054 CP	232
	233	hadoop_domtrans_zookeeper_client($2)
	234	role $1 types zookeeper_t;
	235
995bdbb1	236	allow $2 zookeeper_t:process signal_perms;
641ac054	237	ps_process_pattern($2, zookeeper_t)
995bdbb1	238	tunable_policy(`deny_ptrace',`',`
	239	allow $2 zookeeper_t:process ptrace;
	240	')
	241
bc71a042 PN	242	')
	243
	244	########################################
	245	## <summary>
641ac054	246	## Execute hadoop in the
bc71a042 PN	247	## hadoop domain.
	248	## </summary>
	249	## <param name="domain">
	250	## <summary>
	251	## Domain allowed to transition.
	252	## </summary>
	253	## </param>
bc71a042	254	#
641ac054	255	interface(`hadoop_domtrans',`
bc71a042	256	gen_require(`
641ac054	257	type hadoop_t, hadoop_exec_t;
bc71a042 PN	258	')
bc71a042 PN	259
641ac054	260	domtrans_pattern($1, hadoop_exec_t, hadoop_t)
bc71a042 PN	261	')
	262
	263	########################################
	264	## <summary>
2810bc14 CP	265	## Give permission to a domain to
2810bc14 CP	266	## recvfrom hadoop_t
bc71a042 PN	267	## </summary>
	268	## <param name="domain">
	269	## <summary>
2810bc14 CP	270	## Domain needing recvfrom
2810bc14 CP	271	## permission
bc71a042 PN	272	## </summary>
	273	## </param>
	274	#
2810bc14	275	interface(`hadoop_recvfrom',`
bc71a042	276	gen_require(`
2810bc14	277	type hadoop_t;
bc71a042 PN	278	')
bc71a042 PN	279
2810bc14	280	allow $1 hadoop_t:peer recv;
bc71a042 PN	281	')
	282
	283	########################################
	284	## <summary>
2810bc14 CP	285	## Execute zookeeper client in the
2810bc14 CP	286	## zookeeper client domain.
bc71a042 PN	287	## </summary>
	288	## <param name="domain">
	289	## <summary>
	290	## Domain allowed to transition.
	291	## </summary>
	292	## </param>
	293	#
2810bc14	294	interface(`hadoop_domtrans_zookeeper_client',`
bc71a042	295	gen_require(`
2810bc14	296	type zookeeper_t, zookeeper_exec_t;
bc71a042 PN	297	')
	298
	299	corecmd_search_bin($1)
2810bc14	300	domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
bc71a042 PN	301	')
	302
	303	########################################
	304	## <summary>
2810bc14 CP	305	## Give permission to a domain to
2810bc14 CP	306	## recvfrom zookeeper_t
bc71a042 PN	307	## </summary>
	308	## <param name="domain">
	309	## <summary>
2810bc14 CP	310	## Domain needing recvfrom
2810bc14 CP	311	## permission
bc71a042 PN	312	## </summary>
	313	## </param>
	314	#
2810bc14	315	interface(`hadoop_recvfrom_zookeeper_client',`
bc71a042	316	gen_require(`
2810bc14	317	type zookeeper_t;
bc71a042 PN	318	')
bc71a042 PN	319
2810bc14	320	allow $1 zookeeper_t:peer recv;
bc71a042 PN	321	')
	322
	323	########################################
	324	## <summary>
2810bc14 CP	325	## Execute zookeeper server in the
2810bc14 CP	326	## zookeeper server domain.
bc71a042 PN	327	## </summary>
	328	## <param name="domain">
	329	## <summary>
2810bc14	330	## Domain allowed to transition.
bc71a042 PN	331	## </summary>
bc71a042 PN	332	## </param>
bc71a042	333	#
2810bc14	334	interface(`hadoop_domtrans_zookeeper_server',`
bc71a042	335	gen_require(`
2810bc14	336	type zookeeper_server_t, zookeeper_server_exec_t;
bc71a042 PN	337	')
bc71a042 PN	338
2810bc14 CP	339	corecmd_search_bin($1)
2810bc14 CP	340	domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
bc71a042 PN	341	')
	342
	343	########################################
	344	## <summary>
641ac054	345	## Give permission to a domain to
2810bc14	346	## recvfrom zookeeper_server_t
bc71a042 PN	347	## </summary>
bc71a042 PN	348	## <param name="domain">
641ac054	349	## <summary>
2810bc14	350	## Domain needing recvfrom
641ac054 CP	351	## permission
641ac054 CP	352	## </summary>
bc71a042 PN	353	## </param>
bc71a042 PN	354	#
2810bc14	355	interface(`hadoop_recvfrom_zookeeper_server',`
bc71a042	356	gen_require(`
2810bc14	357	type zookeeper_server_t;
bc71a042 PN	358	')
bc71a042 PN	359
2810bc14	360	allow $1 zookeeper_server_t:peer recv;
bc71a042	361	')
6237b724 PN	362
	363	########################################
	364	## <summary>
2810bc14 CP	365	## Execute zookeeper server in the
2810bc14 CP	366	## zookeeper domain.
6237b724 PN	367	## </summary>
	368	## <param name="domain">
	369	## <summary>
2810bc14	370	## Domain allowed to transition.
6237b724 PN	371	## </summary>
	372	## </param>
	373	#
2810bc14	374	interface(`hadoop_initrc_domtrans_zookeeper_server',`
6237b724	375	gen_require(`
2810bc14	376	type zookeeper_server_initrc_exec_t;
6237b724 PN	377	')
6237b724 PN	378
2810bc14	379	init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
6237b724 PN	380	')
	381
	382	########################################
	383	## <summary>
	384	## Give permission to a domain to
	385	## recvfrom hadoop_datanode_t
	386	## </summary>
	387	## <param name="domain">
	388	## <summary>
	389	## Domain needing recvfrom
	390	## permission
	391	## </summary>
	392	## </param>
	393	#
	394	interface(`hadoop_recvfrom_datanode',`
	395	gen_require(`
	396	type hadoop_datanode_t;
	397	')
	398
	399	allow $1 hadoop_datanode_t:peer recv;
	400	')
	401
	402	########################################
	403	## <summary>
2810bc14 CP	404	## Give permission to a domain to read
2810bc14 CP	405	## hadoop_etc_t
6237b724 PN	406	## </summary>
	407	## <param name="domain">
	408	## <summary>
2810bc14	409	## Domain needing read permission
6237b724 PN	410	## </summary>
	411	## </param>
	412	#
2810bc14	413	interface(`hadoop_read_config',`
6237b724	414	gen_require(`
2810bc14	415	type hadoop_etc_t;
6237b724 PN	416	')
6237b724 PN	417
2810bc14 CP	418	read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
2810bc14 CP	419	read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
6237b724 PN	420	')
	421
	422	########################################
	423	## <summary>
	424	## Give permission to a domain to
2810bc14	425	## execute hadoop_etc_t
6237b724 PN	426	## </summary>
	427	## <param name="domain">
	428	## <summary>
2810bc14	429	## Domain needing read and execute
6237b724 PN	430	## permission
	431	## </summary>
	432	## </param>
	433	#
2810bc14	434	interface(`hadoop_exec_config',`
6237b724	435	gen_require(`
2810bc14	436	type hadoop_etc_t;
6237b724 PN	437	')
6237b724 PN	438
2810bc14 CP	439	hadoop_read_config($1)
2810bc14 CP	440	allow $1 hadoop_etc_t:file exec_file_perms;
6237b724 PN	441	')
	442
	443	########################################
	444	## <summary>
	445	## Give permission to a domain to
2810bc14	446	## recvfrom hadoop_jobtracker_t
6237b724 PN	447	## </summary>
	448	## <param name="domain">
	449	## <summary>
	450	## Domain needing recvfrom
	451	## permission
	452	## </summary>
	453	## </param>
	454	#
2810bc14	455	interface(`hadoop_recvfrom_jobtracker',`
6237b724	456	gen_require(`
2810bc14	457	type hadoop_jobtracker_t;
6237b724 PN	458	')
6237b724 PN	459
2810bc14	460	allow $1 hadoop_jobtracker_t:peer recv;
6237b724 PN	461	')
	462
	463	########################################
	464	## <summary>
	465	## Give permission to a domain to
2810bc14	466	## polmatch on hadoop_lan_t
6237b724 PN	467	## </summary>
	468	## <param name="domain">
	469	## <summary>
2810bc14	470	## Domain needing polmatch
6237b724 PN	471	## permission
	472	## </summary>
	473	## </param>
	474	#
2810bc14	475	interface(`hadoop_match_lan_spd',`
6237b724	476	gen_require(`
2810bc14	477	type hadoop_lan_t;
6237b724 PN	478	')
6237b724 PN	479
2810bc14	480	allow $1 hadoop_lan_t:association polmatch;
6237b724 PN	481	')
	482
	483	########################################
	484	## <summary>
	485	## Give permission to a domain to
2810bc14	486	## recvfrom hadoop_namenode_t
6237b724 PN	487	## </summary>
	488	## <param name="domain">
	489	## <summary>
	490	## Domain needing recvfrom
	491	## permission
	492	## </summary>
	493	## </param>
	494	#
2810bc14	495	interface(`hadoop_recvfrom_namenode',`
6237b724	496	gen_require(`
2810bc14	497	type hadoop_namenode_t;
6237b724 PN	498	')
6237b724 PN	499
2810bc14	500	allow $1 hadoop_namenode_t:peer recv;
6237b724 PN	501	')
	502
	503	########################################
	504	## <summary>
	505	## Give permission to a domain to
2810bc14	506	## recvfrom hadoop_secondarynamenode_t
6237b724 PN	507	## </summary>
	508	## <param name="domain">
	509	## <summary>
	510	## Domain needing recvfrom
	511	## permission
	512	## </summary>
	513	## </param>
	514	#
2810bc14	515	interface(`hadoop_recvfrom_secondarynamenode',`
6237b724	516	gen_require(`
2810bc14	517	type hadoop_secondarynamenode_t;
6237b724 PN	518	')
6237b724 PN	519
2810bc14	520	allow $1 hadoop_secondarynamenode_t:peer recv;
6237b724 PN	521	')
	522
	523	########################################
	524	## <summary>
	525	## Give permission to a domain to
2810bc14	526	## recvfrom hadoop_tasktracker_t
6237b724 PN	527	## </summary>
	528	## <param name="domain">
	529	## <summary>
	530	## Domain needing recvfrom
	531	## permission
	532	## </summary>
	533	## </param>
	534	#
2810bc14	535	interface(`hadoop_recvfrom_tasktracker',`
6237b724	536	gen_require(`
2810bc14	537	type hadoop_tasktracker_t;
6237b724 PN	538	')
6237b724 PN	539
2810bc14	540	allow $1 hadoop_tasktracker_t:peer recv;
6237b724	541	')