Commit | Line | Data |
---|---|---|
bc71a042 PN |
1 | ## <summary>Software for reliable, scalable, distributed computing.</summary> |
2 | ||
#######################################
## <summary>
##	Template that declares one confined hadoop
##	service domain together with its init
##	script domain and per-service file types.
## </summary>
## <param name="domain_prefix">
##	<summary>
##	Prefix inserted into every generated
##	type name (hadoop_PREFIX_t and so on).
##	</summary>
## </param>
#
template(`hadoop_domain_template',`
	# Attribute and shared types that must already exist in the policy.
	gen_require(`
		attribute hadoop_domain;
		type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
		type hadoop_exec_t, hadoop_hsperfdata_t;
	')

	########################################
	#
	# Shared declarations.
	#

	# Service domain: entered through the shared hadoop_exec_t entry
	# point and tagged with the hadoop_domain attribute.
	type hadoop_$1_t, hadoop_domain;
	domain_type(hadoop_$1_t)
	domain_entry_file(hadoop_$1_t, hadoop_exec_t)
	role system_r types hadoop_$1_t;

	# Init script domain and its own entry point type.
	type hadoop_$1_initrc_t;
	type hadoop_$1_initrc_exec_t;
	init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
	role system_r types hadoop_$1_initrc_t;

	# Per-service file types: pid, lock, log, tmp and state data.
	type hadoop_$1_initrc_var_run_t;
	files_pid_file(hadoop_$1_initrc_var_run_t)

	type hadoop_$1_lock_t;
	files_lock_file(hadoop_$1_lock_t)

	type hadoop_$1_log_t;
	logging_log_file(hadoop_$1_log_t)

	type hadoop_$1_tmp_t;
	files_tmp_file(hadoop_$1_tmp_t)

	type hadoop_$1_var_lib_t;
	files_type(hadoop_$1_var_lib_t)

	####################################
	#
	# Shared hadoop_$1 policy.
	#

	# Review note: every templated service receives chown, kill, setgid
	# and setuid. Trim per service if a given daemon never changes
	# ownership or identity.
	allow hadoop_$1_t self:capability { chown kill setgid setuid };
	# Review note: execmem permits memory that is both writable and
	# executable. Presumably needed by the Java runtime - confirm before
	# reusing this template for anything that is not a JVM.
	allow hadoop_$1_t self:process { execmem getsched setsched sigkill signal };
	allow hadoop_$1_t self:key search;
	allow hadoop_$1_t self:fifo_file rw_fifo_file_perms;
	allow hadoop_$1_t self:unix_dgram_socket create_socket_perms;
	allow hadoop_$1_t self:tcp_socket create_stream_socket_perms;
	allow hadoop_$1_t self:udp_socket create_socket_perms;
	dontaudit hadoop_$1_t self:netlink_route_socket rw_netlink_socket_perms;

	# Liveness probe (signal 0) towards every hadoop domain.
	allow hadoop_$1_t hadoop_domain:process signull;

	# Logs. Review note: the transition names dir and file, yet only file
	# management is granted on the per-service log type - confirm whether
	# directory creation is intended.
	manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
	logging_search_logs(hadoop_$1_t)

	# State data below the shared hadoop_var_lib_t directory.
	manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
	files_search_var_lib(hadoop_$1_t)

	# Pid files created in the shared run directory get the per-service type.
	manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
	files_search_pids(hadoop_$1_t)

	# Temporary files: the hsperfdata directory type is shared by all
	# templated domains while files created inside it are per service.
	allow hadoop_$1_t hadoop_hsperfdata_t:dir manage_dir_perms;
	manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
	filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
	files_tmp_filetrans(hadoop_$1_t, hadoop_hsperfdata_t, dir)

	kernel_read_kernel_sysctls(hadoop_$1_t)
	kernel_read_sysctl(hadoop_$1_t)
	kernel_read_network_state(hadoop_$1_t)
	kernel_read_system_state(hadoop_$1_t)

	# Review note: generic binaries and a shell run inside the service
	# domain itself, so anything they do is bounded only by this template.
	corecmd_exec_bin(hadoop_$1_t)
	corecmd_exec_shell(hadoop_$1_t)

	# Review note: traffic without a peer label is accepted. Sites that
	# rely on labeled networking for hadoop should revisit the first rule.
	corenet_all_recvfrom_unlabeled(hadoop_$1_t)
	corenet_all_recvfrom_netlabel(hadoop_$1_t)
	corenet_tcp_bind_generic_node(hadoop_$1_t)
	corenet_tcp_sendrecv_generic_if(hadoop_$1_t)
	corenet_udp_sendrecv_generic_if(hadoop_$1_t)
	corenet_tcp_sendrecv_generic_node(hadoop_$1_t)
	corenet_udp_sendrecv_generic_node(hadoop_$1_t)
	corenet_tcp_sendrecv_all_ports(hadoop_$1_t)
	corenet_udp_bind_generic_node(hadoop_$1_t)
	# Hadoop uses high ordered random ports for services
	# If permanent ports are chosen, remove line below and lock down
	corenet_tcp_connect_generic_port(hadoop_$1_t)

	dev_read_rand(hadoop_$1_t)
	dev_read_urand(hadoop_$1_t)
	dev_read_sysfs(hadoop_$1_t)

	files_read_etc_files(hadoop_$1_t)

	auth_domtrans_chkpwd(hadoop_$1_t)
	auth_use_nsswitch(hadoop_$1_t)

	hadoop_match_lan_spd(hadoop_$1_t)

	init_read_utmp(hadoop_$1_t)
	init_use_fds(hadoop_$1_t)
	init_use_script_fds(hadoop_$1_t)
	init_use_script_ptys(hadoop_$1_t)

	logging_send_audit_msgs(hadoop_$1_t)
	logging_send_syslog_msg(hadoop_$1_t)

	miscfiles_read_localization(hadoop_$1_t)

	sysnet_read_config(hadoop_$1_t)

	# Configuration files are read and executed by the service.
	hadoop_exec_config(hadoop_$1_t)

	optional_policy(`
		java_exec(hadoop_$1_t)
	')

	kerberos_use(hadoop_$1_t)

	# Review note: the su binary is executed without a transition. Combined
	# with setuid and setgid above the service can switch identity;
	# presumably used to drop to the service account - confirm.
	su_exec(hadoop_$1_t)

	####################################
	#
	# Shared hadoop_$1 initrc policy.
	#

	allow hadoop_$1_initrc_t self:capability { setuid setgid };
	dontaudit hadoop_$1_initrc_t self:capability sys_tty_config;
	allow hadoop_$1_initrc_t self:process setsched;
	allow hadoop_$1_initrc_t self:fifo_file rw_fifo_file_perms;

	# The init script may signal only its own service domain.
	allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };

	# Running the shared entry point from the init script lands in the
	# per-service domain.
	domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
	files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
	files_search_locks(hadoop_$1_initrc_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
	files_search_pids(hadoop_$1_initrc_t)

	manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
	filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
	logging_search_logs(hadoop_$1_initrc_t)

	# Review note: every init script domain manages the shared
	# hadoop_var_run_t directories and files, not only its own pid file
	# type, so one service script can alter run state of the others.
	manage_dirs_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)
	manage_files_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_var_run_t)

	kernel_read_kernel_sysctls(hadoop_$1_initrc_t)
	kernel_read_sysctl(hadoop_$1_initrc_t)
	kernel_read_system_state(hadoop_$1_initrc_t)

	corecmd_exec_bin(hadoop_$1_initrc_t)
	corecmd_exec_shell(hadoop_$1_initrc_t)

	files_read_etc_files(hadoop_$1_initrc_t)
	files_read_usr_files(hadoop_$1_initrc_t)

	fs_getattr_xattr_fs(hadoop_$1_initrc_t)
	fs_search_cgroup_dirs(hadoop_$1_initrc_t)

	term_use_generic_ptys(hadoop_$1_initrc_t)

	hadoop_exec_config(hadoop_$1_initrc_t)

	auth_domtrans_chkpwd(hadoop_$1_initrc_t)

	init_rw_utmp(hadoop_$1_initrc_t)
	init_use_fds(hadoop_$1_initrc_t)
	init_use_script_ptys(hadoop_$1_initrc_t)

	logging_send_syslog_msg(hadoop_$1_initrc_t)
	logging_send_audit_msgs(hadoop_$1_initrc_t)

	miscfiles_read_localization(hadoop_$1_initrc_t)

	userdom_dontaudit_search_user_home_dirs(hadoop_$1_initrc_t)

	optional_policy(`
		consoletype_exec(hadoop_$1_initrc_t)
	')

')
202 | ||
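########################################
## <summary>
##	Role access for hadoop.
## </summary>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`hadoop_role',`
	# Both types are named directly in rules below, so both are required
	# here instead of relying on a nested interface to require zookeeper_t.
	gen_require(`
		type hadoop_t, zookeeper_t;
	')

	# Let the user domain start hadoop and tie the type to the role.
	hadoop_domtrans($2)
	role $1 types hadoop_t;

	allow $2 hadoop_t:process signal_perms;
	ps_process_pattern($2, hadoop_t)
	# Tracing of hadoop processes is granted only in the branch that
	# applies while the deny_ptrace tunable is off.
	tunable_policy(`deny_ptrace',`',`
		allow $2 hadoop_t:process ptrace;
	')

	# Same set of grants for the zookeeper client domain.
	hadoop_domtrans_zookeeper_client($2)
	role $1 types zookeeper_t;

	allow $2 zookeeper_t:process signal_perms;
	ps_process_pattern($2, zookeeper_t)
	tunable_policy(`deny_ptrace',`',`
		allow $2 zookeeper_t:process ptrace;
	')

')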
243 | ||
########################################
## <summary>
##	Run the hadoop entry point with a
##	transition into the hadoop domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans',`
	gen_require(`
		type hadoop_exec_t, hadoop_t;
	')

	# Executing a file labeled hadoop_exec_t moves the caller into hadoop_t.
	domtrans_pattern($1, hadoop_exec_t, hadoop_t)
')
262 | ||
########################################
## <summary>
##	Allow a domain to receive labeled
##	network traffic whose peer is hadoop_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom',`
	gen_require(`
		type hadoop_t;
	')

	# Peer label check: only the recv permission is granted.
	allow $1 hadoop_t:peer recv;
')
282 | ||
########################################
## <summary>
##	Run the zookeeper client with a
##	transition into the zookeeper client domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans_zookeeper_client',`
	gen_require(`
		type zookeeper_exec_t, zookeeper_t;
	')

	# The caller must be able to search the bin directories to reach
	# the entry point before the transition can happen.
	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
')
302 | ||
########################################
## <summary>
##	Allow a domain to receive labeled
##	network traffic whose peer is zookeeper_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_zookeeper_client',`
	gen_require(`
		type zookeeper_t;
	')

	# Peer label check: only the recv permission is granted.
	allow $1 zookeeper_t:peer recv;
')
322 | ||
########################################
## <summary>
##	Run the zookeeper server with a
##	transition into the zookeeper server domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_domtrans_zookeeper_server',`
	gen_require(`
		type zookeeper_server_exec_t, zookeeper_server_t;
	')

	# The caller must be able to search the bin directories to reach
	# the entry point before the transition can happen.
	corecmd_search_bin($1)
	domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
')
342 | ||
########################################
## <summary>
##	Allow a domain to receive labeled
##	network traffic whose peer is
##	zookeeper_server_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_zookeeper_server',`
	gen_require(`
		type zookeeper_server_t;
	')

	# Peer label check: only the recv permission is granted.
	allow $1 zookeeper_server_t:peer recv;
')
6237b724 PN |
362 | |
########################################
## <summary>
##	Run the zookeeper server init script
##	with a domain transition.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`hadoop_initrc_domtrans_zookeeper_server',`
	gen_require(`
		type zookeeper_server_initrc_exec_t;
	')

	# This covers the labeled init script only; the server binary itself
	# is not named in this interface.
	init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
')
381 | ||
########################################
## <summary>
##	Allow a domain to receive labeled
##	network traffic whose peer is
##	hadoop_datanode_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_datanode',`
	gen_require(`
		type hadoop_datanode_t;
	')

	# Peer label check: only the recv permission is granted.
	allow $1 hadoop_datanode_t:peer recv;
')
401 | ||
########################################
## <summary>
##	Allow a domain to read hadoop
##	configuration content (hadoop_etc_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing read permission
##	</summary>
## </param>
#
interface(`hadoop_read_config',`
	gen_require(`
		type hadoop_etc_t;
	')

	# Regular files and symbolic links are both covered; nothing here
	# grants write access.
	read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
	read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
')
421 | ||
########################################
## <summary>
##	Allow a domain to read and execute
##	hadoop configuration files (hadoop_etc_t).
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing read and execute
##	permission
##	</summary>
## </param>
#
interface(`hadoop_exec_config',`
	gen_require(`
		type hadoop_etc_t;
	')

	# Read access comes from the read interface; execute is added on top.
	hadoop_read_config($1)
	# Review note: content labeled as configuration runs in the caller
	# domain, so any domain able to write hadoop_etc_t influences what
	# the caller executes. Keep write access to this type tight.
	allow $1 hadoop_etc_t:file exec_file_perms;
')
442 | ||
########################################
## <summary>
##	Allow a domain to receive labeled
##	network traffic whose peer is
##	hadoop_jobtracker_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_jobtracker',`
	gen_require(`
		type hadoop_jobtracker_t;
	')

	# Peer label check: only the recv permission is granted.
	allow $1 hadoop_jobtracker_t:peer recv;
')
462 | ||
########################################
## <summary>
##	Allow a domain to polmatch against
##	associations labeled hadoop_lan_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing polmatch
##	permission
##	</summary>
## </param>
#
interface(`hadoop_match_lan_spd',`
	gen_require(`
		type hadoop_lan_t;
	')

	# Only polmatch on the association class is granted; no send or
	# receive permission is part of this interface.
	allow $1 hadoop_lan_t:association polmatch;
')
482 | ||
########################################
## <summary>
##	Allow a domain to receive labeled
##	network traffic whose peer is
##	hadoop_namenode_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_namenode',`
	gen_require(`
		type hadoop_namenode_t;
	')

	# Peer label check: only the recv permission is granted.
	allow $1 hadoop_namenode_t:peer recv;
')
502 | ||
########################################
## <summary>
##	Allow a domain to receive labeled
##	network traffic whose peer is
##	hadoop_secondarynamenode_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_secondarynamenode',`
	gen_require(`
		type hadoop_secondarynamenode_t;
	')

	# Peer label check: only the recv permission is granted.
	allow $1 hadoop_secondarynamenode_t:peer recv;
')
522 | ||
########################################
## <summary>
##	Allow a domain to receive labeled
##	network traffic whose peer is
##	hadoop_tasktracker_t.
## </summary>
## <param name="domain">
##	<summary>
##	Domain needing recvfrom
##	permission
##	</summary>
## </param>
#
interface(`hadoop_recvfrom_tasktracker',`
	gen_require(`
		type hadoop_tasktracker_t;
	')

	# Peer label check: only the recv permission is granted.
	allow $1 hadoop_tasktracker_t:peer recv;
')