Chris PeBenito [Thu, 7 Oct 2010 14:57:55 +0000 (10:57 -0400)]
Hadoop cleanup and module version bump.
* a pass cleaning up the style.
* adjusted some regular expressions in the file contexts: .* is the same as (.*)? since * means 0 or more matches.
* renamed a few interfaces
* two rules that I dropped as they require further explanation
> +files_read_all_files(hadoop_t)
A very big privilege.
and
> +fs_associate(hadoop_tasktracker_t)
This is a domain, so the only files with this type should be the /proc/pid ones, which don't require associate permissions.
Dan Walsh [Thu, 7 Oct 2010 13:06:56 +0000 (09:06 -0400)]
dontaudit sandbox sending signals to itself. This can happen when they are running at different mcs.
Disable transition from dbus_session_domain to telepathy for F14
Allow boinc_project to use shm
Allow certmonger to search through directories that contain certs
Allow fail2ban the DAC Override so it can read log files owned by non root users
Paul Nuzzi [Tue, 5 Oct 2010 19:59:29 +0000 (15:59 -0400)]
hadoop 1/10 -- unconfined
On 10/04/2010 02:18 PM, Christopher J. PeBenito wrote:
> On 10/04/10 13:15, Paul Nuzzi wrote:
>> On 10/01/2010 01:56 PM, Christopher J. PeBenito wrote:
>>> On 10/01/10 11:17, Paul Nuzzi wrote:
>>>> On 10/01/2010 08:02 AM, Dominick Grift wrote:
>>>>> On Thu, Sep 30, 2010 at 03:39:40PM -0400, Paul Nuzzi wrote:
>>>>>> I updated the patch based on recommendations from the mailing list.
>>>>>> All of hadoop's services are included in one module instead of
>>>>>> individual ones. Unconfined and sysadm roles are given access to
>>>>>> hadoop and zookeeper client domain transitions. The services are started
>>>>>> using run_init. Let me know what you think.
>>>>>
>>>>> Why do some hadoop domain need to manage generic tmp?
>>>>>
>>>>> files_manage_generic_tmp_dirs(zookeeper_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_initrc_t)
>>>>> files_manage_generic_tmp_files(hadoop_$1_t)
>>>>> files_manage_generic_tmp_dirs(hadoop_$1_t)
>>>>
>>>> This has to be done for Java JMX to work. All of the files are written to
>>>> /tmp/hsperfdata_(hadoop/zookeeper). /tmp/hsperfdata_ is labeled tmp_t while
>>>> all the files for each service are labeled with hadoop_*_tmp_t. The first service
>>>> will end up owning the directory if it is not labeled tmp_t.
>>>
>>> The hsperfdata dir in /tmp certainly the bane of policy writers. Based on a quick look through the policy, it looks like the only dir they create in /tmp is this hsperfdata dir. I suggest you do something like
>>>
>>> files_tmp_filetrans(hadoop_t, hadoop_hsperfdata_t, dir)
>>> files_tmp_filetrans(zookeeper_t, hadoop_hsperfdata_t, dir)
>>>
>>> filetrans_pattern(hadoop_t, hadoop_hsperfdata_t, hadoop_tmp_t, file)
>>> filetrans_pattern(zookeeper_t, hadoop_hsperfdata_t, zookeeper_tmp_t, file)
>>>
>>
>> That looks like a better way to handle the tmp_t problem.
>>
>> I changed the patch with your comments. Hopefully this will be one of the last updates.
>> Tested on a CDH3 cluster as a module without any problems.
>
> There are several little issues with style, but it'll be easier just to fix them when its committed.
>
> Other comments inline.
>
I did my best locking down the ports hadoop uses. Unfortunately the services use high, randomized ports making
tcp_connect_generic_port a must have. Hopefully one day hadoop will settle on static ports. I added hadoop_datanode port 50010 since it is important to lock down that service. I changed the patch based on the rest of the comments.
Signed-off-by: Paul Nuzzi <pjnuzzi@tycho.ncsc.mil>
Dan Walsh [Wed, 6 Oct 2010 13:03:28 +0000 (09:03 -0400)]
Fix fusefs handling
Do not allow sandbox to manage nsplugin_rw_t
Allow mozilla_plugin_t to connecto its parent
Allow init_t to connect to plymouthd running as kernel_t
Dan Walsh [Sun, 3 Oct 2010 11:48:01 +0000 (07:48 -0400)]
Allow unconfined_t to transition to alsa_t to make sure labels stay correct
Lots of fixes for mozilla_plugin nsplugin and mozilla_plugin are starting to merge
telepath_msn_t tries to read /proc/1/exe
Allow smokeping cgi scripts to create /var/lib/smokeping dirs.
Allow smbd_t to getquota on multiple file systems
Dan Walsh [Fri, 1 Oct 2010 15:58:15 +0000 (11:58 -0400)]
Allow sudo to send signals to any domains the user could have transitioned to.
Passwd in single user mode needs to talk to console_device_t
Mozilla_plugin_t needs to connect to web ports, needs to write to video device, and read alsa_home_t alsa setsup pulseaudio
locate tried to read a symbolic link, will dontaudit
New labels for telepathy-sunshine content in homedir
Google is storing other binaries under /opt/google/talkplugin
bluetooth/kernel is creating unlabeled_t socket that I will allow it to use until kernel fixes bug
Add boolean for unconfined_t transition to mozilla_plugin_t and telepathy domains, turned off in F14 on in F15
modemmanger and bluetooth send dbus messages to devicekit_power
Samba needs to getquota on filesystems labeld samba_share_t
Dan Walsh [Tue, 28 Sep 2010 20:24:56 +0000 (16:24 -0400)]
Allow mozilla_plugin to manage all gnome config files
Allow nsplugin_t to read lnk files in nsplugin_rw_t
New labeling for packagekit scripts to bin_t
Allow mount_t to delete etc_t
Allow fsdaemon_t to read usr_t files
Dan Walsh [Mon, 27 Sep 2010 14:21:54 +0000 (10:21 -0400)]
Fixes to allow mozilla_plugin_t to create nsplugin_home_t directory.
Allow mozilla_plugin_t to create tcp/udp/netlink_route sockets
Allow confined users to read xdm_etc_t files
Allow xdm_t to transition to xauth_t for lxdm program
Dan Walsh [Sun, 26 Sep 2010 10:42:14 +0000 (06:42 -0400)]
Rearrange firewallgui policy to be more easily updated to upstream, dontaudit search of /home
Allow clamd to send signals to itself
Allow mozilla_plugin_t to read user home content. And unlink pulseaudio shm.
Dan Walsh [Sat, 25 Sep 2010 10:23:04 +0000 (06:23 -0400)]
Allow firewallgui to sys_rawio which seems to be required to setup masqerading
Allow all domains to search through default_t directories, in order to find differnet labels. For example people serring up /foo/bar to be share via samba.
Add label for /var/log/slim.log
projects / people / stevee / selinux-policy.git / log
