Diffstat (limited to 'policy/modules/contrib/hadoop.if')
-rw-r--r--policy/modules/contrib/hadoop.if468
1 files changed, 0 insertions, 468 deletions
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
deleted file mode 100644
index d17a75fb6..000000000
--- a/policy/modules/contrib/hadoop.if
+++ /dev/null
@@ -1,468 +0,0 @@
-## <summary>Software for reliable, scalable, distributed computing.</summary>
-
-#######################################
-## <summary>
-## The template to define a hadoop domain.
-## </summary>
-## <param name="domain_prefix">
-## <summary>
-## Domain prefix to be used.
-## </summary>
-## </param>
-#
-template(`hadoop_domain_template',`
- gen_require(`
- attribute hadoop_domain, hadoop_initrc_domain, hadoop_init_script_file;
- attribute hadoop_pid_file, hadoop_lock_file, hadoop_log_file;
- attribute hadoop_tmp_file, hadoop_var_lib_file;
- type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
- type hadoop_exec_t, hadoop_hsperfdata_t;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type hadoop_$1_t, hadoop_domain;
- domain_type(hadoop_$1_t)
- domain_entry_file(hadoop_$1_t, hadoop_exec_t)
- role system_r types hadoop_$1_t;
-
- type hadoop_$1_initrc_t, hadoop_initrc_domain;
- type hadoop_$1_initrc_exec_t, hadoop_init_script_file;
- init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
- role system_r types hadoop_$1_initrc_t;
-
- type hadoop_$1_initrc_var_run_t, hadoop_pid_file;
- files_pid_file(hadoop_$1_initrc_var_run_t)
-
- type hadoop_$1_lock_t, hadoop_lock_file;
- files_lock_file(hadoop_$1_lock_t)
-
- type hadoop_$1_log_t, hadoop_log_file;
- logging_log_file(hadoop_$1_log_t)
-
- type hadoop_$1_tmp_t, hadoop_tmp_file;
- files_tmp_file(hadoop_$1_tmp_t)
-
- type hadoop_$1_var_lib_t, hadoop_var_lib_file;
- files_type(hadoop_$1_var_lib_t)
-
- ####################################
- #
- # hadoop_domain policy
- #
-
- manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
- filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
-
- manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
- manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
- filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
-
- manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
- filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
-
- manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
- filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
-
- auth_use_nsswitch(hadoop_$1_t)
-
- ####################################
- #
- # hadoop_initrc_domain policy
- #
-
- allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
-
- domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
-
- manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
- files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
-
- manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
- filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
-
- manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
- filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
-')
-
-########################################
-## <summary>
-## Role access for hadoop.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`hadoop_role',`
- gen_require(`
- attribute_role hadoop_roles, zookeeper_roles;
- type hadoop_t, zookeeper_t, hadoop_home_t;
- type hadoop_tmp_t, hadoop_hsperfdata_t, zookeeper_tmp_t;
- ')
-
- hadoop_domtrans($2)
- roleattribute $1 hadoop_roles;
-
- hadoop_domtrans_zookeeper_client($2)
- roleattribute $1 zookeeper_roles;
-
- allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { hadoop_t zookeeper_t })
-
- allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-')
-
-########################################
-## <summary>
-## Execute hadoop in the
-## hadoop domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`hadoop_domtrans',`
- gen_require(`
- type hadoop_t, hadoop_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, hadoop_exec_t, hadoop_t)
-')
-
-########################################
-## <summary>
-## Receive from hadoop peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom',`
- gen_require(`
- type hadoop_t;
- ')
-
- allow $1 hadoop_t:peer recv;
-')
-
-########################################
-## <summary>
-## Execute zookeeper client in the
-## zookeeper client domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`hadoop_domtrans_zookeeper_client',`
- gen_require(`
- type zookeeper_t, zookeeper_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
-')
-
-########################################
-## <summary>
-## Receive from zookeeper peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_zookeeper_client',`
- gen_require(`
- type zookeeper_t;
- ')
-
- allow $1 zookeeper_t:peer recv;
-')
-
-########################################
-## <summary>
-## Execute zookeeper server in the
-## zookeeper server domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`hadoop_domtrans_zookeeper_server',`
- gen_require(`
- type zookeeper_server_t, zookeeper_server_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
-')
-
-########################################
-## <summary>
-## Receive from zookeeper server peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_zookeeper_server',`
- gen_require(`
- type zookeeper_server_t;
- ')
-
- allow $1 zookeeper_server_t:peer recv;
-')
-
-########################################
-## <summary>
-## Execute zookeeper server in the
-## zookeeper domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`hadoop_initrc_domtrans_zookeeper_server',`
- gen_require(`
- type zookeeper_server_initrc_exec_t;
- ')
-
- init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
-')
-
-########################################
-## <summary>
-## Receive from datanode peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_datanode',`
- gen_require(`
- type hadoop_datanode_t;
- ')
-
- allow $1 hadoop_datanode_t:peer recv;
-')
-
-########################################
-## <summary>
-## Read hadoop configuration files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_read_config',`
- gen_require(`
- type hadoop_etc_t;
- ')
-
- read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
- read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
-')
-
-########################################
-## <summary>
-## Execute hadoop configuration files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_exec_config',`
- gen_require(`
- type hadoop_etc_t;
- ')
-
- hadoop_read_config($1)
- allow $1 hadoop_etc_t:file exec_file_perms;
-')
-
-########################################
-## <summary>
-## Receive from jobtracker peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_jobtracker',`
- gen_require(`
- type hadoop_jobtracker_t;
- ')
-
- allow $1 hadoop_jobtracker_t:peer recv;
-')
-
-########################################
-## <summary>
-## Match hadoop lan association.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_match_lan_spd',`
- gen_require(`
- type hadoop_lan_t;
- ')
-
- allow $1 hadoop_lan_t:association polmatch;
-')
-
-########################################
-## <summary>
-## Receive from namenode peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_namenode',`
- gen_require(`
- type hadoop_namenode_t;
- ')
-
- allow $1 hadoop_namenode_t:peer recv;
-')
-
-########################################
-## <summary>
-## Receive from secondary namenode peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_secondarynamenode',`
- gen_require(`
- type hadoop_secondarynamenode_t;
- ')
-
- allow $1 hadoop_secondarynamenode_t:peer recv;
-')
-
-########################################
-## <summary>
-## Receive from tasktracker peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_tasktracker',`
- gen_require(`
- type hadoop_tasktracker_t;
- ')
-
- allow $1 hadoop_tasktracker_t:peer recv;
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an hadoop environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`hadoop_admin',`
- gen_require(`
- attribute hadoop_domain;
- attribute hadoop_initrc_domain;
-
- attribute hadoop_init_script_file;
- attribute hadoop_pid_file;
- attribute hadoop_lock_file;
- attribute hadoop_log_file;
- attribute hadoop_tmp_file;
- attribute hadoop_var_lib_file;
-
- type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
- type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
- type zookeeper_server_var_t;
- ')
-
- allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
-
- init_labeled_script_domtrans($1, hadoop_init_script_file)
- domain_system_change_exemption($1)
- role_transition $2 hadoop_init_script_file system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
-
- logging_search_logs($1)
- admin_pattern($1, hadoop_log_file)
-
- files_search_locks($1)
- admin_pattern($1, hadoop_lock_file)
-
- files_search_pids($1)
- admin_pattern($1, hadoop_pid_file)
-
- files_search_tmp($1)
- admin_pattern($1, { hadoop_tmp_file hadoop_hsperfdata_t })
-
- files_search_var_lib($1)
- admin_pattern($1, { hadoop_var_lib_file zookeeper_server_var_t })
-
- hadoop_role($2, $1)
-')