Diffstat (limited to 'policy/modules/contrib/hadoop.if')
-rw-r--r-- | policy/modules/contrib/hadoop.if | 468 |
1 files changed, 0 insertions, 468 deletions
diff --git a/policy/modules/contrib/hadoop.if b/policy/modules/contrib/hadoop.if
deleted file mode 100644
index d17a75fb6..000000000
--- a/policy/modules/contrib/hadoop.if
+++ /dev/null
@@ -1,468 +0,0 @@
-## <summary>Software for reliable, scalable, distributed computing.</summary>
-
-#######################################
-## <summary>
-## The template to define a hadoop domain.
-## </summary>
-## <param name="domain_prefix">
-## <summary>
-## Domain prefix to be used.
-## </summary>
-## </param>
-#
-template(`hadoop_domain_template',`
- gen_require(`
- attribute hadoop_domain, hadoop_initrc_domain, hadoop_init_script_file;
- attribute hadoop_pid_file, hadoop_lock_file, hadoop_log_file;
- attribute hadoop_tmp_file, hadoop_var_lib_file;
- type hadoop_log_t, hadoop_var_lib_t, hadoop_var_run_t;
- type hadoop_exec_t, hadoop_hsperfdata_t;
- ')
-
- ########################################
- #
- # Declarations
- #
-
- type hadoop_$1_t, hadoop_domain;
- domain_type(hadoop_$1_t)
- domain_entry_file(hadoop_$1_t, hadoop_exec_t)
- role system_r types hadoop_$1_t;
-
- type hadoop_$1_initrc_t, hadoop_initrc_domain;
- type hadoop_$1_initrc_exec_t, hadoop_init_script_file;
- init_script_domain(hadoop_$1_initrc_t, hadoop_$1_initrc_exec_t)
- role system_r types hadoop_$1_initrc_t;
-
- type hadoop_$1_initrc_var_run_t, hadoop_pid_file;
- files_pid_file(hadoop_$1_initrc_var_run_t)
-
- type hadoop_$1_lock_t, hadoop_lock_file;
- files_lock_file(hadoop_$1_lock_t)
-
- type hadoop_$1_log_t, hadoop_log_file;
- logging_log_file(hadoop_$1_log_t)
-
- type hadoop_$1_tmp_t, hadoop_tmp_file;
- files_tmp_file(hadoop_$1_tmp_t)
-
- type hadoop_$1_var_lib_t, hadoop_var_lib_file;
- files_type(hadoop_$1_var_lib_t)
-
- ####################################
- #
- # hadoop_domain policy
- #
-
- manage_files_pattern(hadoop_$1_t, hadoop_$1_log_t, hadoop_$1_log_t)
- filetrans_pattern(hadoop_$1_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
-
- manage_dirs_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
- manage_files_pattern(hadoop_$1_t, hadoop_$1_var_lib_t, hadoop_$1_var_lib_t)
- filetrans_pattern(hadoop_$1_t, hadoop_var_lib_t, hadoop_$1_var_lib_t, file)
-
- manage_files_pattern(hadoop_$1_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
- filetrans_pattern(hadoop_$1_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
-
- manage_files_pattern(hadoop_$1_t, hadoop_$1_tmp_t, hadoop_$1_tmp_t)
- filetrans_pattern(hadoop_$1_t, hadoop_hsperfdata_t, hadoop_$1_tmp_t, file)
-
- auth_use_nsswitch(hadoop_$1_t)
-
- ####################################
- #
- # hadoop_initrc_domain policy
- #
-
- allow hadoop_$1_initrc_t hadoop_$1_t:process { signal signull };
-
- domtrans_pattern(hadoop_$1_initrc_t, hadoop_exec_t, hadoop_$1_t)
-
- manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_lock_t, hadoop_$1_lock_t)
- files_lock_filetrans(hadoop_$1_initrc_t, hadoop_$1_lock_t, file)
-
- manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_initrc_var_run_t, hadoop_$1_initrc_var_run_t)
- filetrans_pattern(hadoop_$1_initrc_t, hadoop_var_run_t, hadoop_$1_initrc_var_run_t, file)
-
- manage_files_pattern(hadoop_$1_initrc_t, hadoop_$1_log_t, hadoop_$1_log_t)
- filetrans_pattern(hadoop_$1_initrc_t, hadoop_log_t, hadoop_$1_log_t, { dir file })
-')
-
-########################################
-## <summary>
-## Role access for hadoop.
-## </summary>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`hadoop_role',`
- gen_require(`
- attribute_role hadoop_roles, zookeeper_roles;
- type hadoop_t, zookeeper_t, hadoop_home_t;
- type hadoop_tmp_t, hadoop_hsperfdata_t, zookeeper_tmp_t;
- ')
-
- hadoop_domtrans($2)
- roleattribute $1 hadoop_roles;
-
- hadoop_domtrans_zookeeper_client($2)
- roleattribute $1 zookeeper_roles;
-
- allow $2 { hadoop_t zookeeper_t }:process { ptrace signal_perms };
- ps_process_pattern($2, { hadoop_t zookeeper_t })
-
- allow $2 { hadoop_home_t hadoop_tmp_t hadoop_hsperfdata_t }:dir { manage_dir_perms relabel_dir_perms };
- allow $2 { hadoop_home_t hadoop_tmp_t zookeeper_tmp_t }:file { manage_file_perms relabel_file_perms };
- allow $2 hadoop_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
-')
-
-########################################
-## <summary>
-## Execute hadoop in the
-## hadoop domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`hadoop_domtrans',`
- gen_require(`
- type hadoop_t, hadoop_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, hadoop_exec_t, hadoop_t)
-')
-
-########################################
-## <summary>
-## Receive from hadoop peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom',`
- gen_require(`
- type hadoop_t;
- ')
-
- allow $1 hadoop_t:peer recv;
-')
-
-########################################
-## <summary>
-## Execute zookeeper client in the
-## zookeeper client domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`hadoop_domtrans_zookeeper_client',`
- gen_require(`
- type zookeeper_t, zookeeper_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
-')
-
-########################################
-## <summary>
-## Receive from zookeeper peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_zookeeper_client',`
- gen_require(`
- type zookeeper_t;
- ')
-
- allow $1 zookeeper_t:peer recv;
-')
-
-########################################
-## <summary>
-## Execute zookeeper server in the
-## zookeeper server domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`hadoop_domtrans_zookeeper_server',`
- gen_require(`
- type zookeeper_server_t, zookeeper_server_exec_t;
- ')
-
- corecmd_search_bin($1)
- domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
-')
-
-########################################
-## <summary>
-## Receive from zookeeper server peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_zookeeper_server',`
- gen_require(`
- type zookeeper_server_t;
- ')
-
- allow $1 zookeeper_server_t:peer recv;
-')
-
-########################################
-## <summary>
-## Execute zookeeper server in the
-## zookeeper domain.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`hadoop_initrc_domtrans_zookeeper_server',`
- gen_require(`
- type zookeeper_server_initrc_exec_t;
- ')
-
- init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
-')
-
-########################################
-## <summary>
-## Receive from datanode peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_datanode',`
- gen_require(`
- type hadoop_datanode_t;
- ')
-
- allow $1 hadoop_datanode_t:peer recv;
-')
-
-########################################
-## <summary>
-## Read hadoop configuration files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_read_config',`
- gen_require(`
- type hadoop_etc_t;
- ')
-
- read_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
- read_lnk_files_pattern($1, hadoop_etc_t, hadoop_etc_t)
-')
-
-########################################
-## <summary>
-## Execute hadoop configuration files.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_exec_config',`
- gen_require(`
- type hadoop_etc_t;
- ')
-
- hadoop_read_config($1)
- allow $1 hadoop_etc_t:file exec_file_perms;
-')
-
-########################################
-## <summary>
-## Receive from jobtracker peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_jobtracker',`
- gen_require(`
- type hadoop_jobtracker_t;
- ')
-
- allow $1 hadoop_jobtracker_t:peer recv;
-')
-
-########################################
-## <summary>
-## Match hadoop lan association.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_match_lan_spd',`
- gen_require(`
- type hadoop_lan_t;
- ')
-
- allow $1 hadoop_lan_t:association polmatch;
-')
-
-########################################
-## <summary>
-## Receive from namenode peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_namenode',`
- gen_require(`
- type hadoop_namenode_t;
- ')
-
- allow $1 hadoop_namenode_t:peer recv;
-')
-
-########################################
-## <summary>
-## Receive from secondary namenode peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_secondarynamenode',`
- gen_require(`
- type hadoop_secondarynamenode_t;
- ')
-
- allow $1 hadoop_secondarynamenode_t:peer recv;
-')
-
-########################################
-## <summary>
-## Receive from tasktracker peer.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`hadoop_recvfrom_tasktracker',`
- gen_require(`
- type hadoop_tasktracker_t;
- ')
-
- allow $1 hadoop_tasktracker_t:peer recv;
-')
-
-########################################
-## <summary>
-## All of the rules required to
-## administrate an hadoop environment.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-## <param name="role">
-## <summary>
-## Role allowed access.
-## </summary>
-## </param>
-## <rolecap/>
-#
-interface(`hadoop_admin',`
- gen_require(`
- attribute hadoop_domain;
- attribute hadoop_initrc_domain;
-
- attribute hadoop_init_script_file;
- attribute hadoop_pid_file;
- attribute hadoop_lock_file;
- attribute hadoop_log_file;
- attribute hadoop_tmp_file;
- attribute hadoop_var_lib_file;
-
- type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
- type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
- type zookeeper_server_var_t;
- ')
-
- allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
- ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
-
- init_labeled_script_domtrans($1, hadoop_init_script_file)
- domain_system_change_exemption($1)
- role_transition $2 hadoop_init_script_file system_r;
- allow $2 system_r;
-
- files_search_etc($1)
- admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
-
- logging_search_logs($1)
- admin_pattern($1, hadoop_log_file)
-
- files_search_locks($1)
- admin_pattern($1, hadoop_lock_file)
-
- files_search_pids($1)
- admin_pattern($1, hadoop_pid_file)
-
- files_search_tmp($1)
- admin_pattern($1, { hadoop_tmp_file hadoop_hsperfdata_t })
-
- files_search_var_lib($1)
- admin_pattern($1, { hadoop_var_lib_file zookeeper_server_var_t })
-
- hadoop_role($2, $1)
-') |