Re: [PATCH] refpolicy: hadoop

On 09/09/2010 05:01 PM, Paul Nuzzi wrote:
> Added policy for the hadoop stack to refpolicy.  All major components
> of hadoop have been separated and confined (namenode, datanode,
> jobtracker, tasktracker, secondarynamenode, zookeeper).  Since many of
> the domains use the same executable to transfer into their domain, the
> init scripts were labelled with a custom initrc domain.  From there a
> domain transfer can occur using the same executable.  Since the domains
> share the same directory for logging and data files, type transfers were
> only done on files not directories.  JMX and the rest of hadoop can
> continue to run without a problem.  The policy was tested against
> Cloudera's version of hadoop CDH2 and CDH3.  An unconfined role
> transition was also needed to get hadoop in the correct domain.  Not
> sure if we want to add the zookeeper and namenode ports to refpolicy or
> use semanage.  I added them to refpolicy.
> 
> Signed-off-by: Paul Nuzzi <pjnuzzi@xxxxxxxxxxxxxx>
> 

Was this policy developed on and for the EL5 system? I am wondering why
unconfined_t is in the mix here. Remember that strict and mls policy do
not ship with the unconfined domain, and that in recent refpolicy, the
interaction with the unconfined domain should be optional, so that it
can be de-installed.

I am wondering why it is unconfined_t that is domain transitioning to
the rc script domains and not init. I guess the transition from
unconfined_t to initrc_t is not happening automatically. In that case I
would use the run_init command to domain transition to initrc first and
then let that domain transition to your rc script domain, probably using
the init_script_domain() interface.
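The transition chain suggested in the reply above (an administrator reaches initrc_t through run_init, initrc_t enters a per-component init script domain via init_script_domain(), and that script domain enters the daemon domain through the shared hadoop executable) can be written as the following refpolicy fragment. This is an added illustration, not code from the submitted patch or from the refpolicy hadoop module; the type names hadoop_exec_t, hadoop_namenode_initrc_t, hadoop_namenode_t and their datanode counterparts are assumed here, following refpolicy naming convention. Nothing in it grants unconfined_t anything, so the module stays loadable on strict and mls policies that do not ship the unconfined domain.

```m4
policy_module(hadoop_example, 0.1)

########################################
#
# Declarations (type names assumed for this example)
#

# One launcher binary shared by every hadoop component.
# Because the executable is the same, the source domain of the
# transition, not the file label, must decide which daemon domain
# the process lands in.
type hadoop_exec_t;
corecmd_executable_file(hadoop_exec_t)

# Per-component init script domains. Each init script carries its own
# label, so initrc_t can tell the scripts apart even though they all
# end up executing hadoop_exec_t. init_script_domain() (named in the
# reply) sets up the entry point and the hop from the init side.
type hadoop_namenode_initrc_t;
type hadoop_namenode_initrc_exec_t;
init_script_domain(hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)

type hadoop_datanode_initrc_t;
type hadoop_datanode_initrc_exec_t;
init_script_domain(hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)

# Daemon domains, all entered through the shared launcher.
type hadoop_namenode_t;
domain_type(hadoop_namenode_t)
domain_entry_file(hadoop_namenode_t, hadoop_exec_t)
role system_r types hadoop_namenode_t;

type hadoop_datanode_t;
domain_type(hadoop_datanode_t)
domain_entry_file(hadoop_datanode_t, hadoop_exec_t)
role system_r types hadoop_datanode_t;

########################################
#
# Second hop: script domain -> daemon domain
#

# The same executable leads to a different daemon domain depending on
# which script domain runs it, so no unconfined_t rule is required.
domtrans_pattern(hadoop_namenode_initrc_t, hadoop_exec_t, hadoop_namenode_t)
domtrans_pattern(hadoop_datanode_initrc_t, hadoop_exec_t, hadoop_datanode_t)
```

With this layout, starting a service as `run_init /etc/init.d/<script> start` (script path assumed) produces the chain staff or sysadm domain -> initrc_t -> hadoop_namenode_initrc_t -> hadoop_namenode_t, and the policy no longer depends on the unconfined module being installed.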
