commit 1bbf44c87468f212f09b75d390fca17f52f17e0d
Author: Eric Gisse
Date: Thu Nov 6 16:38:18 2014 -0600

net-p2p/bitcoin policy

diff --git a/policy/booleans.conf b/policy/booleans.conf
index e0e9d40..a578b07 100644
--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -534,6 +534,13 @@ tftp_anon_write = false
 tor_bind_all_unreserved_ports = false
 
 #
+# Allow bitcoind daemon to bind
+# tcp sockets to all unreserved ports.
+#
+bitcoin_bind_all_unreserved_ports = false
+
+
+#
 # Allow varnishd to connect to all ports,
 # not just HTTP.
 #
diff --git a/policy/modules.conf b/policy/modules.conf
index b9b41d9..3092361 100644
--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -357,6 +357,14 @@ bcfg2 = module
 bind = module
 
 # Layer: contrib
+# Module: bitcoin
+#
+# bitcoin service
+
+bitcoin = module
+
+
+# Layer: contrib
 # Module: bitlbee
 #
 # Bitlbee service
diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..0505a39
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,4 @@
+/usr/bin/bitcoind gen_context(system_u:object_r:bitcoin_exec_t,s0)
+/etc/init.d/bitcoind gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..39b2f59
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,15 @@
+## bitcoin
+
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t, bitcoin_initrc_exec_t, bitcoin_var_run_t;
+	')
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	domain_system_change_exemption($1)
+	allow $2 system_r;
+
+
+
+')
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..c22003f
--- /dev/null
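Review bot: The bitcoin.fc entries never assign `bitcoin_log_t` or `bitcoin_var_run_t`, both of which bitcoin.te declares, so no on-disk path receives those labels and the daemon's pid file and log (wherever the init script puts them) will be created under the generic runtime/log types instead; either add `.fc` entries for those paths (placeholders: `/var/run/<pidfile>`, `/var/log/<logfile>`) together with the matching `files_pid_filetrans`/`logging_log_filetrans` rules in bitcoin.te, or drop the two unused types. The `/usr/bin/bitcoind` and `/etc/init.d/bitcoind` entries also carry no `--` file-type field as shown here, so the label applies to any object at that path rather than only a regular file; refpolicy convention is `/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0)`. Labelling the data directory with its own `bitcoin_var_lib_t` is the right call since it holds the wallet, but note that bitcoin.te currently gives that type no `files_type()` attribute, so generic relabel/backup interfaces will not see it.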
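Review bot: `bitcoin_admin` lists `bitcoin_var_run_t` in its gen_require but never references it, and the interface stops at the init-script transition: the admin domain gets no access to `bitcoin_t` processes nor to the `bitcoin_etc_t`/`bitcoin_var_lib_t` files, so a role given this interface can start and stop the daemon but cannot inspect, signal or relabel it. Refpolicy admin interfaces normally also carry `allow $1 bitcoin_t:process { ptrace signal_perms };`, `ps_process_pattern($1, bitcoin_t)` and an `admin_pattern($1, ...)` (with the corresponding `files_search_etc`/`files_search_var_lib`) per file type the module owns; the wallet under `bitcoin_var_lib_t` is the one an operator will most need to back up, so that is the type to require instead of the unused `bitcoin_var_run_t`. The three blank lines before the closing `')` are a style nit.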
+++ b/policy/modules/contrib/bitcoin.te 
@@ -0,0 +1,86 @@
+policy_module(bitcoin,0.1)
+
+# declarations
+
+type bitcoin_t;
+type bitcoin_exec_t;
+type bitcoin_initrc_exec_t;
+type bitcoin_etc_t;
+type bitcoin_var_lib_t;
+type bitcoin_var_run_t;
+type bitcoin_log_t;
+type bitcoin_tmp_t;
+
+domain_type(bitcoin_t)
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+init_script_file(bitcoin_initrc_exec_t)
+logging_log_file(bitcoin_log_t)
+
+files_pid_file(bitcoin_var_run_t)
+miscfiles_read_localization(bitcoin_t)
+fs_getattr_xattr_fs(bitcoin_t)
+fs_associate(bitcoin_var_lib_t)
+
+files_tmp_file(bitcoin_tmp_t)
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+
+allow bitcoin_t bitcoin_var_lib_t:file { read write append create getattr open unlink rename lock };
+allow bitcoin_t bitcoin_var_lib_t:dir { create write rmdir read open add_name remove_name search getattr };
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read;
+allow bitcoin_t bitcoin_etc_t:dir { getattr search open };
+allow bitcoin_t bitcoin_etc_t:file { read getattr open };
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+domain_use_interactive_fds(bitcoin_t)
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+
+## networking
+
+# allow bitcoin to bind to non-standard ports
+
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+	corenet_sendrecv_all_server_packets(bitcoin_t)
+	corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
+
+
+allow bitcoin_t bitcoin_port_t:tcp_socket { name_connect name_bind };
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket { connect accept listen };
+
+
+auth_use_nsswitch(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_udp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+corenet_udp_sendrecv_generic_node(bitcoin_t)
+corenet_tcp_bind_generic_node(bitcoin_t)
+corenet_udp_bind_generic_node(bitcoin_t)
+
+corenet_sendrecv_dns_server_packets(bitcoin_t)
+corenet_udp_bind_dns_port(bitcoin_t)
+corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_sendrecv_all_client_packets(bitcoin_t)
+corenet_tcp_connect_all_ports(bitcoin_t)
+corenet_tcp_connect_all_reserved_ports(bitcoin_t)
+corenet_tcp_sendrecv_all_ports(bitcoin_t)
+corenet_tcp_sendrecv_all_reserved_ports(bitcoin_t)
+
diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if
index 3385d83..ff067c9 100644
--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
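Review bot: `corenet_udp_bind_dns_port(bitcoin_t)` and `corenet_sendrecv_dns_server_packets(bitcoin_t)` in the second half of the hunk let the daemon bind the DNS port and act as a DNS server, which a name-resolving client never needs; `auth_use_nsswitch(bitcoin_t)` already provides client-side resolution, so both lines should go. The raw `allow bitcoin_t bitcoin_port_t:tcp_socket { name_connect name_bind };` names a kernel-layer type without a gen_require (a modular build will presumably reject it) and duplicates the `corenet_tcp_bind_bitcoin_port`/`corenet_tcp_connect_bitcoin_port` interfaces this very commit adds to corenetwork.if, while `corenet_sendrecv_bitcoin_server_packets`, `corenet_tcp_bind_bitcoin_port` and `corenet_tcp_sendrecv_bitcoin_port` are each called twice. `bitcoin_var_lib_t` (the data directory, i.e. the wallet) and `bitcoin_etc_t` are declared without `files_type()` / `files_config_file()`, so they sit outside the `file_type` attribute and generic relabel and backup interfaces will not see them; `fs_associate()` alone is not a substitute. `bitcoin_log_t` and `bitcoin_var_run_t` are declared but no rule grants `bitcoin_t` access or a file transition to them, and `allow bitcoin_t self:tcp_socket { connect accept listen };` omits `create`, `bind`, `read`, `write` and the sockopt permissions, so socket creation will presumably be denied unless some other interface supplies `create_stream_socket_perms`. `## networking` uses the `##` XML-doc marker inside a .te; a plain `# networking` comment is the convention.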
@@ -13350,6 +13350,449 @@ interface(`corenet_relabelto_biff_server_packets',` ######################################## ## +## Send and receive TCP traffic on the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_tcp_sendrecv_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:tcp_socket { send_msg recv_msg }; +') + +######################################## +## +## Send UDP traffic on the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_send_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:udp_socket send_msg; +') + +######################################## +## +## Do not audit attempts to send UDP traffic on the bitcoin port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_send_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + dontaudit $1 bitcoin_port_t:udp_socket send_msg; +') + +######################################## +## +## Receive UDP traffic on the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_receive_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:udp_socket recv_msg; +') + +######################################## +## +## Do not audit attempts to receive UDP traffic on the bitcoin port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_receive_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + dontaudit $1 bitcoin_port_t:udp_socket recv_msg; +') + +######################################## +## +## Send and receive UDP traffic on the bitcoin port. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`corenet_udp_sendrecv_bitcoin_port',` + corenet_udp_send_bitcoin_port($1) + corenet_udp_receive_bitcoin_port($1) +') + +######################################## +## +## Do not audit attempts to send and receive +## UDP traffic on the bitcoin port. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_udp_sendrecv_bitcoin_port',` + corenet_dontaudit_udp_send_bitcoin_port($1) + corenet_dontaudit_udp_receive_bitcoin_port($1) +') + +######################################## +## +## Bind TCP sockets to the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_tcp_bind_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:tcp_socket name_bind; + +') + +######################################## +## +## Bind UDP sockets to the bitcoin port. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_udp_bind_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:udp_socket name_bind; + +') + +######################################## +## +## Make a TCP connection to the bitcoin port. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_tcp_connect_bitcoin_port',` + gen_require(` + type bitcoin_port_t; + ') + + allow $1 bitcoin_port_t:tcp_socket name_connect; +') + + +######################################## +## +## Send bitcoin_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_send_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + allow $1 bitcoin_client_packet_t:packet send; +') + +######################################## +## +## Do not audit attempts to send bitcoin_client packets. +## +## +## +## Domain to not audit. 
+## +## +## +# +interface(`corenet_dontaudit_send_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + dontaudit $1 bitcoin_client_packet_t:packet send; +') + +######################################## +## +## Receive bitcoin_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_receive_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + allow $1 bitcoin_client_packet_t:packet recv; +') + +######################################## +## +## Do not audit attempts to receive bitcoin_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + dontaudit $1 bitcoin_client_packet_t:packet recv; +') + +######################################## +## +## Send and receive bitcoin_client packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_bitcoin_client_packets',` + corenet_send_bitcoin_client_packets($1) + corenet_receive_bitcoin_client_packets($1) +') + +######################################## +## +## Do not audit attempts to send and receive bitcoin_client packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_bitcoin_client_packets',` + corenet_dontaudit_send_bitcoin_client_packets($1) + corenet_dontaudit_receive_bitcoin_client_packets($1) +') + +######################################## +## +## Relabel packets to bitcoin_client the packet type. +## +## +## +## Domain allowed access. +## +## +# +interface(`corenet_relabelto_bitcoin_client_packets',` + gen_require(` + type bitcoin_client_packet_t; + ') + + allow $1 bitcoin_client_packet_t:packet relabelto; +') + + +######################################## +## +## Send bitcoin_server packets. +## +## +## +## Domain allowed access. 
+## +## +## +# +interface(`corenet_send_bitcoin_server_packets',` + gen_require(` + type bitcoin_server_packet_t; + ') + + allow $1 bitcoin_server_packet_t:packet send; +') + +######################################## +## +## Do not audit attempts to send bitcoin_server packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_send_bitcoin_server_packets',` + gen_require(` + type bitcoin_server_packet_t; + ') + + dontaudit $1 bitcoin_server_packet_t:packet send; +') + +######################################## +## +## Receive bitcoin_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_receive_bitcoin_server_packets',` + gen_require(` + type bitcoin_server_packet_t; + ') + + allow $1 bitcoin_server_packet_t:packet recv; +') + +######################################## +## +## Do not audit attempts to receive bitcoin_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_dontaudit_receive_bitcoin_server_packets',` + gen_require(` + type bitcoin_server_packet_t; + ') + + dontaudit $1 bitcoin_server_packet_t:packet recv; +') + +######################################## +## +## Send and receive bitcoin_server packets. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`corenet_sendrecv_bitcoin_server_packets',` + corenet_send_bitcoin_server_packets($1) + corenet_receive_bitcoin_server_packets($1) +') + +######################################## +## +## Do not audit attempts to send and receive bitcoin_server packets. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`corenet_dontaudit_sendrecv_bitcoin_server_packets',` + corenet_dontaudit_send_bitcoin_server_packets($1) + corenet_dontaudit_receive_bitcoin_server_packets($1) +') + +######################################## +## +## Relabel packets to bitcoin_server the packet type. +## +## +## +## Domain allowed access. 
+##
+##
+#
+interface(`corenet_relabelto_bitcoin_server_packets',`
+	gen_require(`
+		type bitcoin_server_packet_t;
+	')
+
+	allow $1 bitcoin_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+##
 ## Send and receive TCP traffic on the certmaster port.
 ##
 ##
diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
index 1bbf3c5..3b5702b 100644
--- a/policy/modules/kernel/corenetwork.te
+++ b/policy/modules/kernel/corenetwork.te
@@ -2,7 +2,7 @@
 # This is a generated file! Instead of modifying this file, the
 # corenetwork.te.in or corenetwork.te.m4 file should be modified.
 #
-policy_module(corenetwork, 1.20.2)
+policy_module(corenetwork, 1.20.3)
 
 ########################################
 #
@@ -256,6 +256,14 @@ type biff_client_packet_t, packet_type, client_packet_type;
 type biff_server_packet_t, packet_type, server_packet_type;
 # no defined portcon
 
+type bitcoin_port_t, port_type, defined_port_type;
+type bitcoin_client_packet_t, packet_type, client_packet_type;
+type bitcoin_server_packet_t, packet_type, server_packet_type;
+typeattribute bitcoin_port_t unreserved_port_type;
+portcon tcp 8332 gen_context(system_u:object_r:bitcoin_port_t,s0)
+portcon tcp 8333 gen_context(system_u:object_r:bitcoin_port_t,s0)
+
+
 type certmaster_port_t, port_type, defined_port_type;
 type certmaster_client_packet_t, packet_type, client_packet_type;
 type certmaster_server_packet_t, packet_type, server_packet_type;
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index a118109..be64af8 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,4 +1,4 @@
-policy_module(corenetwork, 1.20.2)
+policy_module(corenetwork, 1.20.3)
 
 ########################################
 #
@@ -96,6 +96,7 @@ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
 network_port(boinc, tcp,31416,s0)
 network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
 network_port(biff) # no defined portcon
+network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)
 network_port(certmaster, tcp,51235,s0)
 network_port(chronyd, udp,323,s0)
 network_port(clamd, tcp,3310,s0)
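Review bot: `network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)` gives bitcoind's JSON-RPC control port (8332) and its P2P port (8333) the same `bitcoin_port_t`, so policy cannot tell a domain that may drive the node and its wallet over RPC apart from one that may merely peer with it; every domain granted `corenet_tcp_connect_bitcoin_port` gets both. A second entry for the RPC port under its own name (constructed example: `network_port(bitcoin_rpc, tcp,8332,s0)`) would let the two be granted independently, at the cost of one extra `corenet_tcp_bind_*` call in the bitcoin module, which only binds. The header in corenetwork.te says that file is generated from this one (corenetwork.if presumably likewise), so the hand-edited copies in this commit should be regenerated from the `network_port` line rather than maintained in parallel.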