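--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -534,6 +534,13 @@ tftp_anon_write = false
 tor_bind_all_unreserved_ports = false
 
 #
+# Allow bitcoind daemon to bind
+# tcp sockets to all unreserved ports.
+# 
+bitcoin_bind_all_unreserved_ports = false
+
+
+#
 # Allow varnishd to connect to all ports,
 # not just HTTP.
 # 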
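Review bot: The new entry is followed by two blank lines and then the `#` that opens the varnishd block (new 541–543), while the neighbouring entries in this hunk are separated by a single blank line; dropping one of the blank lines keeps the file uniform. The description also mentions only binding, whereas the matching `tunable_policy` in bitcoin.te additionally grants `corenet_sendrecv_all_server_packets`, so `# tcp sockets to all unreserved ports and exchange the matching server packets.` would state what the boolean really enables.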
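--- a/policy/modules.conf
+++ b/policy/modules.conf
@@ -357,6 +357,14 @@ bcfg2 = module
 bind = module
 
 # Layer: contrib
+# Module: bitcoin
+#
+# bitcoin service
+
+bitcoin = module
+
+
+# Layer: contrib
 # Module: bitlbee
 #
 # Bitlbee service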
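--- a/policy/modules/contrib/bitcoin.fc
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,4 @@
+/usr/bin/bitcoind					gen_context(system_u:object_r:bitcoin_exec_t,s0)
+/etc/init.d/bitcoind					gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+/var/lib/bitcoin(/.*)?					gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+/etc/bitcoin(/.*)?					gen_context(system_u:object_r:bitcoin_etc_t,s0)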
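Review bot: No file context is given for a pid file or a log location, although bitcoin.te in this patch declares `bitcoin_var_run_t` (with `files_pid_file`) and `bitcoin_log_t` (with `logging_log_file`); without an entry here and a matching filetrans rule those types never label anything on disk, and whatever bitcoind writes under /run or /var/log keeps the generic label. If the init script creates a pid file, add a line such as `/run/bitcoind\.pid -- gen_context(system_u:object_r:bitcoin_var_run_t,s0)` (the path is a constructed example — confirm it against the init script), otherwise drop the unused types from the .te. The two executable entries (`/usr/bin/bitcoind`, `/etc/init.d/bitcoind`) also lack the `--` regular-file qualifier that refpolicy .fc files normally carry for executables — worth checking against sibling modules in the tree.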
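--- a/policy/modules/contrib/bitcoin.if
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,15 @@
+## <summary>bitcoin</summary>
+
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t, bitcoin_initrc_exec_t, bitcoin_var_run_t;
+	')
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	domain_system_change_exemption($1)
+	allow $2 system_r;
+
+
+	
+')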
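Review bot: `bitcoin_admin` has no interface documentation: refpolicy's doc generator expects a `## <summary>` block plus `## <param name="domain">` and `## <param name="role">` blocks directly above `interface(`bitcoin_admin',`, and only the module summary on line 1 is present, so the interface ends up undocumented and the XML step is likely to complain. The `gen_require` pulls in `bitcoin_t` and `bitcoin_var_run_t` but the body never uses them — either add the usual admin rules (`ps_process_pattern($1, bitcoin_t)`, and `files_search_pids($1)` with `admin_pattern($1, bitcoin_var_run_t)`) or trim the require list to `bitcoin_initrc_exec_t`. Lines 12–14 (two blank lines and a tab-only line) before the closing `')` look like leftovers and should go.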
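--- a/policy/modules/contrib/bitcoin.te
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,86 @@
+policy_module(bitcoin,0.1)
+
+# declarations
+
+type bitcoin_t;
+type bitcoin_exec_t;
+type bitcoin_initrc_exec_t;
+type bitcoin_etc_t;
+type bitcoin_var_lib_t;
+type bitcoin_var_run_t;
+type bitcoin_log_t;
+type bitcoin_tmp_t;
+
+domain_type(bitcoin_t)
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+init_script_file(bitcoin_initrc_exec_t)
+logging_log_file(bitcoin_log_t)
+
+files_pid_file(bitcoin_var_run_t)
+miscfiles_read_localization(bitcoin_t)
+fs_getattr_xattr_fs(bitcoin_t)
+fs_associate(bitcoin_var_lib_t)
+
+files_tmp_file(bitcoin_tmp_t)
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+
+allow bitcoin_t bitcoin_var_lib_t:file { read write append create getattr open unlink rename lock };
+allow bitcoin_t bitcoin_var_lib_t:dir { create write rmdir read open add_name remove_name search getattr };
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read;
+allow bitcoin_t bitcoin_etc_t:dir { getattr search open };
+allow bitcoin_t bitcoin_etc_t:file { read getattr open };
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+domain_use_interactive_fds(bitcoin_t)
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+
+## networking 
+
+# allow bitcoin to bind to non-standard ports
+
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_sendrecv_all_server_packets(bitcoin_t)
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
+
+
+allow bitcoin_t bitcoin_port_t:tcp_socket { name_connect name_bind };
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket { connect accept listen };
+
+
+auth_use_nsswitch(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_udp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+corenet_udp_sendrecv_generic_node(bitcoin_t)
+corenet_tcp_bind_generic_node(bitcoin_t)
+corenet_udp_bind_generic_node(bitcoin_t)
+
+corenet_sendrecv_dns_server_packets(bitcoin_t)
+corenet_udp_bind_dns_port(bitcoin_t)
+corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_sendrecv_all_client_packets(bitcoin_t)
+corenet_tcp_connect_all_ports(bitcoin_t)
+corenet_tcp_connect_all_reserved_ports(bitcoin_t)
+corenet_tcp_sendrecv_all_ports(bitcoin_t)
+corenet_tcp_sendrecv_all_reserved_ports(bitcoin_t)
+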
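Review bot: Lines 81–85 grant bitcoin_t `corenet_tcp_connect_all_ports`, `corenet_tcp_connect_all_reserved_ports`, `corenet_tcp_sendrecv_all_ports` and `corenet_sendrecv_all_client_packets` unconditionally, which lets the daemon open a TCP connection to any port on any host; the patch already gates the bind side behind `bitcoin_bind_all_unreserved_ports`, so the outbound side deserves the same tunable treatment (and the `_reserved_` variants are redundant once the `all_ports` ones are granted). Lines 62–64 are repeated verbatim at 78–80; line 55 references `bitcoin_port_t` with a raw `allow` instead of `corenet_tcp_connect_bitcoin_port`/`corenet_tcp_bind_bitcoin_port` from the new corenetwork.if (a modular build needs the `gen_require` those interfaces carry); and line 75 binds the DNS server port although `auth_use_nsswitch` on line 60 already covers name resolution as a client. `## networking ` on line 44 is a doc-comment marker rather than a comment (use a single `#`), and `gen_tunable` on line 48 lacks the `## <desc>` block the doc generator expects. The sketch below shows the outbound rules behind a tunable; the boolean name is constructed and would need a matching booleans.conf entry.
```m4
## <desc>
##	<p>
##	Allow bitcoind to make TCP connections to any port,
##	not just the bitcoin port.
##	</p>
## </desc>
gen_tunable(bitcoin_connect_all_ports, false)

tunable_policy(`bitcoin_connect_all_ports',`
	corenet_sendrecv_all_client_packets(bitcoin_t)
	corenet_tcp_connect_all_ports(bitcoin_t)
	corenet_tcp_sendrecv_all_ports(bitcoin_t)
')
# … unchanged: port-specific corenet_*_bitcoin_port rules …
```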
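--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
@@ -13350,6 +13350,449 @@ interface(`corenet_relabelto_biff_server_packets',`
 
 ########################################
 ## <summary>
+##	Send and receive TCP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_tcp_sendrecv_bitcoin_port',`
+	gen_require(`
+		type bitcoin_port_t;
+	')
+
+	allow $1 bitcoin_port_t:tcp_socket { send_msg recv_msg };
+')
+
+########################################
+## <summary>
+##	Send UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_udp_send_bitcoin_port',`
+	gen_require(`
+		type bitcoin_port_t;
+	')
+
+	allow $1 bitcoin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_send_bitcoin_port',`
+	gen_require(`
+		type bitcoin_port_t;
+	')
+
+	dontaudit $1 bitcoin_port_t:udp_socket send_msg;
+')
+
+########################################
+## <summary>
+##	Receive UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_udp_receive_bitcoin_port',`
+	gen_require(`
+		type bitcoin_port_t;
+	')
+
+	allow $1 bitcoin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_receive_bitcoin_port',`
+	gen_require(`
+		type bitcoin_port_t;
+	')
+
+	dontaudit $1 bitcoin_port_t:udp_socket recv_msg;
+')
+
+########################################
+## <summary>
+##	Send and receive UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_udp_sendrecv_bitcoin_port',`
+	corenet_udp_send_bitcoin_port($1)
+	corenet_udp_receive_bitcoin_port($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive
+##	UDP traffic on the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_udp_sendrecv_bitcoin_port',`
+	corenet_dontaudit_udp_send_bitcoin_port($1)
+	corenet_dontaudit_udp_receive_bitcoin_port($1)
+')
+
+########################################
+## <summary>
+##	Bind TCP sockets to the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_tcp_bind_bitcoin_port',`
+	gen_require(`
+		type bitcoin_port_t;
+	')
+
+	allow $1 bitcoin_port_t:tcp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Bind UDP sockets to the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_udp_bind_bitcoin_port',`
+	gen_require(`
+		type bitcoin_port_t;
+	')
+
+	allow $1 bitcoin_port_t:udp_socket name_bind;
+	
+')
+
+########################################
+## <summary>
+##	Make a TCP connection to the bitcoin port.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_connect_bitcoin_port',`
+	gen_require(`
+		type bitcoin_port_t;
+	')
+
+	allow $1 bitcoin_port_t:tcp_socket name_connect;
+')
+
+
+########################################
+## <summary>
+##	Send bitcoin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_bitcoin_client_packets',`
+	gen_require(`
+		type bitcoin_client_packet_t;
+	')
+
+	allow $1 bitcoin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send bitcoin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_bitcoin_client_packets',`
+	gen_require(`
+		type bitcoin_client_packet_t;
+	')
+
+	dontaudit $1 bitcoin_client_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive bitcoin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_bitcoin_client_packets',`
+	gen_require(`
+		type bitcoin_client_packet_t;
+	')
+
+	allow $1 bitcoin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive bitcoin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_bitcoin_client_packets',`
+	gen_require(`
+		type bitcoin_client_packet_t;
+	')
+
+	dontaudit $1 bitcoin_client_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive bitcoin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_bitcoin_client_packets',`
+	corenet_send_bitcoin_client_packets($1)
+	corenet_receive_bitcoin_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive bitcoin_client packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_bitcoin_client_packets',`
+	corenet_dontaudit_send_bitcoin_client_packets($1)
+	corenet_dontaudit_receive_bitcoin_client_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to bitcoin_client the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_bitcoin_client_packets',`
+	gen_require(`
+		type bitcoin_client_packet_t;
+	')
+
+	allow $1 bitcoin_client_packet_t:packet relabelto;
+')
+
+
+########################################
+## <summary>
+##	Send bitcoin_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="write" weight="10"/>
+#
+interface(`corenet_send_bitcoin_server_packets',`
+	gen_require(`
+		type bitcoin_server_packet_t;
+	')
+
+	allow $1 bitcoin_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send bitcoin_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_send_bitcoin_server_packets',`
+	gen_require(`
+		type bitcoin_server_packet_t;
+	')
+
+	dontaudit $1 bitcoin_server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive bitcoin_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`corenet_receive_bitcoin_server_packets',`
+	gen_require(`
+		type bitcoin_server_packet_t;
+	')
+
+	allow $1 bitcoin_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to receive bitcoin_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_receive_bitcoin_server_packets',`
+	gen_require(`
+		type bitcoin_server_packet_t;
+	')
+
+	dontaudit $1 bitcoin_server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive bitcoin_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <infoflow type="both" weight="10"/>
+#
+interface(`corenet_sendrecv_bitcoin_server_packets',`
+	corenet_send_bitcoin_server_packets($1)
+	corenet_receive_bitcoin_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to send and receive bitcoin_server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <infoflow type="none"/>
+#
+interface(`corenet_dontaudit_sendrecv_bitcoin_server_packets',`
+	corenet_dontaudit_send_bitcoin_server_packets($1)
+	corenet_dontaudit_receive_bitcoin_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to bitcoin_server the packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_bitcoin_server_packets',`
+	gen_require(`
+		type bitcoin_server_packet_t;
+	')
+
+	allow $1 bitcoin_server_packet_t:packet relabelto;
+')
+
+
+
+
+########################################
+## <summary>
 ##	Send and receive TCP traffic on the certmaster port.
 ## </summary>
 ## <param name="domain">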
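Review bot: The 443 interface lines added here look hand-written into a generated file — the corenetwork.te hunk in this same patch carries the header `# This is a generated file!  Instead of modifying this file, the corenetwork.te.in or corenetwork.te.m4 file should be modified.`, and corenetwork.if is presumably produced the same way from its .in/.m4 template. Both this hunk and the type/portcon block added to corenetwork.te should therefore come from regenerating the files after the `network_port(bitcoin, …)` line is added to corenetwork.te.in, not from editing the output; the tab-only lines at 13496 and 13516, the four consecutive blank lines at 13790–13793, and the `Domain allowed access.` wording in the dontaudit interfaces at 13601 and 13728 (the other dontaudit interfaces say `Domain to not audit.`) are the kind of drift hand-editing introduces. If the tree really tracks the generated files, regenerate and diff against this hunk before merging.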
(-)a/policy/modules/kernel/corenetwork.te (-1 / +9 lines)
Lines 2-8 Link Here
2
# This is a generated file!  Instead of modifying this file, the
2
# This is a generated file!  Instead of modifying this file, the
3
# corenetwork.te.in or corenetwork.te.m4 file should be modified.
3
# corenetwork.te.in or corenetwork.te.m4 file should be modified.
4
#
4
#
5
policy_module(corenetwork, 1.20.2)
5
policy_module(corenetwork, 1.20.3)
6
6
7
########################################
7
########################################
8
#
8
#
Lines 256-261 type biff_client_packet_t, packet_type, client_packet_type; Link Here
256
type biff_server_packet_t, packet_type, server_packet_type;
256
type biff_server_packet_t, packet_type, server_packet_type;
257
 # no defined portcon
257
 # no defined portcon
258
258
259
type bitcoin_port_t, port_type, defined_port_type;
260
type bitcoin_client_packet_t, packet_type, client_packet_type;
261
type bitcoin_server_packet_t, packet_type, server_packet_type;
262
typeattribute bitcoin_port_t unreserved_port_type;
263
portcon tcp 8332 gen_context(system_u:object_r:bitcoin_port_t,s0)
264
portcon tcp 8333 gen_context(system_u:object_r:bitcoin_port_t,s0)
265
266
259
type certmaster_port_t, port_type, defined_port_type;
267
type certmaster_port_t, port_type, defined_port_type;
260
type certmaster_client_packet_t, packet_type, client_packet_type;
268
type certmaster_client_packet_t, packet_type, client_packet_type;
261
type certmaster_server_packet_t, packet_type, server_packet_type;
269
type certmaster_server_packet_t, packet_type, server_packet_type;
(-)a/policy/modules/kernel/corenetwork.te.in (-1 / +2 lines)
Lines 1-4 Link Here
1
policy_module(corenetwork, 1.20.2)
1
policy_module(corenetwork, 1.20.3)
2
2
3
########################################
3
########################################
4
#
4
#
Lines 96-101 network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0) Link Here
96
network_port(boinc, tcp,31416,s0)
96
network_port(boinc, tcp,31416,s0)
97
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
97
network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
98
network_port(biff) # no defined portcon
98
network_port(biff) # no defined portcon
99
network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)
99
network_port(certmaster, tcp,51235,s0)
100
network_port(certmaster, tcp,51235,s0)
100
network_port(chronyd, udp,323,s0)
101
network_port(chronyd, udp,323,s0)
101
network_port(clamd, tcp,3310,s0)
102
network_port(clamd, tcp,3310,s0)
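Review bot: `network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)` labels both ports with the single type `bitcoin_port_t`, so any domain granted `corenet_tcp_connect_bitcoin_port` in order to reach peers also gets `name_connect` to 8332; if 8332 is the JSON-RPC control listener and 8333 the peer-to-peer port (the upstream defaults — confirm for the Gentoo package), policy can no longer tell a peer-capable client apart from one able to drive the RPC interface. Declaring them separately, e.g. `network_port(bitcoin, tcp,8333,s0)` plus `network_port(bitcoin_rpc, tcp,8332,s0)` (the second name is constructed), keeps that distinction and lets bitcoin.te bind the RPC port on its own type. This note also covers the generated `portcon` lines in the corenetwork.te hunk, which would follow from the same change.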
