Gentoo's Bugzilla – Attachment 388712 Details for
Bug 528516
selinux policy for net-p2p/bitcoind
[patch]
bitcoin selinux policy
bitcoin.patch (text/plain), 16.82 KB, created by
Eric Gisse
on 2014-11-06 23:07:43 UTC
Description:
bitcoin selinux policy
Filename:
MIME Type:
Creator:
Eric Gisse
Created:
2014-11-06 23:07:43 UTC
Size:
16.82 KB
patch
obsolete
>commit 1bbf44c87468f212f09b75d390fca17f52f17e0d
>Author: Eric Gisse <eric.gisse@gmail.com>
>Date: Thu Nov 6 16:38:18 2014 -0600
>
> net-p2p/bitcoin policy
>
>diff --git a/policy/booleans.conf b/policy/booleans.conf
>index e0e9d40..a578b07 100644
>--- a/policy/booleans.conf
>+++ b/policy/booleans.conf
>@@ -534,6 +534,13 @@ tftp_anon_write = false
> tor_bind_all_unreserved_ports = false
>
> #
>+# Allow bitcoind daemon to bind
>+# tcp sockets to all unreserved ports.
>+#
>+bitcoin_bind_all_unreserved_ports = false
>+
>+
>+#
> # Allow varnishd to connect to all ports,
> # not just HTTP.
> #
>diff --git a/policy/modules.conf b/policy/modules.conf
>index b9b41d9..3092361 100644
>--- a/policy/modules.conf
>+++ b/policy/modules.conf
>@@ -357,6 +357,14 @@ bcfg2 = module
> bind = module
>
> # Layer: contrib
>+# Module: bitcoin
>+#
>+# bitcoin service
>+
>+bitcoin = module
>+
>+
>+# Layer: contrib
> # Module: bitlbee
> #
> # Bitlbee service
>diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
>new file mode 100644
>index 0000000..0505a39
>--- /dev/null
>+++ b/policy/modules/contrib/bitcoin.fc
>@@ -0,0 +1,4 @@
>+/usr/bin/bitcoind gen_context(system_u:object_r:bitcoin_exec_t,s0)
>+/etc/init.d/bitcoind gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
>+/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
>+/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
>diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
>new file mode 100644
>index 0000000..39b2f59
>--- /dev/null
>+++ b/policy/modules/contrib/bitcoin.if
>@@ -0,0 +1,15 @@
>+## <summary>bitcoin</summary>
>+
>+interface(`bitcoin_admin',`
>+ gen_require(`
>+ type bitcoin_t, bitcoin_initrc_exec_t, bitcoin_var_run_t;
>+ ')
>+
>+ init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
>+ role_transition $2 bitcoin_initrc_exec_t system_r;
>+ domain_system_change_exemption($1)
>+ allow $2 system_r;
>+
>+
>+
>+')
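Review bot: bitcoin.fc labels no pid or log path although bitcoin.te declares `bitcoin_var_run_t` (files_pid_file) and `bitcoin_log_t` (logging_log_file) and `bitcoin_admin` requires bitcoin_var_run_t, so if the daemon or its init script writes anything under /var/run or /var/log it will get the generic type and bitcoin_t has no rule reaching it; either add the matching entry for whatever path the init script actually uses (it is not in this patch), e.g. `/var/run/bitcoind(/.*)? gen_context(system_u:object_r:bitcoin_var_run_t,s0)`, or drop the unused types. The two executable entries also lack the `--` regular-file qualifier refpolicy uses for binaries and init scripts: `/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0)` and likewise for /etc/init.d/bitcoind. Giving /etc/bitcoin its own `bitcoin_etc_t` rather than generic etc_t is the right call, since bitcoin.conf there typically carries the RPC credentials.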
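Review bot: `bitcoin_admin` requires `bitcoin_var_run_t` in its gen_require but grants nothing on it, and the interface has no `<summary>` or `<param>` documentation for `$1` and `$2` — the `## <summary>bitcoin</summary>` line above it is the module summary, not the interface's — which refpolicy's interface documentation tooling expects. Suggested header: `## <summary>All of the rules required to administrate a bitcoin environment.</summary>` followed by a `<param name="domain">` block summarised as "Domain allowed access." and a `<param name="role">` block summarised as "Role allowed access.". As written the admin domain can only start and stop the service; refpolicy admin interfaces conventionally also grant `ps_process_pattern($1, bitcoin_t)` and `admin_pattern($1, ...)` over the etc/var_lib/var_run types so the admin role can inspect and relabel the data it is meant to manage, which would also give the required bitcoin_var_run_t a use.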
>diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
>new file mode 100644
>index 0000000..c22003f
>--- /dev/null
>+++ b/policy/modules/contrib/bitcoin.te
>@@ -0,0 +1,86 @@
>+policy_module(bitcoin,0.1)
>+
>+# declarations
>+
>+type bitcoin_t;
>+type bitcoin_exec_t;
>+type bitcoin_initrc_exec_t;
>+type bitcoin_etc_t;
>+type bitcoin_var_lib_t;
>+type bitcoin_var_run_t;
>+type bitcoin_log_t;
>+type bitcoin_tmp_t;
>+
>+domain_type(bitcoin_t)
>+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
>+init_script_file(bitcoin_initrc_exec_t)
>+logging_log_file(bitcoin_log_t)
>+
>+files_pid_file(bitcoin_var_run_t)
>+miscfiles_read_localization(bitcoin_t)
>+fs_getattr_xattr_fs(bitcoin_t)
>+fs_associate(bitcoin_var_lib_t)
>+
>+files_tmp_file(bitcoin_tmp_t)
>+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
>+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
>+
>+
>+allow bitcoin_t bitcoin_var_lib_t:file { read write append create getattr open unlink rename lock };
>+allow bitcoin_t bitcoin_var_lib_t:dir { create write rmdir read open add_name remove_name search getattr };
>+allow bitcoin_t bitcoin_var_lib_t:lnk_file read;
>+allow bitcoin_t bitcoin_etc_t:dir { getattr search open };
>+allow bitcoin_t bitcoin_etc_t:file { read getattr open };
>+
>+kernel_read_vm_sysctls(bitcoin_t)
>+
>+dev_read_sysfs(bitcoin_t)
>+dev_read_urand(bitcoin_t)
>+domain_use_interactive_fds(bitcoin_t)
>+files_read_etc_runtime_files(bitcoin_t)
>+files_read_usr_files(bitcoin_t)
>+
>+
>+## networking
>+
>+# allow bitcoin to bind to non-standard ports
>+
>+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
>+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
>+ corenet_sendrecv_all_server_packets(bitcoin_t)
>+ corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
>+')
>+
>+
>+allow bitcoin_t bitcoin_port_t:tcp_socket { name_connect name_bind };
>+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
>+allow bitcoin_t self:tcp_socket { connect accept listen };
>+
>+
>+auth_use_nsswitch(bitcoin_t)
>+
>+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
>+corenet_tcp_bind_bitcoin_port(bitcoin_t)
>+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
>+corenet_all_recvfrom_unlabeled(bitcoin_t)
>+corenet_all_recvfrom_netlabel(bitcoin_t)
>+corenet_tcp_sendrecv_generic_if(bitcoin_t)
>+corenet_udp_sendrecv_generic_if(bitcoin_t)
>+corenet_tcp_sendrecv_generic_node(bitcoin_t)
>+corenet_udp_sendrecv_generic_node(bitcoin_t)
>+corenet_tcp_bind_generic_node(bitcoin_t)
>+corenet_udp_bind_generic_node(bitcoin_t)
>+
>+corenet_sendrecv_dns_server_packets(bitcoin_t)
>+corenet_udp_bind_dns_port(bitcoin_t)
>+corenet_udp_sendrecv_dns_port(bitcoin_t)
>+
>+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
>+corenet_tcp_bind_bitcoin_port(bitcoin_t)
>+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
>+corenet_sendrecv_all_client_packets(bitcoin_t)
>+corenet_tcp_connect_all_ports(bitcoin_t)
>+corenet_tcp_connect_all_reserved_ports(bitcoin_t)
>+corenet_tcp_sendrecv_all_ports(bitcoin_t)
>+corenet_tcp_sendrecv_all_reserved_ports(bitcoin_t)
>+
>diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if
>index 3385d83..ff067c9 100644
>--- a/policy/modules/kernel/corenetwork.if
>+++ b/policy/modules/kernel/corenetwork.if
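Review bot: `allow bitcoin_t self:tcp_socket { connect accept listen };` is the only self-socket rule in this hunk, so nothing visible grants bitcoin_t `create`, `bind`, `read` or `write` on its own TCP sockets (and there is no self:udp_socket rule at all although UDP node binding is granted); unless that comes from outside this patch the daemon cannot open its listening socket in enforcing mode, and the refpolicy form is `allow bitcoin_t self:tcp_socket create_stream_socket_perms;` plus `allow bitcoin_t self:udp_socket create_socket_perms;`. On the over-grant side, `corenet_udp_bind_dns_port(bitcoin_t)` together with `corenet_sendrecv_dns_server_packets` lets the daemon bind port 53 as a DNS server, which a resolver client does not need (auth_use_nsswitch already covers lookups). `corenet_tcp_connect_all_ports(bitcoin_t)` is unconditional, so the `bitcoin_bind_all_unreserved_ports` tunable restricts inbound binds only while outbound connects to every port are always allowed; peers do advertise arbitrary ports, but that deserves its own tunable or at least a comment saying it is intended. The bare `allow bitcoin_t bitcoin_port_t:tcp_socket { name_connect name_bind };` reaches into a corenetwork type from a contrib module without a gen_require and duplicates `corenet_tcp_bind_bitcoin_port`, which together with the two bitcoin sendrecv calls is itself listed twice in the hunk. Finally `bitcoin_var_run_t` and `bitcoin_log_t` are declared but have no allow or filetrans rules, and `bitcoin_etc_t`/`bitcoin_var_lib_t` never get `files_config_file`/`files_type`, which the `fs_associate(bitcoin_var_lib_t)` workaround suggests was noticed at runtime.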
>@@ -13350,6 +13350,449 @@ interface(`corenet_relabelto_biff_server_packets',`
>
> ########################################
> ## <summary>
>+## Send and receive TCP traffic on the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="both" weight="10"/>
>+#
>+interface(`corenet_tcp_sendrecv_bitcoin_port',`
>+ gen_require(`
>+ type bitcoin_port_t;
>+ ')
>+
>+ allow $1 bitcoin_port_t:tcp_socket { send_msg recv_msg };
>+')
>+
>+########################################
>+## <summary>
>+## Send UDP traffic on the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="write" weight="10"/>
>+#
>+interface(`corenet_udp_send_bitcoin_port',`
>+ gen_require(`
>+ type bitcoin_port_t;
>+ ')
>+
>+ allow $1 bitcoin_port_t:udp_socket send_msg;
>+')
>+
>+########################################
>+## <summary>
>+## Do not audit attempts to send UDP traffic on the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_dontaudit_udp_send_bitcoin_port',`
>+ gen_require(`
>+ type bitcoin_port_t;
>+ ')
>+
>+ dontaudit $1 bitcoin_port_t:udp_socket send_msg;
>+')
>+
>+########################################
>+## <summary>
>+## Receive UDP traffic on the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="read" weight="10"/>
>+#
>+interface(`corenet_udp_receive_bitcoin_port',`
>+ gen_require(`
>+ type bitcoin_port_t;
>+ ')
>+
>+ allow $1 bitcoin_port_t:udp_socket recv_msg;
>+')
>+
>+########################################
>+## <summary>
>+## Do not audit attempts to receive UDP traffic on the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_dontaudit_udp_receive_bitcoin_port',`
>+ gen_require(`
>+ type bitcoin_port_t;
>+ ')
>+
>+ dontaudit $1 bitcoin_port_t:udp_socket recv_msg;
>+')
>+
>+########################################
>+## <summary>
>+## Send and receive UDP traffic on the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="both" weight="10"/>
>+#
>+interface(`corenet_udp_sendrecv_bitcoin_port',`
>+ corenet_udp_send_bitcoin_port($1)
>+ corenet_udp_receive_bitcoin_port($1)
>+')
>+
>+########################################
>+## <summary>
>+## Do not audit attempts to send and receive
>+## UDP traffic on the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_dontaudit_udp_sendrecv_bitcoin_port',`
>+ corenet_dontaudit_udp_send_bitcoin_port($1)
>+ corenet_dontaudit_udp_receive_bitcoin_port($1)
>+')
>+
>+########################################
>+## <summary>
>+## Bind TCP sockets to the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_tcp_bind_bitcoin_port',`
>+ gen_require(`
>+ type bitcoin_port_t;
>+ ')
>+
>+ allow $1 bitcoin_port_t:tcp_socket name_bind;
>+
>+')
>+
>+########################################
>+## <summary>
>+## Bind UDP sockets to the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_udp_bind_bitcoin_port',`
>+ gen_require(`
>+ type bitcoin_port_t;
>+ ')
>+
>+ allow $1 bitcoin_port_t:udp_socket name_bind;
>+
>+')
>+
>+########################################
>+## <summary>
>+## Make a TCP connection to the bitcoin port.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`corenet_tcp_connect_bitcoin_port',`
>+ gen_require(`
>+ type bitcoin_port_t;
>+ ')
>+
>+ allow $1 bitcoin_port_t:tcp_socket name_connect;
>+')
>+
>+
>+########################################
>+## <summary>
>+## Send bitcoin_client packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="write" weight="10"/>
>+#
>+interface(`corenet_send_bitcoin_client_packets',`
>+ gen_require(`
>+ type bitcoin_client_packet_t;
>+ ')
>+
>+ allow $1 bitcoin_client_packet_t:packet send;
>+')
>+
>+########################################
>+## <summary>
>+## Do not audit attempts to send bitcoin_client packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_dontaudit_send_bitcoin_client_packets',`
>+ gen_require(`
>+ type bitcoin_client_packet_t;
>+ ')
>+
>+ dontaudit $1 bitcoin_client_packet_t:packet send;
>+')
>+
>+########################################
>+## <summary>
>+## Receive bitcoin_client packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="read" weight="10"/>
>+#
>+interface(`corenet_receive_bitcoin_client_packets',`
>+ gen_require(`
>+ type bitcoin_client_packet_t;
>+ ')
>+
>+ allow $1 bitcoin_client_packet_t:packet recv;
>+')
>+
>+########################################
>+## <summary>
>+## Do not audit attempts to receive bitcoin_client packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_dontaudit_receive_bitcoin_client_packets',`
>+ gen_require(`
>+ type bitcoin_client_packet_t;
>+ ')
>+
>+ dontaudit $1 bitcoin_client_packet_t:packet recv;
>+')
>+
>+########################################
>+## <summary>
>+## Send and receive bitcoin_client packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="both" weight="10"/>
>+#
>+interface(`corenet_sendrecv_bitcoin_client_packets',`
>+ corenet_send_bitcoin_client_packets($1)
>+ corenet_receive_bitcoin_client_packets($1)
>+')
>+
>+########################################
>+## <summary>
>+## Do not audit attempts to send and receive bitcoin_client packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_dontaudit_sendrecv_bitcoin_client_packets',`
>+ corenet_dontaudit_send_bitcoin_client_packets($1)
>+ corenet_dontaudit_receive_bitcoin_client_packets($1)
>+')
>+
>+########################################
>+## <summary>
>+## Relabel packets to bitcoin_client the packet type.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`corenet_relabelto_bitcoin_client_packets',`
>+ gen_require(`
>+ type bitcoin_client_packet_t;
>+ ')
>+
>+ allow $1 bitcoin_client_packet_t:packet relabelto;
>+')
>+
>+
>+########################################
>+## <summary>
>+## Send bitcoin_server packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="write" weight="10"/>
>+#
>+interface(`corenet_send_bitcoin_server_packets',`
>+ gen_require(`
>+ type bitcoin_server_packet_t;
>+ ')
>+
>+ allow $1 bitcoin_server_packet_t:packet send;
>+')
>+
>+########################################
>+## <summary>
>+## Do not audit attempts to send bitcoin_server packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_dontaudit_send_bitcoin_server_packets',`
>+ gen_require(`
>+ type bitcoin_server_packet_t;
>+ ')
>+
>+ dontaudit $1 bitcoin_server_packet_t:packet send;
>+')
>+
>+########################################
>+## <summary>
>+## Receive bitcoin_server packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="read" weight="10"/>
>+#
>+interface(`corenet_receive_bitcoin_server_packets',`
>+ gen_require(`
>+ type bitcoin_server_packet_t;
>+ ')
>+
>+ allow $1 bitcoin_server_packet_t:packet recv;
>+')
>+
>+########################################
>+## <summary>
>+## Do not audit attempts to receive bitcoin_server packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_dontaudit_receive_bitcoin_server_packets',`
>+ gen_require(`
>+ type bitcoin_server_packet_t;
>+ ')
>+
>+ dontaudit $1 bitcoin_server_packet_t:packet recv;
>+')
>+
>+########################################
>+## <summary>
>+## Send and receive bitcoin_server packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+## <infoflow type="both" weight="10"/>
>+#
>+interface(`corenet_sendrecv_bitcoin_server_packets',`
>+ corenet_send_bitcoin_server_packets($1)
>+ corenet_receive_bitcoin_server_packets($1)
>+')
>+
>+########################################
>+## <summary>
>+## Do not audit attempts to send and receive bitcoin_server packets.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit.
>+## </summary>
>+## </param>
>+## <infoflow type="none"/>
>+#
>+interface(`corenet_dontaudit_sendrecv_bitcoin_server_packets',`
>+ corenet_dontaudit_send_bitcoin_server_packets($1)
>+ corenet_dontaudit_receive_bitcoin_server_packets($1)
>+')
>+
>+########################################
>+## <summary>
>+## Relabel packets to bitcoin_server the packet type.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`corenet_relabelto_bitcoin_server_packets',`
>+ gen_require(`
>+ type bitcoin_server_packet_t;
>+ ')
>+
>+ allow $1 bitcoin_server_packet_t:packet relabelto;
>+')
>+
>+
>+
>+
>+########################################
>+## <summary>
> ## Send and receive TCP traffic on the certmaster port.
> ## </summary>
> ## <param name="domain">
>diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
>index 1bbf3c5..3b5702b 100644
>--- a/policy/modules/kernel/corenetwork.te
>+++ b/policy/modules/kernel/corenetwork.te
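Review bot: These 440-odd interface lines are hand-added to corenetwork.if, yet the corenetwork.te hunk below opens with a header saying that file is generated from corenetwork.te.in/.m4 and the patch does update the .in; if corenetwork.if is produced the same way from the `network_port(bitcoin, ...)` entry (upstream refpolicy drives it from corenetwork.if.in/.m4), this hunk will be overwritten at build time and should be replaced by the generated output — please confirm against the tree. If it is meant to stay, two inconsistencies against the surrounding template are visible: `corenet_tcp_connect_bitcoin_port` lacks the `<infoflow>` tag every other interface here carries, and both `corenet_dontaudit_receive_bitcoin_*_packets` interfaces document their parameter as `Domain allowed access.` where the sibling dontaudit interfaces say `Domain to not audit.`. The usual `corenet_dontaudit_tcp_bind_bitcoin_port` and `corenet_dontaudit_tcp_connect_bitcoin_port` counterparts also appear to be absent, another sign the set was transcribed by hand rather than generated.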
>@@ -2,7 +2,7 @@
> # This is a generated file! Instead of modifying this file, the
> # corenetwork.te.in or corenetwork.te.m4 file should be modified.
> #
>-policy_module(corenetwork, 1.20.2)
>+policy_module(corenetwork, 1.20.3)
>
> ########################################
> #
>@@ -256,6 +256,14 @@ type biff_client_packet_t, packet_type, client_packet_type;
> type biff_server_packet_t, packet_type, server_packet_type;
> # no defined portcon
>
>+type bitcoin_port_t, port_type, defined_port_type;
>+type bitcoin_client_packet_t, packet_type, client_packet_type;
>+type bitcoin_server_packet_t, packet_type, server_packet_type;
>+typeattribute bitcoin_port_t unreserved_port_type;
>+portcon tcp 8332 gen_context(system_u:object_r:bitcoin_port_t,s0)
>+portcon tcp 8333 gen_context(system_u:object_r:bitcoin_port_t,s0)
>+
>+
> type certmaster_port_t, port_type, defined_port_type;
> type certmaster_client_packet_t, packet_type, client_packet_type;
> type certmaster_server_packet_t, packet_type, server_packet_type;
>diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
>index a118109..be64af8 100644
>--- a/policy/modules/kernel/corenetwork.te.in
>+++ b/policy/modules/kernel/corenetwork.te.in
>@@ -1,4 +1,4 @@
>-policy_module(corenetwork, 1.20.2)
>+policy_module(corenetwork, 1.20.3)
>
> ########################################
> #
>@@ -96,6 +96,7 @@ network_port(bgp, tcp,179,s0, udp,179,s0, tcp,2605,s0, udp,2605,s0)
> network_port(boinc, tcp,31416,s0)
> network_port(boinc_client, tcp,1043,s0, udp,1034,s0)
> network_port(biff) # no defined portcon
>+network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)
> network_port(certmaster, tcp,51235,s0)
> network_port(chronyd, udp,323,s0)
> network_port(clamd, tcp,3310,s0)
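Review bot: `network_port(bitcoin, tcp,8332,s0, tcp,8333,s0)` folds two very different services into one `bitcoin_port_t`: 8333 is bitcoind's peer-to-peer port, while 8332 is its JSON-RPC control port, which exposes wallet and node administration behind the rpcuser/rpcpassword in bitcoin.conf. With a single type, any domain given `corenet_tcp_connect_bitcoin_port` so it can reach the P2P network is equally allowed to reach the RPC interface, and bitcoin_t's own `name_bind`/`name_connect` cannot be scoped to one of the two. Consider declaring them separately, e.g. `network_port(bitcoin, tcp,8333,s0)` and `network_port(bitcoin_rpc, tcp,8332,s0)`, so an RPC-client policy can be written without P2P reach and vice versa; the generated corenetwork.te hunk above would then follow from regenerating rather than hand-editing. The 8332/8333 roles are bitcoind defaults rather than something this patch states, so verify them against the ebuild's shipped configuration.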