diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
index 0505a39..7acd99e 100644
--- a/policy/modules/contrib/bitcoin.fc
+++ b/policy/modules/contrib/bitcoin.fc
@@ -1,4 +1,10 @@
/usr/bin/bitcoind gen_context(system_u:object_r:bitcoin_exec_t,s0)
-/etc/init.d/bitcoind gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
-/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+/etc/rc\.d/init\.d/bitcoind gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+# not labeling /var/lib/bitcoin itself is a conceit to allow mounting
+# of that directory to have bitcoin located elsewhere, without having
+# to give bitcoin types mount privileges.
+
+/var/lib/bitcoin/.* gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/var/lib/bitcoin/\.bitcoin/bitcoin\.conf gen_context(system_u:object_r:bitcoin_etc_t,s0)
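Review bot: Leaving `/var/lib/bitcoin` itself unlabeled means anything the daemon creates directly under it inherits the parent's type (var_lib_t from the generic `/var/lib(/.*)?` entry) rather than bitcoin_var_lib_t, so on a first start into an empty directory the `.bitcoin` subtree only gets the intended label after a relabel; this hunk adds no type transition to cover that. If bitcoin.te does not already have one, pairing this with `files_var_lib_filetrans(bitcoin_t, bitcoin_var_lib_t, dir)` and `files_search_var_lib(bitcoin_t)` keeps the comment's intent without depending on restorecon. The comment would also be clearer if it named the label the parent is expected to keep, e.g. `# /var/lib/bitcoin keeps the default var_lib_t label so it can be a mount point`.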
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
index 39b2f59..f6fe436 100644
--- a/policy/modules/contrib/bitcoin.if
+++ b/policy/modules/contrib/bitcoin.if
@@ -1,8 +1,22 @@
## bitcoin
+#######################################
+##
+## bitcoin administrative interface
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+
+
interface(`bitcoin_admin',`
gen_require(`
- type bitcoin_t, bitcoin_initrc_exec_t, bitcoin_var_run_t;
+ type bitcoin_t, bitcoin_initrc_exec_t,
+ bitcoin_var_run_t, bitcoin_etc_t,
+ bitcoin_var_lib_t;
')
init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
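Review bot: The new docblock describes only the domain parameter, while the interface takes a second argument (`allow $2 system_r;` in its body, `bitcoin_admin(sysadm_t, sysadm_r)` in sysadm.te), so the role parameter is undocumented; the refpolicy XML tags appear stripped in this rendering, but the missing entry is a second `<param name="role">` whose summary reads `Role allowed access.`. The widened `gen_require` is consistent with the rules added in the next hunk, which reference bitcoin_etc_t and bitcoin_var_lib_t. The body of bitcoin_admin continues past the end of this hunk.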
@@ -10,6 +24,13 @@ interface(`bitcoin_admin',`
domain_system_change_exemption($1)
allow $2 system_r;
+ rw_dirs_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
+ rw_dirs_pattern($1, bitcoin_var_lib_t, bitcoin_var_lib_t);
+
+ write_files_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
+ write_files_pattern($1, bitcoin_var_lib_t, bitcoin_var_lib_t);
+
+ # bitcoin.conf is a symlink
+ write_lnk_files_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
-
')
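Review bot: The added rules grant write but not read: `write_files_pattern` expands to write_file_perms (no read) on bitcoin_etc_t and bitcoin_var_lib_t files, and nothing here lets the admin domain read those files or relabel them, which is what an admin interface normally provides; the refpolicy idiom is `admin_pattern($1, bitcoin_etc_t)` and `admin_pattern($1, bitcoin_var_lib_t)` (manage and relabel on dirs, files and lnk_files), which also makes the separate `write_lnk_files_pattern` line unnecessary. Because bitcoin.fc deliberately leaves `/var/lib/bitcoin` with the default label, the admin domain additionally needs a search path to it, e.g. `files_search_var_lib($1)` alongside `files_search_etc($1)`. The opening of bitcoin_admin is in the previous hunk.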
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
index c22003f..7bab17d 100644
--- a/policy/modules/contrib/bitcoin.te
+++ b/policy/modules/contrib/bitcoin.te
@@ -11,6 +11,12 @@ type bitcoin_var_run_t;
type bitcoin_log_t;
type bitcoin_tmp_t;
+files_type(bitcoin_var_lib_t)
+files_type(bitcoin_var_run_t)
+files_type(bitcoin_log_t)
+files_type(bitcoin_tmp_t)
+files_type(bitcoin_etc_t)
+
domain_type(bitcoin_t)
init_daemon_domain(bitcoin_t, bitcoin_exec_t)
init_script_file(bitcoin_initrc_exec_t)
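Review bot: Declaring all five types with `files_type()` drops the per-purpose attributes refpolicy relies on: pid, log and tmp types are declared with `files_pid_file`, `logging_log_file` and `files_tmp_file`, and the config type with `files_config_file`, which is what lets tmp purging, log management and init pid cleanup interfaces see these types. Only `files_type(bitcoin_var_lib_t)` should stay as written. I cannot see whether such declarations already exist above line 11 of bitcoin.te; if they do, the added lines for those four types are redundant rather than wrong.
```selinux
files_type(bitcoin_var_lib_t)
files_pid_file(bitcoin_var_run_t)
logging_log_file(bitcoin_log_t)
files_tmp_file(bitcoin_tmp_t)
files_config_file(bitcoin_etc_t)
# … unchanged: domain_type / init_daemon_domain / init_script_file …
```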
@@ -26,12 +32,16 @@ allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+allow bitcoin_t self:process signal_perms;
allow bitcoin_t bitcoin_var_lib_t:file { read write append create getattr open unlink rename lock };
allow bitcoin_t bitcoin_var_lib_t:dir { create write rmdir read open add_name remove_name search getattr };
-allow bitcoin_t bitcoin_var_lib_t:lnk_file read;
-allow bitcoin_t bitcoin_etc_t:dir { getattr search open };
-allow bitcoin_t bitcoin_etc_t:file { read getattr open };
+allow bitcoin_t bitcoin_etc_t:file read_file_perms;
+
+read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t);
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t);
+list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t);
+kernel_read_system_state(bitcoin_t)
kernel_read_vm_sysctls(bitcoin_t)
dev_read_sysfs(bitcoin_t)
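Review bot: `allow bitcoin_t bitcoin_etc_t:file read_file_perms;` is fully covered by the `read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)` added two lines below, which expands to exactly that rule plus dir search, so the explicit allow is redundant and can be dropped. The trailing `;` on the three pattern calls is not refpolicy style — interface and pattern macros are written without a terminator, e.g. `read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)`; checkpolicy tolerates the stray semicolon, but the file's other calls (`files_tmp_filetrans`, `kernel_read_vm_sysctls`) omit it.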
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 8f442dc..369f9a2 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -112,6 +112,10 @@ optional_policy(`
')
optional_policy(`
+ bitcoin_admin(sysadm_t, sysadm_r)
+')
+
+optional_policy(`
bootloader_run(sysadm_t, sysadm_r)
')