diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
index 7acd99e..fb80005 100644
--- a/policy/modules/contrib/bitcoin.fc
+++ b/policy/modules/contrib/bitcoin.fc
@@ -8,3 +8,6 @@
/var/lib/bitcoin/.* gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
/var/lib/bitcoin/\.bitcoin/bitcoin\.conf gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/var/lib/bitcoin/\.bitcoin/debug\.log gen_context(system_u:object_r:bitcoin_log_t,s0)
+/var/lib/bitcoin/\.bitcoin/log(/.*)? gen_context(system_u:object_r:bitcoin_log_t,s0)
+
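Review bot: The two new contexts sit below `/var/lib/bitcoin/.*` (L6), so relabeling with restorecon will pick bitcoin_log_t by longest match, but a debug.log that bitcoin_t itself creates inside the `.bitcoin` directory (a bitcoin_var_lib_t dir) will inherit bitcoin_var_lib_t, because the only transition the commit adds in bitcoin.te, `logging_log_filetrans`, as far as refpolicy defines it only applies to var_log_t parent directories, not to this path. Either keep the log under /var/log, or add a transition from the var_lib directory in bitcoin.te, e.g. `filetrans_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_log_t, file, "debug.log")` plus a dir transition for `log`; the name-based form needs a policy version with named file transitions, so drop the fifth argument if this tree predates that. The same gap applies to the bitcoin.te hunk starting at `type bitcoin_var_run_t`.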
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
index f6fe436..aec4e7c 100644
--- a/policy/modules/contrib/bitcoin.if
+++ b/policy/modules/contrib/bitcoin.if
@@ -14,14 +14,17 @@
interface(`bitcoin_admin',`
gen_require(`
- type bitcoin_t, bitcoin_initrc_exec_t,
- bitcoin_var_run_t, bitcoin_etc_t,
- bitcoin_var_lib_t;
+ type bitcoin_t, bitcoin_initrc_exec_t;
+ type bitcoin_var_run_t, bitcoin_etc_t;
+ type bitcoin_var_lib_t;
')
+ allow $1 bitcoin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitcoin_t)
+
init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
- role_transition $2 bitcoin_initrc_exec_t system_r;
domain_system_change_exemption($1)
+ role_transition $2 bitcoin_initrc_exec_t system_r;
allow $2 system_r;
rw_dirs_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
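Review bot: The admin interface is extended here but still does not cover bitcoin_log_t, the type the rest of this commit wires into the file contexts, so an administrator domain gets no rights to the daemon's log files. Add `type bitcoin_log_t;` to the gen_require block and `admin_pattern($1, bitcoin_log_t)` next to the other file rules. The interface's body continues past this hunk, so I cannot see whether it already includes search access to /var/lib, which is where the .fc places the log directory.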
@@ -34,3 +37,44 @@ interface(`bitcoin_admin',`
write_lnk_files_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
')
+
+#######################################
+##
+## bitcoin configuration file read interface.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+
+interface(`bitcoin_read_conf_files',`
+ gen_require(`
+ type bitcoin_etc_t;
+ ')
+
+ read_files_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
+ read_lnk_files_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
+')
+
+#######################################
+##
+## bitcoin log management
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+
+interface(`bitcoin_manage_log',`
+
+ gen_require(`
+ type bitcoin_log_t;
+ ')
+
+ write_files_pattern($1, bitcoin_log_t, bitcoin_log_t);
+
+')
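Review bot: `bitcoin_manage_log` grants only `write_files_pattern` (L76), which is not management: a rotation needs rename, unlink, create and setattr on bitcoin_log_t, so the logrotate.te caller added in this commit will be denied at the first rotation. Use `manage_files_pattern($1, bitcoin_log_t, bitcoin_log_t)`, and because the .fc places the log under /var/lib/bitcoin/.bitcoin rather than /var/log, the caller also needs search on bitcoin_var_lib_t directories, which would require that type in gen_require. Both new doc blocks describe the parameter as `Domain allowed to transition.`, a copy-paste from a domtrans interface; it should read `Domain allowed access.`, and the headers appear to have lost their summary/param markup, unless that is only the rendering. The stray blank lines inside the `bitcoin_manage_log` body (L71, L77) also differ from how the neighbouring interface is laid out.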
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
index edb8c5f..8893c0b 100644
--- a/policy/modules/contrib/bitcoin.te
+++ b/policy/modules/contrib/bitcoin.te
@@ -22,36 +22,46 @@ type bitcoin_var_run_t;
type bitcoin_log_t;
type bitcoin_tmp_t;
-files_type(bitcoin_var_lib_t)
-files_type(bitcoin_var_run_t)
-files_type(bitcoin_log_t)
-files_type(bitcoin_tmp_t)
-files_type(bitcoin_etc_t)
-
-domain_type(bitcoin_t)
init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+files_type(bitcoin_exec_t)
init_script_file(bitcoin_initrc_exec_t)
+files_type(bitcoin_var_lib_t)
+files_pid_file(bitcoin_var_run_t)
logging_log_file(bitcoin_log_t)
+files_tmp_file(bitcoin_tmp_t)
+files_config_file(bitcoin_etc_t)
+files_read_etc_runtime_files(bitcoin_t)
+
+domain_type(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
-files_pid_file(bitcoin_var_run_t)
miscfiles_read_localization(bitcoin_t)
fs_getattr_xattr_fs(bitcoin_t)
fs_associate(bitcoin_var_lib_t)
-files_tmp_file(bitcoin_tmp_t)
allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
-files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
-
-
-allow bitcoin_t self:process signal_perms;
allow bitcoin_t bitcoin_var_lib_t:file { read write append create getattr open unlink rename lock };
+allow bitcoin_t bitcoin_log_t:file { read write append create getattr open unlink rename lock };
allow bitcoin_t bitcoin_var_lib_t:dir { create write rmdir read open add_name remove_name search getattr };
allow bitcoin_t bitcoin_etc_t:file read_file_perms;
+allow bitcoin_t self:process signal_perms;
+
+
+allow bitcoin_t bitcoin_log_t:lnk_file read;
+allow bitcoin_t bitcoin_var_lib_t:file { read create };
+
read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t);
read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t);
list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t);
+append_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)
+create_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)
+setattr_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)
+manage_sock_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)
+logging_log_filetrans(bitcoin_t, bitcoin_log_t, { sock_file file dir })
+
kernel_read_system_state(bitcoin_t)
kernel_read_vm_sysctls(bitcoin_t)
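Review bot: `files_read_etc_runtime_files(bitcoin_t)` is added twice in this hunk (L101 and L105) while the original call is still present as context in the next hunk (L138), so the new file carries it three times; keep one. Likewise `allow bitcoin_t bitcoin_var_lib_t:file { read create };` (L124) is a subset of L116, and the raw allow on bitcoin_log_t (L117) is largely restated by the `*_files_pattern` calls at L129-L131, so pick the pattern form and drop the raw rules. `manage_sock_files_pattern` and the `sock_file` class in `logging_log_filetrans` (L132-L133) let the daemon create sockets labeled bitcoin_log_t under /var/log; nothing in the .fc shows bitcoin using a socket there, so this is wider than the log access the commit is about and needs either a justifying comment or removal. Finally, `files_tmp_filetrans` is removed (L112) while the raw tmp allow stays (L111), so files bitcoin_t creates in /tmp will no longer be labelled bitcoin_tmp_t and that type becomes unused.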
@@ -61,43 +71,46 @@ domain_use_interactive_fds(bitcoin_t)
files_read_etc_runtime_files(bitcoin_t)
files_read_usr_files(bitcoin_t)
+manage_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+filetrans_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t, file)
+can_exec(bitcoin_t, bitcoin_etc_t)
# networking
-tunable_policy(`bitcoin_bind_all_unreserved_ports',`
- corenet_sendrecv_all_server_packets(bitcoin_t)
- corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
-')
-
+# privileges to setup the ports
allow bitcoin_t bitcoin_port_t:tcp_socket { name_connect name_bind };
allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
allow bitcoin_t self:tcp_socket { connect accept listen };
-
+# dns
auth_use_nsswitch(bitcoin_t)
-
-corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
-corenet_tcp_bind_bitcoin_port(bitcoin_t)
-corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
-corenet_all_recvfrom_unlabeled(bitcoin_t)
-corenet_all_recvfrom_netlabel(bitcoin_t)
-corenet_tcp_sendrecv_generic_if(bitcoin_t)
-corenet_udp_sendrecv_generic_if(bitcoin_t)
-corenet_tcp_sendrecv_generic_node(bitcoin_t)
-corenet_udp_sendrecv_generic_node(bitcoin_t)
-corenet_tcp_bind_generic_node(bitcoin_t)
-corenet_udp_bind_generic_node(bitcoin_t)
-
corenet_sendrecv_dns_server_packets(bitcoin_t)
corenet_udp_bind_dns_port(bitcoin_t)
corenet_udp_sendrecv_dns_port(bitcoin_t)
+# a boolean for binding to a non-standard high port
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+ corenet_sendrecv_all_server_packets(bitcoin_t)
+ corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
+
+
+# allow usage of the bitcoin tcp ports (8333 + 8332)
+
corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
corenet_tcp_bind_bitcoin_port(bitcoin_t)
corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
-corenet_sendrecv_all_client_packets(bitcoin_t)
-corenet_tcp_connect_all_ports(bitcoin_t)
-corenet_tcp_connect_all_reserved_ports(bitcoin_t)
+
+# allow tcp transit to people's random bitcoin ports
+
corenet_tcp_sendrecv_all_ports(bitcoin_t)
-corenet_tcp_sendrecv_all_reserved_ports(bitcoin_t)
+corenet_tcp_connect_all_ports(bitcoin_t)
+
+# allow the usage of tcp through network interfaces
+
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_bind_generic_node(bitcoin_t)
+
+
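Review bot: `manage_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)` and `can_exec(bitcoin_t, bitcoin_etc_t)` (L140, L142) give the daemon write and execute rights on its own configuration type, which the same commit marks with `files_config_file`; the rules at L119 and L127 already grant read, and a domain that can rewrite and execute its config loses most of the benefit of being confined. Unless bitcoin really writes back to bitcoin.conf, drop these together with `filetrans_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t, file)` on L141, which is a no-op because source and target types are identical. The network section removes `corenet_all_recvfrom_unlabeled`, `corenet_all_recvfrom_netlabel` and the generic_node sendrecv calls (L160-L165) without replacement; depending on the refpolicy version these may still be needed for the daemon to receive any packet, so verify peer and RPC traffic before relying on the shorter list. The comment `# allow tcp transit to people's random bitcoin ports` would be clearer as `# peers listen on arbitrary ports, so outbound connects cannot be limited to bitcoin_port_t`.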
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index 62b05af..c1452f8 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -152,6 +152,11 @@ optional_policy(`
')
optional_policy(`
+ bitcoin_manage_log(logrotate_t)
+')
+
+
+optional_policy(`
callweaver_exec(logrotate_t)
callweaver_stream_connect(logrotate_t)
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd2b0e4..3db640a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -528,6 +528,10 @@ ifdef(`distro_gentoo',`
optional_policy(`
dhcpd_setattr_state_files(initrc_t)
')
+
+ optional_policy(`
+ bitcoin_read_conf_files(initrc_t)
+ ')
')
ifdef(`distro_redhat',`
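Review bot: `bitcoin_read_conf_files(initrc_t)` lets every Gentoo init script, not only bitcoin's, read bitcoin_etc_t, and bitcoin.conf typically carries the RPC credentials; the new block has no comment saying why an init script needs the configuration at all. Add a comment above the optional_policy block, e.g. `# the bitcoin init script reads bitcoin.conf for its settings`, or, if the script only needs to list the directory, narrow the grant accordingly. The enclosing `ifdef(`distro_gentoo'` block starts outside the hunk.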