Lines 22-57
type bitcoin_var_run_t;
|
22 |
type bitcoin_log_t; |
22 |
type bitcoin_log_t; |
23 |
type bitcoin_tmp_t; |
23 |
type bitcoin_tmp_t; |
24 |
|
24 |
|
25 |
files_type(bitcoin_var_lib_t) |
|
|
26 |
files_type(bitcoin_var_run_t) |
27 |
files_type(bitcoin_log_t) |
28 |
files_type(bitcoin_tmp_t) |
29 |
files_type(bitcoin_etc_t) |
30 |
|
31 |
domain_type(bitcoin_t) |
32 |
init_daemon_domain(bitcoin_t, bitcoin_exec_t) |
25 |
init_daemon_domain(bitcoin_t, bitcoin_exec_t) |
|
|
26 |
files_type(bitcoin_exec_t) |
33 |
init_script_file(bitcoin_initrc_exec_t) |
27 |
init_script_file(bitcoin_initrc_exec_t) |
|
|
28 |
files_type(bitcoin_var_lib_t) |
29 |
files_pid_file(bitcoin_var_run_t) |
34 |
logging_log_file(bitcoin_log_t) |
30 |
logging_log_file(bitcoin_log_t) |
|
|
31 |
files_tmp_file(bitcoin_tmp_t) |
32 |
files_config_file(bitcoin_etc_t) |
33 |
files_read_etc_runtime_files(bitcoin_t) |
34 |
|
35 |
domain_type(bitcoin_t) |
36 |
|
37 |
files_read_etc_runtime_files(bitcoin_t) |
35 |
|
38 |
|
36 |
files_pid_file(bitcoin_var_run_t) |
|
|
37 |
miscfiles_read_localization(bitcoin_t) |
39 |
miscfiles_read_localization(bitcoin_t) |
38 |
fs_getattr_xattr_fs(bitcoin_t) |
40 |
fs_getattr_xattr_fs(bitcoin_t) |
39 |
fs_associate(bitcoin_var_lib_t) |
41 |
fs_associate(bitcoin_var_lib_t) |
40 |
|
42 |
|
41 |
files_tmp_file(bitcoin_tmp_t) |
|
|
42 |
allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; |
43 |
allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; |
43 |
files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file) |
|
|
44 |
|
45 |
|
46 |
allow bitcoin_t self:process signal_perms; |
47 |
allow bitcoin_t bitcoin_var_lib_t:file { read write append create getattr open unlink rename lock }; |
44 |
allow bitcoin_t bitcoin_var_lib_t:file { read write append create getattr open unlink rename lock }; |
|
|
45 |
allow bitcoin_t bitcoin_log_t:file { read write append create getattr open unlink rename lock }; |
48 |
allow bitcoin_t bitcoin_var_lib_t:dir { create write rmdir read open add_name remove_name search getattr }; |
46 |
allow bitcoin_t bitcoin_var_lib_t:dir { create write rmdir read open add_name remove_name search getattr }; |
49 |
allow bitcoin_t bitcoin_etc_t:file read_file_perms; |
47 |
allow bitcoin_t bitcoin_etc_t:file read_file_perms; |
50 |
|
48 |
|
|
|
49 |
allow bitcoin_t self:process signal_perms; |
50 |
|
51 |
|
52 |
allow bitcoin_t bitcoin_log_t:lnk_file read; |
53 |
allow bitcoin_t bitcoin_var_lib_t:file { read create }; |
54 |
|
51 |
read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t); |
55 |
read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t); |
52 |
read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t); |
56 |
read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t); |
53 |
list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t); |
57 |
list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t); |
54 |
|
58 |
|
|
|
59 |
append_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t) |
60 |
create_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t) |
61 |
setattr_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t) |
62 |
manage_sock_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t) |
63 |
logging_log_filetrans(bitcoin_t, bitcoin_log_t, { sock_file file dir }) |
64 |
|
55 |
kernel_read_system_state(bitcoin_t) |
65 |
kernel_read_system_state(bitcoin_t) |
56 |
kernel_read_vm_sysctls(bitcoin_t) |
66 |
kernel_read_vm_sysctls(bitcoin_t) |
57 |
|
67 |
|
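Review bot: As I read the new side, the raw rule `allow bitcoin_t bitcoin_log_t:file { read write append create getattr open unlink rename lock };` (new line 45) grants write, unlink and rename on the daemon's own log type, so a compromised bitcoind could truncate or remove its audit trail, while the `append_files_pattern`/`create_files_pattern`/`setattr_files_pattern` lines added at new 59-61 already express the append-only intent; the raw rule looks like a leftover and should be dropped, or reduced to `read_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)` if reads are really needed. New line 53 `allow bitcoin_t bitcoin_var_lib_t:file { read create };` is a strict subset of new line 44 and is redundant, and `files_read_etc_runtime_files(bitcoin_t)` is invoked twice (new 33 and 37). I would also add a comment above `manage_sock_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)` saying why the daemon needs to create socket files under its log type, since that is unusual for a log directory and the reason is not evident from the hunk. The Lines 61-103 hunk raises the same least-privilege concern more sharply with `manage_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)` and `can_exec(bitcoin_t, bitcoin_etc_t)`, which let the daemon both write and execute files of its configuration type; if the daemon only reads its config, the existing `read_files_pattern`/`read_lnk_files_pattern` lines suffice and those two should be removed or justified in a comment.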
Lines 61-103
domain_use_interactive_fds(bitcoin_t)
|
61 |
files_read_etc_runtime_files(bitcoin_t) |
71 |
files_read_etc_runtime_files(bitcoin_t) |
62 |
files_read_usr_files(bitcoin_t) |
72 |
files_read_usr_files(bitcoin_t) |
63 |
|
73 |
|
|
|
74 |
manage_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) |
75 |
filetrans_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t, file) |
76 |
can_exec(bitcoin_t, bitcoin_etc_t) |
64 |
|
77 |
|
65 |
# networking |
78 |
# networking |
66 |
|
79 |
|
67 |
tunable_policy(`bitcoin_bind_all_unreserved_ports',` |
80 |
# privileges to setup the ports |
68 |
corenet_sendrecv_all_server_packets(bitcoin_t) |
|
|
69 |
corenet_tcp_bind_all_unreserved_ports(bitcoin_t) |
70 |
') |
71 |
|
72 |
|
81 |
|
73 |
allow bitcoin_t bitcoin_port_t:tcp_socket { name_connect name_bind }; |
82 |
allow bitcoin_t bitcoin_port_t:tcp_socket { name_connect name_bind }; |
74 |
allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; |
83 |
allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; |
75 |
allow bitcoin_t self:tcp_socket { connect accept listen }; |
84 |
allow bitcoin_t self:tcp_socket { connect accept listen }; |
76 |
|
85 |
|
77 |
|
86 |
# dns |
78 |
auth_use_nsswitch(bitcoin_t) |
87 |
auth_use_nsswitch(bitcoin_t) |
79 |
|
|
|
80 |
corenet_sendrecv_bitcoin_server_packets(bitcoin_t) |
81 |
corenet_tcp_bind_bitcoin_port(bitcoin_t) |
82 |
corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) |
83 |
corenet_all_recvfrom_unlabeled(bitcoin_t) |
84 |
corenet_all_recvfrom_netlabel(bitcoin_t) |
85 |
corenet_tcp_sendrecv_generic_if(bitcoin_t) |
86 |
corenet_udp_sendrecv_generic_if(bitcoin_t) |
87 |
corenet_tcp_sendrecv_generic_node(bitcoin_t) |
88 |
corenet_udp_sendrecv_generic_node(bitcoin_t) |
89 |
corenet_tcp_bind_generic_node(bitcoin_t) |
90 |
corenet_udp_bind_generic_node(bitcoin_t) |
91 |
|
92 |
corenet_sendrecv_dns_server_packets(bitcoin_t) |
88 |
corenet_sendrecv_dns_server_packets(bitcoin_t) |
93 |
corenet_udp_bind_dns_port(bitcoin_t) |
89 |
corenet_udp_bind_dns_port(bitcoin_t) |
94 |
corenet_udp_sendrecv_dns_port(bitcoin_t) |
90 |
corenet_udp_sendrecv_dns_port(bitcoin_t) |
95 |
|
91 |
|
|
|
92 |
# a boolean for binding to a non-standard high port |
93 |
|
94 |
tunable_policy(`bitcoin_bind_all_unreserved_ports',` |
95 |
corenet_sendrecv_all_server_packets(bitcoin_t) |
96 |
corenet_tcp_bind_all_unreserved_ports(bitcoin_t) |
97 |
') |
98 |
|
99 |
|
100 |
# allow usage of the bitcoin tcp ports (8333 + 8332) |
101 |
|
96 |
corenet_sendrecv_bitcoin_server_packets(bitcoin_t) |
102 |
corenet_sendrecv_bitcoin_server_packets(bitcoin_t) |
97 |
corenet_tcp_bind_bitcoin_port(bitcoin_t) |
103 |
corenet_tcp_bind_bitcoin_port(bitcoin_t) |
98 |
corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) |
104 |
corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) |
99 |
corenet_sendrecv_all_client_packets(bitcoin_t) |
105 |
|
100 |
corenet_tcp_connect_all_ports(bitcoin_t) |
106 |
# allow tcp transit to people's random bitcoin ports |
101 |
corenet_tcp_connect_all_reserved_ports(bitcoin_t) |
107 |
|
102 |
corenet_tcp_sendrecv_all_ports(bitcoin_t) |
108 |
corenet_tcp_sendrecv_all_ports(bitcoin_t) |
103 |
corenet_tcp_sendrecv_all_reserved_ports(bitcoin_t) |
109 |
corenet_tcp_connect_all_ports(bitcoin_t) |
|
|
110 |
|
111 |
# allow the usage of tcp through network interfaces |
112 |
|
113 |
corenet_tcp_sendrecv_generic_if(bitcoin_t) |
114 |
corenet_tcp_bind_generic_node(bitcoin_t) |
115 |
|
116 |
|