Gentoo's Bugzilla – Attachment 389784 Details for
Bug 528516
selinux policy for net-p2p/bitcoind
[patch]
3rd and i think final patch
bitcoin3.patch (text/plain), 7.65 KB, created by
Eric Gisse
on 2014-11-19 18:47:14 UTC
Description:
3rd and i think final patch
Filename:
MIME Type:
Creator:
Eric Gisse
Created:
2014-11-19 18:47:14 UTC
Size:
7.65 KB
>diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
>index 7acd99e..fb80005 100644
>--- a/policy/modules/contrib/bitcoin.fc
>+++ b/policy/modules/contrib/bitcoin.fc
>@@ -8,3 +8,6 @@
> /var/lib/bitcoin/.* gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
> /etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
> /var/lib/bitcoin/\.bitcoin/bitcoin\.conf gen_context(system_u:object_r:bitcoin_etc_t,s0)
>+/var/lib/bitcoin/\.bitcoin/debug\.log gen_context(system_u:object_r:bitcoin_log_t,s0)
>+/var/lib/bitcoin/\.bitcoin/log(/.*)? gen_context(system_u:object_r:bitcoin_log_t,s0)
>+
>diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
>index f6fe436..aec4e7c 100644
>--- a/policy/modules/contrib/bitcoin.if
>+++ b/policy/modules/contrib/bitcoin.if
>@@ -14,14 +14,17 @@
>
> interface(`bitcoin_admin',`
> gen_require(`
>- type bitcoin_t, bitcoin_initrc_exec_t,
>- bitcoin_var_run_t, bitcoin_etc_t,
>- bitcoin_var_lib_t;
>+ type bitcoin_t, bitcoin_initrc_exec_t;
>+ type bitcoin_var_run_t, bitcoin_etc_t;
>+ type bitcoin_var_lib_t;
> ')
>
>+ allow $1 bitcoin_t:process { ptrace signal_perms };
>+ ps_process_pattern($1, bitcoin_t)
>+
> init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
>- role_transition $2 bitcoin_initrc_exec_t system_r;
> domain_system_change_exemption($1)
>+ role_transition $2 bitcoin_initrc_exec_t system_r;
> allow $2 system_r;
>
> rw_dirs_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
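Review bot: The two new bitcoin.fc entries carry no object-class specifier, so the `debug\.log` pattern labels anything at that path as `bitcoin_log_t`, not only a regular file. Pinning the class keeps a directory or symlink created under that name from picking up the log type: `/var/lib/bitcoin/\.bitcoin/debug\.log -- gen_context(system_u:object_r:bitcoin_log_t,s0)`. The trailing blank `+` line at the end of the file can also go.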
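Review bot: The added `allow $1 bitcoin_t:process { ptrace signal_perms };` in `bitcoin_admin` gives every caller of the interface ptrace over the daemon, which means read and write access to its memory; for a wallet daemon that presumably includes key material. Signalling and `ps_process_pattern` are enough to manage the service, so I would narrow the rule to `allow $1 bitcoin_t:process signal_perms;` and leave debugging to a separately granted permission. The interface body continues past the end of this hunk.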
>@@ -34,3 +37,44 @@ interface(`bitcoin_admin',`
> write_lnk_files_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
>
> ')
>+
>+#######################################
>+## <summary>
>+## bitcoin configuration file read interface.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed to transition.
>+## </summary>
>+## </param>
>+#
>+
>+interface(`bitcoin_read_conf_files',`
>+ gen_require(`
>+ type bitcoin_etc_t;
>+ ')
>+
>+ read_files_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
>+ read_lnk_files_pattern($1, bitcoin_etc_t, bitcoin_etc_t);
>+')
>+
>+#######################################
>+## <summary>
>+## bitcoin log management
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed to transition.
>+## </summary>
>+## </param>
>+#
>+
>+interface(`bitcoin_manage_log',`
>+
>+ gen_require(`
>+ type bitcoin_log_t;
>+ ')
>+
>+ write_files_pattern($1, bitcoin_log_t, bitcoin_log_t);
>+
>+')
>diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
>index edb8c5f..8893c0b 100644
>--- a/policy/modules/contrib/bitcoin.te
>+++ b/policy/modules/contrib/bitcoin.te
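Review bot: The `<param>` summary on both new interfaces reads `Domain allowed to transition.`, but neither `bitcoin_read_conf_files` nor `bitcoin_manage_log` performs a transition; `## Domain allowed access.` describes what they grant. `bitcoin_manage_log` is also named for manage access while its body grants only `write_files_pattern($1, bitcoin_log_t, bitcoin_log_t)`, so a reviewer of a calling module will over-estimate what it hands out. Either rename it to say write, or state in the summary that only write access to existing log files is given.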
>@@ -22,36 +22,46 @@ type bitcoin_var_run_t;
> type bitcoin_log_t;
> type bitcoin_tmp_t;
>
>-files_type(bitcoin_var_lib_t)
>-files_type(bitcoin_var_run_t)
>-files_type(bitcoin_log_t)
>-files_type(bitcoin_tmp_t)
>-files_type(bitcoin_etc_t)
>-
>-domain_type(bitcoin_t)
> init_daemon_domain(bitcoin_t, bitcoin_exec_t)
>+files_type(bitcoin_exec_t)
> init_script_file(bitcoin_initrc_exec_t)
>+files_type(bitcoin_var_lib_t)
>+files_pid_file(bitcoin_var_run_t)
> logging_log_file(bitcoin_log_t)
>+files_tmp_file(bitcoin_tmp_t)
>+files_config_file(bitcoin_etc_t)
>+files_read_etc_runtime_files(bitcoin_t)
>+
>+domain_type(bitcoin_t)
>+
>+files_read_etc_runtime_files(bitcoin_t)
>
>-files_pid_file(bitcoin_var_run_t)
> miscfiles_read_localization(bitcoin_t)
> fs_getattr_xattr_fs(bitcoin_t)
> fs_associate(bitcoin_var_lib_t)
>
>-files_tmp_file(bitcoin_tmp_t)
> allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
>-files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
>-
>-
>-allow bitcoin_t self:process signal_perms;
> allow bitcoin_t bitcoin_var_lib_t:file { read write append create getattr open unlink rename lock };
>+allow bitcoin_t bitcoin_log_t:file { read write append create getattr open unlink rename lock };
> allow bitcoin_t bitcoin_var_lib_t:dir { create write rmdir read open add_name remove_name search getattr };
> allow bitcoin_t bitcoin_etc_t:file read_file_perms;
>
>+allow bitcoin_t self:process signal_perms;
>+
>+
>+allow bitcoin_t bitcoin_log_t:lnk_file read;
>+allow bitcoin_t bitcoin_var_lib_t:file { read create };
>+
> read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t);
> read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t);
> list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t);
>
>+append_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)
>+create_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)
>+setattr_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)
>+manage_sock_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)
>+logging_log_filetrans(bitcoin_t, bitcoin_log_t, { sock_file file dir })
>+
> kernel_read_system_state(bitcoin_t)
> kernel_read_vm_sysctls(bitcoin_t)
>
>@@ -61,43 +71,46 @@ domain_use_interactive_fds(bitcoin_t)
> files_read_etc_runtime_files(bitcoin_t)
> files_read_usr_files(bitcoin_t)
>
>+manage_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
>+filetrans_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t, file)
>+can_exec(bitcoin_t, bitcoin_etc_t)
>
> # networking
>
>-tunable_policy(`bitcoin_bind_all_unreserved_ports',`
>- corenet_sendrecv_all_server_packets(bitcoin_t)
>- corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
>-')
>-
>+# privileges to setup the ports
>
> allow bitcoin_t bitcoin_port_t:tcp_socket { name_connect name_bind };
> allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
> allow bitcoin_t self:tcp_socket { connect accept listen };
>
>-
>+# dns
> auth_use_nsswitch(bitcoin_t)
>-
>-corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
>-corenet_tcp_bind_bitcoin_port(bitcoin_t)
>-corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
>-corenet_all_recvfrom_unlabeled(bitcoin_t)
>-corenet_all_recvfrom_netlabel(bitcoin_t)
>-corenet_tcp_sendrecv_generic_if(bitcoin_t)
>-corenet_udp_sendrecv_generic_if(bitcoin_t)
>-corenet_tcp_sendrecv_generic_node(bitcoin_t)
>-corenet_udp_sendrecv_generic_node(bitcoin_t)
>-corenet_tcp_bind_generic_node(bitcoin_t)
>-corenet_udp_bind_generic_node(bitcoin_t)
>-
> corenet_sendrecv_dns_server_packets(bitcoin_t)
> corenet_udp_bind_dns_port(bitcoin_t)
> corenet_udp_sendrecv_dns_port(bitcoin_t)
>
>+# a boolean for binding to a non-standard high port
>+
>+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
>+ corenet_sendrecv_all_server_packets(bitcoin_t)
>+ corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
>+')
>+
>+
>+# allow usage of the bitcoin tcp ports (8333 + 8332)
>+
> corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
> corenet_tcp_bind_bitcoin_port(bitcoin_t)
> corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
>-corenet_sendrecv_all_client_packets(bitcoin_t)
>-corenet_tcp_connect_all_ports(bitcoin_t)
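Review bot: The raw rule `allow bitcoin_t bitcoin_log_t:file { read write append create getattr open unlink rename lock };` in the @@ -22,36 hunk of bitcoin.te lets the daemon overwrite, rename and delete its own logs, which makes the `append_files_pattern` / `create_files_pattern` lines added further down redundant and removes any append-only guarantee for the log after a compromise. If the daemon does not need to truncate `debug.log` itself, drop that allow line and keep the pattern macros; if it does, a comment saying so would explain the wider grant. The same hunk adds `files_read_etc_runtime_files(bitcoin_t)` twice, and it removes `files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)` while keeping the allow rule on `bitcoin_tmp_t`, so temporary files will presumably no longer receive that type.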
>-corenet_tcp_connect_all_reserved_ports(bitcoin_t)
>+
>+# allow tcp transit to people's random bitcoin ports
>+
> corenet_tcp_sendrecv_all_ports(bitcoin_t)
>-corenet_tcp_sendrecv_all_reserved_ports(bitcoin_t)
>+corenet_tcp_connect_all_ports(bitcoin_t)
>+
>+# allow the usage of tcp through network interfaces
>+
>+corenet_tcp_sendrecv_generic_if(bitcoin_t)
>+corenet_tcp_bind_generic_node(bitcoin_t)
>+
>+
>diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
>index 62b05af..c1452f8 100644
>--- a/policy/modules/contrib/logrotate.te
>+++ b/policy/modules/contrib/logrotate.te
>@@ -152,6 +152,11 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ bitcoin_manage_log(logrotate_t)
>+')
>+
>+
>+optional_policy(`
> callweaver_exec(logrotate_t)
> callweaver_stream_connect(logrotate_t)
> ')
>diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>index cd2b0e4..3db640a 100644
>--- a/policy/modules/system/init.te
>+++ b/policy/modules/system/init.te
>@@ -528,6 +528,10 @@ ifdef(`distro_gentoo',`
> optional_policy(`
> dhcpd_setattr_state_files(initrc_t)
> ')
>+
>+ optional_policy(`
>+ bitcoin_read_conf_files(initrc_t)
>+ ')
> ')
>
> ifdef(`distro_redhat',`
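Review bot: The three lines added at the top of the @@ -61,43 hunk of bitcoin.te, `manage_files_pattern`, `filetrans_pattern` and `can_exec(bitcoin_t, bitcoin_etc_t)`, together let the daemon create a file labelled `bitcoin_etc_t` and then execute it. For a domain that also keeps `corenet_tcp_connect_all_ports`, that gives a compromised process a write-then-run path inside its own confinement. Nothing visible in the policy needs configuration to be executable, so I would drop `can_exec(bitcoin_t, bitcoin_etc_t)`. If the daemon really has to rewrite its configuration, keep only the write access it needs and add a comment naming the file, since the earlier `allow bitcoin_t bitcoin_etc_t:file read_file_perms;` suggests read-only was the original intent.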
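Review bot: The call `bitcoin_manage_log(logrotate_t)` may be unnecessary, because bitcoin.te declares `bitcoin_log_t` with `logging_log_file`, and logrotate policies normally already hold manage access to all log-file types through `logging_manage_all_logs`; that call is not visible in this hunk, so please confirm against the tree. If the explicit grant is kept, a one-line comment such as `# bitcoind writes debug.log under /var/lib/bitcoin/.bitcoin` would explain why logrotate needs it. The second blank `+` line before the next `optional_policy` block is stray.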
Attachments on
bug 528516
:
388712
|
389576
|
389784
|
390112
|
390114
|
390116