
Bug 528516

Summary: selinux policy for net-p2p/bitcoind
Product: Gentoo Linux
Reporter: Eric Gisse <jowr.pi>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: RESOLVED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=553868
Whiteboard: sec-policy r2
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 529896    
Attachments: bitcoin selinux policy
more work
3rd and i think final patch
bitcoin.fc
bitcoin.if
bitcoin.te

Description Eric Gisse 2014-11-06 23:07:43 UTC
Created attachment 388712 [details, diff]
bitcoin selinux policy

I'm running a few things as a public service. Most of them have quality selinux policies, but some services have nothing and I consider this "suboptimal" for Reasons(tm). I really want to, among other things, switch this into full-enforcing but right now it's "let it happen, and cry into avc.log".

Yes, this is very much My First Policy(tm). Keep that in mind.

Some things about how selinux policy modules work I consider baffling and against general best practices. For example, how rather than keeping everything except common macros within a given module set, I have to spread out certain networking definitions into the corenetwork.* files. But I've worked within the guidelines as I currently understand them.

Which makes developing a bit of a headache because upstream not only has to figure out whether you are doing something insane or not, but also actually merge in changes rather than adding to a tree.

Plus it took me awhile to poke the overlay server to determine that it is not in fact down, but just useless over http. 

The results are thus:

* New policy module: "bitcoin". 

Built using the tor policy as a reference, though this was written purely from scratch. 

* Modified Boolean / corenetwork / modules

Necessary changes to stay within the overall framework.

Now, I think I have bitcoin as with my use set flag (+ipv6, +logrotate) working well enough. It happily starts, stops, and rebuilds the block chain without complaint.

I don't believe I missed anything, but for example I was tinkering with this all afternoon and only as I'm polishing up did the process spit out a bunch of denials about locale_t which it never cared about before. 

Other things like upnp I don't even precisely understand the point, much less how to properly test that it works. 

Currently this is functioning without any avc denials, and without any (obvious) grossly stupid policy openings. So I'm happy with this as a first draft.

I don't have anything in terms of ebuild changes as I'm more concerned about whether the selinux policy is acceptable.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-08 16:42:00 UTC
Hi Eric

I'll test your policy soon and, with your permission (if you give it ;-) send it upstream as well for review.

The reason for the networking stuff being in corenetwork instead of the bitcoin module is that some of the networking definitions cannot be in a loadable module (which the bitcoin code will be). Instead, it has to reside in the base module (of which corenetwork is a part).
Comment 2 Eric Gisse 2014-11-17 16:25:19 UTC
Created attachment 389576 [details, diff]
more work

Had to do some more work on this in order to make it build right on 2.3 userspace, which meant writing commenting docu better. Plus some misc things had to be fixed, along with remembering to give access to sysadm_r.

Might have to do a bit more work on logging and rotation, but this policy is a bit more stable now.
Comment 3 Eric Gisse 2014-11-19 18:47:14 UTC
Created attachment 389784 [details, diff]
3rd and i think final patch

A bit more work had to be done to make this work properly in enforcing. 

Network macros reduced to the minimum, logrotate works now, and will actually start in 2.3 userspace enforcing mode!

Had to build some interfaces and tie in properly with init and logrotate to make everything work smoothly.
Comment 4 Eric Gisse 2014-11-20 05:41:23 UTC
Log location adjustment as per Luke Jr.

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
index fb80005..e705c89 100644
--- a/policy/modules/contrib/bitcoin.fc
+++ b/policy/modules/contrib/bitcoin.fc
@@ -9,5 +9,5 @@
 /etc/bitcoin(/.*)?                                     gen_context(system_u:object_r:bitcoin_etc_t,s0)
 /var/lib/bitcoin/\.bitcoin/bitcoin\.conf               gen_context(system_u:object_r:bitcoin_etc_t,s0)
 /var/lib/bitcoin/\.bitcoin/debug\.log                  gen_context(system_u:object_r:bitcoin_log_t,s0)
-/var/lib/bitcoin/\.bitcoin/log(/.*)?                   gen_context(system_u:object_r:bitcoin_log_t,s0)
+/var/log/bitcoin(/.*)?                                 gen_context(system_u:object_r:bitcoin_log_t,s0)
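
Review bot: the added `/var/log/bitcoin(/.*)?` line only takes effect when the path is relabeled; a directory created at run time under /var/log inherits the parent's type unless the .te carries a matching transition (refpolicy's logging_log_filetrans), and this hunk touches bitcoin.fc only, so please confirm that transition exists and that bitcoin_log_t is declared as a log file type. The unchanged `debug\.log` entry under /var/lib/bitcoin/\.bitcoin still maps to bitcoin_log_t, which leaves log labels in two locations; state whether that is intended or whether that entry should go together with the removed `log(/.*)?` line.
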
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 15:26:02 UTC
Created attachment 390112 [details]
bitcoin.fc

Simple fs def to start from
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 15:26:24 UTC
Created attachment 390114 [details]
bitcoin.if
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 15:26:49 UTC
Created attachment 390116 [details]
bitcoin.te
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 15:31:31 UTC
I've been able to use bitcoind successfully with the attached policy, based on yours and the additional patches, but I did not include every single one of them.

The contexts within /var/lib/bitcoin might need to be improved (to the level that you had) although I would be surprised if bitcoin shouldn't be configured so that it uses the "standard" locations (/etc/bitcoin for config, /var/log/bitcoin for logging, etc.)

I did not include the bitcoin_read_config_files interface as I didn't need it (yet). Also I'm probably going to allow initrc_t to read all configuration files as I've noticed that many applications have init scripts in Gentoo that parse the configuration file.

The bitcoin_manage_log is not needed for logrotate afaics, the logfile must be marked as a logfile though (and not just a regular file_type) as logrotate has the proper rights on all logfile attribute inheriting types.
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-27 21:06:04 UTC
The current policy has an init_script_readable() requirement. I'm not personally convinced this is the right way to go though.

I'll probably allow initrc_t read access to all generic configuration files (as there are other init scripts also reading configuration files) but that still leaves bitcoin_var_lib_t.
Comment 10 Eric Gisse 2014-11-27 23:00:33 UTC
I rejiggered the policy such that the conf file is labeled as bitcoin_conf_t in both /var/lib/bitcoin/.bitcoin and /etc/bitcoin so I think that's solved.
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-15 18:54:20 UTC
The policy is merged with the hardened-refpolicy repository and the selinux-bitcoin package is now available (-9999 for now).

I kept the init_script_readable_type definition in it for now, as I could not find a suitable alternative for initrc_t (esp. for the var_lib_t ones) and at least it allows to configure policies in an isolated manner (instead of updating initrc_t).

I'll let it linger in our policy for a while to see where things need to be improved before upstreaming.
Comment 12 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-21 14:10:34 UTC
r2 is in tree, ~arch
Comment 13 Eric Gisse 2015-01-08 05:22:18 UTC
Rebasing let me take a look at this now.

# semanage fcontext --list | grep bitcoin
/etc/bitcoin(/.*)?                                 all files          system_u:object_r:bitcoin_etc_t
/etc/rc\.d/init\.d/bitcoind                        regular file       system_u:object_r:bitcoin_initrc_exec_t
/usr/bin/bitcoind                                  regular file       system_u:object_r:bitcoin_exec_t
/var/lib/bitcoin(/.*)?                             all files          system_u:object_r:bitcoin_var_lib_t

These seem to be missing:

/var/lib/bitcoin/\.bitcoin/bitcoin\.conf                gen_context(system_u:object_r:bitcoin_etc_t,s0)
/var/lib/bitcoin/\.bitcoin/debug\.log                   gen_context(system_u:object_r:bitcoin_log_t,s0)
/var/log/bitcoin(/.*)?                                  gen_context(system_u:object_r:bitcoin_log_t,s0)
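
The gap reported in comment 13 can be checked mechanically. The following is an added example, not part of the bug report or the policy: it parses the quoted `semanage fcontext --list` output and the three `.fc` lines, lists the specs that are not loaded, and shows which loaded spec covers a given path. The helper names are made up for illustration, and precedence between overlapping specs is not modelled.

```python
import re

# Output of `semanage fcontext --list | grep bitcoin`, copied from comment 13.
LOADED = r"""
/etc/bitcoin(/.*)?                                 all files          system_u:object_r:bitcoin_etc_t
/etc/rc\.d/init\.d/bitcoind                        regular file       system_u:object_r:bitcoin_initrc_exec_t
/usr/bin/bitcoind                                  regular file       system_u:object_r:bitcoin_exec_t
/var/lib/bitcoin(/.*)?                             all files          system_u:object_r:bitcoin_var_lib_t
"""

# The .fc entries comment 13 reports as missing.
EXPECTED_FC = r"""
/var/lib/bitcoin/\.bitcoin/bitcoin\.conf                gen_context(system_u:object_r:bitcoin_etc_t,s0)
/var/lib/bitcoin/\.bitcoin/debug\.log                   gen_context(system_u:object_r:bitcoin_log_t,s0)
/var/log/bitcoin(/.*)?                                  gen_context(system_u:object_r:bitcoin_log_t,s0)
"""

def parse_loaded(text):
    """Map path regex -> context from `semanage fcontext --list` lines."""
    specs = {}
    for line in text.strip().splitlines():
        fields = line.split()
        specs[fields[0]] = fields[-1]   # first column is the regex, last the context
    return specs

def parse_fc(text):
    """Map path regex -> context from .fc lines (optional file-type flag such as --)."""
    specs = {}
    for line in text.strip().splitlines():
        m = re.match(r"(\S+)\s+(?:-\S\s+)?gen_context\(([^,]+),", line)
        if m:
            specs[m.group(1)] = m.group(2)
    return specs

def missing_specs(expected, loaded):
    """Path regexes present in the .fc source but absent from the loaded policy."""
    return sorted(p for p in expected if p not in loaded)

def loaded_types_for(path, loaded):
    """Types of every loaded spec whose regex matches the whole path."""
    return [ctx.split(":")[2] for rx, ctx in loaded.items() if re.fullmatch(rx, path)]

if __name__ == "__main__":
    loaded, expected = parse_loaded(LOADED), parse_fc(EXPECTED_FC)
    for spec in missing_specs(expected, loaded):
        print("not loaded:", spec, "->", expected[spec])
    for path in ("/var/lib/bitcoin/.bitcoin/debug.log", "/var/log/bitcoin/debug.log"):
        print(path, "covered by", loaded_types_for(path, loaded) or "no bitcoin spec")
```

With the loaded specs, `/var/lib/bitcoin/.bitcoin/debug.log` is covered only by the bitcoin_var_lib_t entry, so it does not carry the log file type that comment 8 says logrotate relies on.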
Comment 14 Jason Zaman gentoo-dev 2015-01-29 10:23:51 UTC
sec-policy -r2 is stable now.

what about the missing stuff in the last comment?
Comment 15 Sven Vermeulen (RETIRED) gentoo-dev 2015-04-16 18:51:57 UTC
The /var/log/bitcoin one indeed needs to be added. The other ones should be carefully analyzed if this is mandatory or if bitcoin can't be updated to use proper locations (instead of (ab)using /var/lib for all that).

If it is necessary, then the proper filetrans definitions need to be taken up as well.

Either reopen the bug and remove the "sec-policy r2" from the whiteboard, or use a new bug.
Comment 16 Sven Vermeulen (RETIRED) gentoo-dev 2015-07-03 16:22:16 UTC
Remainder is part of bug #553868