Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 528516 - selinux policy for net-p2p/bitcoind
Summary: selinux policy for net-p2p/bitcoind
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r2
Depends on:
Blocks: 529896
  Show dependency tree
Reported: 2014-11-06 23:07 UTC by Eric Gisse
Modified: 2021-01-22 00:03 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

bitcoin selinux policy (bitcoin.patch,16.82 KB, patch)
2014-11-06 23:07 UTC, Eric Gisse
Details | Diff
more work (bitcoin2.patch,3.88 KB, patch)
2014-11-17 16:25 UTC, Eric Gisse
Details | Diff
3rd and i think final patch (bitcoin3.patch,7.65 KB, patch)
2014-11-19 18:47 UTC, Eric Gisse
Details | Diff
bitcoin.fc (bitcoin.fc,335 bytes, text/plain)
2014-11-23 15:26 UTC, Sven Vermeulen (RETIRED)
bitcoin.if (bitcoin.if,1.06 KB, text/x-matlab)
2014-11-23 15:26 UTC, Sven Vermeulen (RETIRED)
bitcoin.te (bitcoin.te,2.66 KB, text/plain)
2014-11-23 15:26 UTC, Sven Vermeulen (RETIRED)

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Gisse 2014-11-06 23:07:43 UTC
Created attachment 388712 [details, diff]
bitcoin selinux policy

I'm running a few things as a public service. Most of them have quality selinux policies, but some services have nothing and I consider this "suboptimal" for Reasons(tm). I really want to, among other things, switch this into full-enforcing but right now its' "let it happen, and cry into avc.log".

Yes, this is very much My First Policy(tm). Keep that in mind.

Some things with how selinux policy modules I consider baffling and against general best practices. For example, how rather than keeping everything except common macros within a given module set, I have to spread out certain networking definitions into the corenetwork.* files. But I've worked within the guidelines as I currently understand them.

Which makes developing a bit of a headache because upstream not only has to figure out whether you are doing something insane or not, but also actually merge in changes rather than adding to a tree.

Plus it took me awhile to poke the overlay server to determine that it is not in fact down, but just useless over http. 

The results are thus:

* New policy module: "bitcoin". 

Built using the tor policy as a reference, though this was written purely from scratch. 

* Modified Boolean / corenetwork / modules

Necessary changes to stay within the overall framework.

Now, I think I have bitcoin as with my use set flag (+ipv6, +logrotate) working well enough. It happily starts, stops, and rebuilds the block chain without complaint.

I don't believe I missed anything, but for example I was tinkering with this all afternoon and only as I'm polishing up did the process spit out a bunch of denials about locale_t which it never cared about before. 

Other things like upnp I don't even precisely understand the point, much less how to properly test that it works. 

Currently this is functioning without any avc denials, and without any (obvoius) grossly stupid policy openings. So I'm happy with this as a first draft. 

I don't have anything in terms of ebuild changes as I'm more concerned about whether the selinux policy is acceptable.
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-08 16:42:00 UTC
Hi Eric

I'll test your policy soon and, with your permission (if you give it ;-) send it upstream as well for review.

The reason of the networking stuff to be in the corenetwork instead of the bitcoin module is because some of the networking definitions cannot be in a loadable module (which the bitcoin code will be). Instead, it has to reside in the base module (of which corenetwork is a part of).
Comment 2 Eric Gisse 2014-11-17 16:25:19 UTC
Created attachment 389576 [details, diff]
more work

Had to do some more work on this in order to make it build right on 2.3 userspace, which meant writing commenting docu better. Plus some misc things had to be fixed, along with remembering to give access to sysadm_r.

Might have to do a bit more work on logging and rotation, but this policy is a bit more stable now.
Comment 3 Eric Gisse 2014-11-19 18:47:14 UTC
Created attachment 389784 [details, diff]
3rd and i think final patch

A bit more work had to be done to make this work properly in enforcing. 

Network macros reduced to the minimum, logrotate works now, and will actually start in 2.3 userspace enforcing mode!

Had to build some interfaces and tie in properly with init and logrotate to make everything work smoothly.
Comment 4 Eric Gisse 2014-11-20 05:41:23 UTC
Log location adjustment as per Luke Jr.

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
index fb80005..e705c89 100644
--- a/policy/modules/contrib/bitcoin.fc
+++ b/policy/modules/contrib/bitcoin.fc
@@ -9,5 +9,5 @@
 /etc/bitcoin(/.*)?                                     gen_context(system_u:object_r:bitcoin_etc_t,s0)
 /var/lib/bitcoin/\.bitcoin/bitcoin\.conf               gen_context(system_u:object_r:bitcoin_etc_t,s0)
 /var/lib/bitcoin/\.bitcoin/debug\.log                  gen_context(system_u:object_r:bitcoin_log_t,s0)
-/var/lib/bitcoin/\.bitcoin/log(/.*)?                   gen_context(system_u:object_r:bitcoin_log_t,s0)
+/var/log/bitcoin(/.*)?                                 gen_context(system_u:object_r:bitcoin_log_t,s0)
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 15:26:02 UTC
Created attachment 390112 [details]

Simple fs def to start from
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 15:26:24 UTC
Created attachment 390114 [details]
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 15:26:49 UTC
Created attachment 390116 [details]
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-23 15:31:31 UTC
I've been able to use bitcoind succesfully with the attached policy, based on yours and the additional patches, but I did not include every single one of them.

The contexts within /var/lib/bitcoin might need to be improved (to the level that you had) although I would be surprised if bitcoin shouldn't be configured so that it uses the "standard" locations (/etc/bitcoin for config, /var/log/bitcoin for logging, etc.)

I did not include the bitcoin_read_config_files interface as I didn't need it (yet). Also I'm probably going to allow initrc_t to read all configuration files as I've noticed that many applications have init scripts in Gentoo that parse the configuration file.

The bitcoin_manage_log is not needed for logrotate afaics, the logfile must be marked as a logfile though (and not just a regular file_type) as logrotate has the proper rights on all logfile attribute inheriting types.
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-27 21:06:04 UTC
The current policy has an init_script_readable() requirement. I'm not personally convinced this is the right way to go though.

I'll probably allow initrc_t read access to all generic configuration files (as there are other init scripts also reading configuration files) but that still leaves bitcoin_var_lib_t.
Comment 10 Eric Gisse 2014-11-27 23:00:33 UTC
I rejiggered the policy such that the conf file is lableed as bitcoin_conf_t in both /var/lib/bitcoin/.bitcoin and /etc/bitcoin so I think that's solved.
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-15 18:54:20 UTC
The policy is merged with the hardened-refpolicy repository and the selinux-bitcoin package is now available (-9999 for now).

I kept the init_script_readable_type definition in it for now, as I could not find a suitable alternative for initrc_t (esp. for the var_lib_t ones) and at least it allows to configure policies in an isolated manner (instead of updating initrc_t).

I'll let it linger in our policy for a while to see where things need to be improved before upstreaming.
Comment 12 Sven Vermeulen (RETIRED) gentoo-dev 2014-12-21 14:10:34 UTC
r2 is in tree, ~arch
Comment 13 Eric Gisse 2015-01-08 05:22:18 UTC
Rebasing let me take a look at this now.

# semanage fcontext --list | grep bitcoin
/etc/bitcoin(/.*)?                                 all files          system_u:object_r:bitcoin_etc_t
/etc/rc\.d/init\.d/bitcoind                        regular file       system_u:object_r:bitcoin_initrc_exec_t
/usr/bin/bitcoind                                  regular file       system_u:object_r:bitcoin_exec_t
/var/lib/bitcoin(/.*)?                             all files          system_u:object_r:bitcoin_var_lib_t

These seem to be missing:

/var/lib/bitcoin/\.bitcoin/bitcoin\.conf                gen_context(system_u:object_r:bitcoin_etc_t,s0)
/var/lib/bitcoin/\.bitcoin/debug\.log                   gen_context(system_u:object_r:bitcoin_log_t,s0)
/var/log/bitcoin(/.*)?                                  gen_context(system_u:object_r:bitcoin_log_t,s0)
Comment 14 Jason Zaman gentoo-dev 2015-01-29 10:23:51 UTC
sec-policy -r2 is stable now.

what about the missing stuff in the last comment?
Comment 15 Sven Vermeulen (RETIRED) gentoo-dev 2015-04-16 18:51:57 UTC
The /var/log/bitcoin one indeed needs to be added. The other ones should be carefully analyzed if this is mandatory or if bitcoin can't be updated to use proper locations (instead of (ab)using /var/lib for all that).

If it is necessary, then the proper filetrans definitions need to be taken up as well.

Either reopen the bug and remove the "sec-policy r2" from the whiteboard, or use a new bug.
Comment 16 Sven Vermeulen (RETIRED) gentoo-dev 2015-07-03 16:22:16 UTC
Remainder is part of bug #553868