Created attachment 389786
One of my personal projects is to make selinux more useful and to use it more often, to that end I chose to make running the bitcoind daemon under selinux a project.
The selinux policy is finished, just needs testing to iron out anything I missed.
However, a few small adjustments within the ebuild are necessary for this to work cleanly with log rotation.
Due to bitcoind's inability to run syslog() or put log files in a specific spot, it is difficult to set things up with labeling such that logrotate can make new log files in /var/lib/.bitcoin/bitcoin without giving it more privileges than I want.
To that end, I've set things up so bitcoin logs to debug.log which is symlinked to log/debug.log, which will have the appropriate selinux labels. This also has the bonus of keeping log files in their own directory.
I've attached the ebuild change, and one other small change needs to be done to the logrotate file:
Note: selinux isn't integrated into the ebuild just yet, as there is no official gentoo selinux policy.
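The layout described above (a dedicated, separately labelled log directory reached through a symlink from the data directory) is easy to get backwards, so here is an added checker that is not from the bug report or the Gentoo ebuild. It assumes GNU `stat`, takes the data and log directories as arguments, and builds two throwaway layouts under `mktemp` to show one wrong and one correct arrangement.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Gentoo ebuild.
# Verifies the log layout the report describes: the data directory's
# debug.log must be a symlink whose target lives inside the dedicated log
# directory, so that logrotate and SELinux labelling act on the real file.
# Paths are passed in; nothing here touches a real bitcoind install.

# check_log_layout DATADIR LOGDIR -> 0 if the layout is as intended, 1 otherwise
check_log_layout() {
    datadir=$1
    logdir=$2
    link="$datadir/debug.log"

    # debug.log inside the data directory must itself be the symlink ...
    [ -L "$link" ] || { echo "FAIL: $link is not a symlink"; return 1; }

    # ... and its target must be a path under the log directory.
    target=$(readlink "$link")
    case "$target" in
        "$logdir"/*) ;;
        *) echo "FAIL: $link -> $target is not under $logdir"; return 1 ;;
    esac

    # The log directory must be a real directory, not a link, and must not be
    # world-accessible (the ebuild gives /var/lib/bitcoin fperms 700).
    [ -d "$logdir" ] && [ ! -L "$logdir" ] || { echo "FAIL: $logdir is not a directory"; return 1; }
    mode=$(stat -c %a "$logdir")   # GNU stat: octal permission bits
    case "$mode" in
        *[1-7]) echo "FAIL: $logdir mode $mode grants access to others"; return 1 ;;
    esac
    echo "OK: $link -> $target"
}

# Constructed demo: two throwaway layouts under mktemp mirroring the two diffs.
demo() {
    tmp=$(mktemp -d)
    # Layout A (first patch): real file in .bitcoin, link placed in log/.
    mkdir -p "$tmp/a/.bitcoin/log" && chmod 750 "$tmp/a/.bitcoin/log"
    : > "$tmp/a/.bitcoin/debug.log"
    ln -s "$tmp/a/.bitcoin/debug.log" "$tmp/a/.bitcoin/log/debug.log"
    # Layout B (second diff): link in .bitcoin pointing into the log directory.
    mkdir -p "$tmp/b/.bitcoin" "$tmp/b/log" && chmod 750 "$tmp/b/log"
    ln -s "$tmp/b/log/debug.log" "$tmp/b/.bitcoin/debug.log"
    if check_log_layout "$tmp/a/.bitcoin" "$tmp/a/.bitcoin/log"; then a=0; else a=1; fi
    if check_log_layout "$tmp/b/.bitcoin" "$tmp/b/log"; then b=0; else b=1; fi
    rm -rf "$tmp"
    [ "$a" -eq 1 ] && [ "$b" -eq 0 ]   # A is the wrong way round, B is correct
}
```

Run `demo` to see both verdicts; on a real install call `check_log_layout /var/lib/bitcoin/.bitcoin /var/log/bitcoin` (or whatever paths the ebuild installs).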
Comment on attachment 389786
@@ -1,6 +1,6 @@
# Copyright 2010-2014 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-p2p/bitcoind/bitcoind-0.9.3.ebuild,v 1.3 2014/11/13 18:41:27 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-p2p/bitcoind/bitcoind-0.9.3.ebuild,v 1.2 2014/10/10 11:37:31 blueness Exp $
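Review bot: the $Header line moves backwards from revision 1.3 to 1.2, which means this patch was generated against an older copy of the ebuild than the one in the tree; rebase onto the current 1.3 file and drop this hunk entirely, since the header is managed by CVS and should not be changed by hand.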
@@ -68,7 +68,6 @@
- --disable-ccache \
$(use_with upnp miniupnpc) $(use_enable upnp upnp-default) \
$(use_enable test tests) \
$(use_enable wallet) \
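Review bot: dropping `--disable-ccache` has nothing to do with the log layout this patch is about and looks like another consequence of diffing against the older revision; remove this hunk so the patch contains only the intended change.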
@@ -95,10 +94,13 @@
fperms 700 /var/lib/bitcoin
+ keepdir /var/lib/bitcoin/.bitcoin/log
fowners bitcoin:bitcoin /var/lib/bitcoin/
fowners bitcoin:bitcoin /var/lib/bitcoin/.bitcoin
- dosym /etc/bitcoin/bitcoin.conf /var/lib/bitcoin/.bitcoin/bitcoin.conf
+ fowners bitcoin:bitcoin /var/lib/bitcoin/.bitcoin/log
+ dosym /etc/bitcoin/bitcoin.conf /var/lib/bitcoin/.bitcoin/bitcoin.conf
+ dosym /var/lib/bitcoin/.bitcoin/debug.log /var/lib/bitcoin/.bitcoin/log/debug.log
dodoc doc/README.md doc/release-notes.md
dodoc doc/assets-attribution.md doc/tor.md
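Review bot: the symlink in the last added line points the wrong way for the stated goal. `dosym` takes the link target first and the link path second, so `dosym /var/lib/bitcoin/.bitcoin/debug.log /var/lib/bitcoin/.bitcoin/log/debug.log` creates log/debug.log as a link back to .bitcoin/debug.log, leaving the real file outside the labelled log directory where logrotate is meant to operate. Swap the two arguments so that .bitcoin/debug.log is the link and log/debug.log is the real file; the `fowners` on the log directory is then the one that matters.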
Why are you removing --disable-ccache? I suggest symlinking to /var/log/bitcoind/ instead.
I didn't touch ccache, as it was that way with the 0.9.3 ebuild. Feel free to add it back as I have no stake in what happens with it.
For /var/log/bitcoind, I like that idea and did consider it but rejected it for some bizarre reason which eludes me. Logs were in that spot - didn't feel like moving things around, I guess.
# diff /usr/local/portage/net-p2p/bitcoind/bitcoind-0.9.3.ebuild /usr/portage/net-p2p/bitcoind/bitcoind-0.9.3.ebuild
< keepdir /var/log/bitcoin
< fowners bitcoin:bitcoin /var/log/bitcoin
< dosym /var/log/bitcoin/debug.log /var/lib/bitcoin/.bitcoin/debug.log
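Review bot: /var/log/bitcoin gets `keepdir` and `fowners` but no `fperms`, so its mode is whatever the default is, while /var/lib/bitcoin in the same ebuild is explicitly set to 700; add an explicit mode such as `fperms 750 /var/log/bitcoin` so the directory the daemon actually writes into is not more open than the data directory it is linked from.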
Of course, apply the same change to the log rotation file.
It happily installs, logs, and rotates logs.
Actual incorporation of selinux can come later.
Why are logs not installed in /var/log/bitcoin (seems to me to be the most logical place for log files)?
They are now, but why it wasn't that way originally I haven't the foggiest.
The bitcoin tool doesn't let you dump to syslog or modify the location of the log, so that's more of a question for upstream / maintainer.
Forgive me if this is the wrong bug to comment on the ongoing development of the 0.9.3 ebuilds, but both the bitcoind and bitcoin-qt src_compile() seem to need hardening added to them.
Currently, src_compile() is omitted and the ebuild fails for me with a recommendation to "recompile with -fPIC".
Also, is anybody else interested in a USE="static" option?
If so, I will submit a patched ebuild for your consideration.
(In reply to Christopher Camisa from comment #6)
> Forgive me if this is the wrong bug to comment on the ongoing development of
> the 0.9.3 ebuilds, but both the bitcoind and bitcoin-qt src_compile() seem
> to need hardening added to them.
> Currently, src_compile() is omitted and the ebuild fails for me with a
> recommendation to "recompile with -fPIC".
I'm not sure how you're getting this - bitcoind is *always* built with -fPIC...
> Also, is anybody else interested in a USE="static" option?
> If so, I will submit a patched ebuild for your consideration.
Might be worth having... it should probably use the embedded leveldb and libsecp256k1 in this case as well. Patches for new features like this should ideally be against 0.10.0_rc1 in the overlay.