Created attachment 389786 [details] bitcoind-0.9.3.ebuild One of my personal projects is to make selinux more useful and to use it more often, to that end I chose to make running the bitcoind daemon under selinux a project. The selinux policy is finished, just needs testing to iron out anything I missed. However a few small adjustments within the ebuild are necessary for this to work cleanly with log rotation. Due to bitcoind's inability to run syslog() or put log files in a specific spot, it is difficult to set things up with labeling such that logrotate can make new log files in /var/lib/.bitcoin/bitcoin without giving it more privileges than I want. To that end, I've set things up so bitcoin logs to debug.log which is symlinked to log/debug.log, which will have the appropriate selinux labels. This also has the bonus of keeping log files in their own directory. I've attached the ebuild change, and one other small change needs to be done to the logrotate file: Replace this: /var/lib/bitcoin/.bitcoin/debug.log ...with this: /var/lib/bitcoin/.bitcoin/log/debug.log Note: selinux isn't integrated into the ebuild just yet, as there is no official gentoo selinux policy.
Comment on attachment 389786 [details] bitcoind-0.9.3.ebuild --- bitcoind-0.9.3.ebuild +++ bitcoind-0.9.3.ebuild @@ -1,6 +1,6 @@ # Copyright 2010-2014 Gentoo Foundation # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/net-p2p/bitcoind/bitcoind-0.9.3.ebuild,v 1.3 2014/11/13 18:41:27 blueness Exp $ +# $Header: /var/cvsroot/gentoo-x86/net-p2p/bitcoind/bitcoind-0.9.3.ebuild,v 1.2 2014/10/10 11:37:31 blueness Exp $ EAPI=4 @@ -68,7 +68,6 @@ src_configure() { econf \ - --disable-ccache \ $(use_with upnp miniupnpc) $(use_enable upnp upnp-default) \ $(use_enable test tests) \ $(use_enable wallet) \ @@ -95,10 +94,13 @@ keepdir /var/lib/bitcoin/.bitcoin fperms 700 /var/lib/bitcoin + keepdir /var/lib/bitcoin/.bitcoin/log fowners bitcoin:bitcoin /var/lib/bitcoin/ fowners bitcoin:bitcoin /var/lib/bitcoin/.bitcoin - dosym /etc/bitcoin/bitcoin.conf /var/lib/bitcoin/.bitcoin/bitcoin.conf + fowners bitcoin:bitcoin /var/lib/bitcoin/.bitcoin/log + dosym /etc/bitcoin/bitcoin.conf /var/lib/bitcoin/.bitcoin/bitcoin.conf + dosym /var/lib/bitcoin/.bitcoin/debug.log /var/lib/bitcoin/.bitcoin/log/debug.log dodoc doc/README.md doc/release-notes.md dodoc doc/assets-attribution.md doc/tor.md doman contrib/debian/manpages/{bitcoind.1,bitcoin.conf.5}
Why are you removing --disable-ccache? I suggest symlinking to /var/log/bitcoind/ instead.
I didn't touch ccache, as it was that way with the 0.9.3 ebuild. Feel free to add it back as I have no stake in what happens with it. For /var/log/bitcoind, I like that idea and did consider it but rejected it for some bizarre reason which eludes me. Logs were in that spot - didn't feel like moving things around, I guess. Patch: # diff /usr/local/portage/net-p2p/bitcoind/bitcoind-0.9.3.ebuild /usr/portage/net-p2p/bitcoind/bitcoind-0.9.3.ebuild 97d96 < keepdir /var/log/bitcoin 100,101d98 < fowners bitcoin:bitcoin /var/log/bitcoin < 103c100 < dosym /var/log/bitcoin/debug.log /var/lib/bitcoin/.bitcoin/debug.log --- > Of course, apply the same change to the log rotation file. It happily installs, logs, and rotates logs. Actual incorporation of selinux can come later.
Why are logs not installed in /var/log/bitcoin (seems to me to be the most logical place for log files)?
They are now, but why it wasn't that way originally I haven't the foggiest. The bitcoin tool doesn't let you dump to syslog or modify the location of the log, so that's more of a question for upstream / maintainer.
Forgive me if this is the wrong bug to comment on the ongoing development of the 0.9.3 ebuilds, but both the bitcoind and bitcoin-qt src_compile() seem to need hardening added to them. Currently, src_compile() is omitted and the ebuild fails for me with a recommendation to "recompile with -fPIC". Also, is anybody else interested in a USE="static" option? If so, I will submit a patched ebuild for your consideration.
(In reply to Christopher Camisa from comment #6) > Forgive me if this is the wrong bug to comment on the ongoing development of > the 0.9.3 ebuilds, but both the bitcoind and bitcoin-qt src_compile() seem > to need hardening added to them. > > Currently, src_compile() is omitted and the ebuild fails for me with a > recommendation to "recompile with -fPIC". I'm not sure how you're getting this - bitcoind is *always* built with -fPIC... > Also, is anybody else interested in a USE="static" option? > If so, I will submit a patched ebuild for your consideration. Might be worth having... it should probably use the embedded leveldb and libsecp256k1 in this case as well. Patches for new features like this should ideally be against 0.10.0_rc1 in the overlay.
@matt please check if this is still valid for the new bitcoin-core ebuild. I also see that we have sec-policy/selinux-bitcoin in ::gentoo. So maybe this can be closed?
I know almost nothing about SELinux and certainly not enough to guess one way or another whether the bitcoin.* policy files at https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib are correct. I can see one thing that's obviously wrong, which is the /var/lib/bitcoin path in bitcoin.fc. That would need to be updated to /var/lib/bitcoind. (Really, probably both paths need to be in there since users may take arbitrarily long to migrate.) Maybe the logs directory (/var/log/bitcoind) also needs to be configured in the policy so bitcoind and logrotate can access it? I'm sorry I can't be of more help here. SELinux has always seemed superfluous, confusing, and counterproductive to me, so I've stayed away from it. ::shrug::
(In reply to Matt Whitlock from comment #9) > I'm sorry I can't be of more help here. No worries. Your response, even if negative, was already helpful. @selinux: it appears the current sec-policy/selinux-bitcoin is incompatible with your bitcoin-core package. How can we re-align this?
(In reply to Florian Schmaus from comment #10) > @selinux: it appears the current sec-policy/selinux-bitcoin is incompatible > with your bitcoin-core package. How can we re-align this? I'm not a bitcoin user so I can't say for sure what the current state of the bitcoin policy is. Realistically the best thing to do would be to test the current bitcoin package with the current bitcoin policy. If the policy breaks the package, then the policy needs to be updated/have the necessary adjustments made. It's possible that the policy is outdated, it was written originally for a different Linux distribution, or other things. We have a Gentoo SELinux policy mirror on Github that users are encouraged to submit patches to: https://github.com/gentoo/hardened-refpolicy