Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 529896 - net-p2p/bitcoin-core - add selinux support
Summary: net-p2p/bitcoin-core - add selinux support
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Matt Whitlock
URL:
Whiteboard:
Keywords:
Depends on: 528516
Blocks:
  Show dependency tree
 
Reported: 2014-11-19 18:55 UTC by Eric Gisse
Modified: 2023-11-14 21:46 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
bitcoind-0.9.3.ebuild (bitcoind-0.9.3.ebuild,2.91 KB, text/plain)
2014-11-19 18:55 UTC, Eric Gisse
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Eric Gisse 2014-11-19 18:55:51 UTC
Created attachment 389786 [details]
bitcoind-0.9.3.ebuild

One of my personal projects is to make selinux more useful and to use it more often, to that end I chose to make running the bitcoind daemon under selinux a project.

The selinux policy is finished, just needs testing to iron out anything I missed. 

However a few small adjustments within the ebuild are necessary for this to work cleanly with log rotation.

Due to bitcoind's inability to run syslog() or put log files in a specific spot, it is difficult to set things up with labeling such that logrotate can make new log files in /var/lib/.bitcoin/bitcoin without giving it more privileges than I want.

To that end, I've set things up so bitcoin logs to debug.log which is symlinked to log/debug.log, which will have the appropriate selinux labels. This also has the bonus of keeping log files in their own directory.

I've attached the ebuild change, and one other small change needs to be done to the logrotate file:

Replace this:

/var/lib/bitcoin/.bitcoin/debug.log

...with this:

/var/lib/bitcoin/.bitcoin/log/debug.log


Note: selinux isn't integrated into the ebuild just yet, as there is no official gentoo selinux policy.
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2014-11-19 23:43:32 UTC
Comment on attachment 389786 [details]
bitcoind-0.9.3.ebuild

--- bitcoind-0.9.3.ebuild
+++ bitcoind-0.9.3.ebuild
@@ -1,6 +1,6 @@
 # Copyright 2010-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/net-p2p/bitcoind/bitcoind-0.9.3.ebuild,v 1.3 2014/11/13 18:41:27 blueness Exp $
+# $Header: /var/cvsroot/gentoo-x86/net-p2p/bitcoind/bitcoind-0.9.3.ebuild,v 1.2 2014/10/10 11:37:31 blueness Exp $

 EAPI=4

@@ -68,7 +68,6 @@

 src_configure() {
        econf \
-               --disable-ccache \
                $(use_with upnp miniupnpc) $(use_enable upnp upnp-default) \
                $(use_enable test tests)  \
                $(use_enable wallet)  \
@@ -95,10 +94,13 @@

        keepdir /var/lib/bitcoin/.bitcoin
        fperms 700 /var/lib/bitcoin
+       keepdir /var/lib/bitcoin/.bitcoin/log
        fowners bitcoin:bitcoin /var/lib/bitcoin/
        fowners bitcoin:bitcoin /var/lib/bitcoin/.bitcoin
-       dosym /etc/bitcoin/bitcoin.conf /var/lib/bitcoin/.bitcoin/bitcoin.conf
+       fowners bitcoin:bitcoin /var/lib/bitcoin/.bitcoin/log

+       dosym /etc/bitcoin/bitcoin.conf /var/lib/bitcoin/.bitcoin/bitcoin.conf
+       dosym /var/lib/bitcoin/.bitcoin/debug.log /var/lib/bitcoin/.bitcoin/log/debug.log
        dodoc doc/README.md doc/release-notes.md
        dodoc doc/assets-attribution.md doc/tor.md
        doman contrib/debian/manpages/{bitcoind.1,bitcoin.conf.5}
Comment 2 Luke-Jr 2014-11-20 00:17:35 UTC
Why are you removing --disable-ccache? I suggest symlinking to /var/log/bitcoind/ instead.
Comment 3 Eric Gisse 2014-11-20 05:37:31 UTC
I didn't touch ccache, as it was that way with the 0.9.3 ebuild. Feel free to add it back as I have no stake in what happens with it.

For /var/log/bitcoind, I like that idea and did consider it but rejected it for some bizarre reason which eludes me. Logs were in that spot - didn't feel like moving things around, I guess. 

Patch: 

# diff /usr/local/portage/net-p2p/bitcoind/bitcoind-0.9.3.ebuild /usr/portage/net-p2p/bitcoind/bitcoind-0.9.3.ebuild
97d96
<       keepdir /var/log/bitcoin
100,101d98
<       fowners bitcoin:bitcoin /var/log/bitcoin
<
103c100
<       dosym /var/log/bitcoin/debug.log /var/lib/bitcoin/.bitcoin/debug.log
---
>

Of course, apply the same change to the log rotation file.

It happily installs, logs, and rotates logs. 

Actual incorporation of selinux can come later.
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2014-11-27 15:22:27 UTC
Why are logs not installed in /var/log/bitcoin (seems to me to be the most logical place for log files)?
Comment 5 Eric Gisse 2014-11-27 16:23:56 UTC
They are now, but why it wasn't that way originally I haven't the foggiest.

The bitcoin tool doesn't let you dump to syslog or modify the location of the log, so that's more of a question for upstream / maintainer.
Comment 6 Chicago 2015-01-04 00:35:22 UTC
Forgive me if this is the wrong bug to comment on the ongoing development of the 0.9.3 ebuilds, but both the bitcoind and bitcoin-qt src_compile() seem to need hardening added to them.

Currently, src_compile() is omitted and the ebuild fails for me with a recommendation to "recompile with -fPIC".

Also, is anybody else interested in a USE="static" option?
If so, I will submit a patched ebuild for your consideration.
Comment 7 Luke-Jr 2015-01-04 03:17:48 UTC
(In reply to Christopher Camisa from comment #6)
> Forgive me if this is the wrong bug to comment on the ongoing development of
> the 0.9.3 ebuilds, but both the bitcoind and bitcoin-qt src_compile() seem
> to need hardening added to them.
> 
> Currently, src_compile() is omitted and the ebuild fails for me with a
> recommendation to "recompile with -fPIC".

I'm not sure how you're getting this - bitcoind is *always* built with -fPIC...

> Also, is anybody else interested in a USE="static" option?
> If so, I will submit a patched ebuild for your consideration.

Might be worth having... it should probably use the embedded leveldb and libsecp256k1 in this case as well. Patches for new features like this should ideally be against 0.10.0_rc1 in the overlay.
Comment 8 Florian Schmaus gentoo-dev 2023-10-24 10:53:05 UTC
@matt please check if this is still valid for the new bitcoin-core ebuild.

I also see that we have sec-policy/selinux-bitcoin in ::gentoo. So maybe this can be closed?
Comment 9 Matt Whitlock 2023-10-24 14:46:29 UTC
I know almost nothing about SELinux and certainly not enough to guess one way or another whether the bitcoin.* policy files at https://gitweb.gentoo.org/proj/hardened-refpolicy.git/tree/policy/modules/contrib are correct.

I can see one thing that's obviously wrong, which is the /var/lib/bitcoin path in bitcoin.fc. That would need to be updated to /var/lib/bitcoind. (Really, probably both paths need to be in there since users may take arbitrarily long to migrate.)

Maybe the logs directory (/var/log/bitcoind) also needs to be configured in the policy so bitcoind and logrotate can access it?

I'm sorry I can't be of more help here. SELinux has always seemed superfluous, confusing, and counterproductive to me, so I've stayed away from it. ::shrug::
Comment 10 Florian Schmaus gentoo-dev 2023-10-24 16:30:00 UTC
(In reply to Matt Whitlock from comment #9)
> I'm sorry I can't be of more help here.

No worries. Your response, even if negative, was already helpful.

@selinux: it appears the current sec-policy/selinux-bitcoin is incompatible with your bitcoin-core package. How can we re-align this?
Comment 11 Kenton Groombridge gentoo-dev 2023-11-14 21:46:09 UTC
(In reply to Florian Schmaus from comment #10)
> @selinux: it appears the current sec-policy/selinux-bitcoin is incompatible
> with your bitcoin-core package. How can we re-align this?

I'm not a bitcoin user so I can't say for sure what the current state of the bitcoin policy is. Realistically the best thing to do would be to test the current bitcoin package with the current bitcoin policy. If the policy breaks the package, then the policy needs to be updated/have the necessary adjustments made. It's possible that the policy is outdated, it was written originally for a different Linux distribution, or other things.

We have a Gentoo SELinux policy mirror on Github that users are encouraged to submit patches to: https://github.com/gentoo/hardened-refpolicy