public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 14:36 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 14:36 UTC (permalink / raw
  To: gentoo-commits

commit:     b5b6cb5395d941a974d597e202dda20c21b2ffc5
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 14:35:22 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b5b6cb53

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 87 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 151 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..86c4083
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	--	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
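Review bot: the `--` in `/var/lib/bitcoin(/.*)?	--	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)` restricts the match to regular files, so /var/lib/bitcoin itself and every subdirectory keep the generic var_lib_t label and the manage_files_pattern in the .te never applies to a directory the daemon is allowed to reach; drop the `--`, as the /etc/bitcoin entry above already does. bitcoin_log_t and bitcoin_var_run_t are declared in the .te and administered in the .if but have no entry here, so nothing on disk will ever carry either label.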

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..2a56735
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 bitcoin_t;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')
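Review bot: `allow $2 bitcoin_t;` is not a valid role allow: $2 is a role and bitcoin_t is a type, so the module will not build as written. The line pairing with `role_transition $2 bitcoin_initrc_exec_t system_r;` is `allow $2 system_r;`, the usual admin-interface idiom, which lets the admin role actually enter system_r when running the init script.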

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..ad3e7ec
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,87 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_files_pattern;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+fs_getattr_xattr_fs(bitcoin_t)
+fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
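Review bot: `allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_files_pattern;` uses a pattern macro where a permission set belongs; write `read_lnk_file_perms` there, or replace the line with `read_lnk_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)`. Two further gaps: `corenet_tcp_bind_bitcoin_port` grants name_bind on the port, but a listening socket also needs node_bind, so add `corenet_tcp_bind_generic_node(bitcoin_t)`; and bitcoin_log_t and bitcoin_var_run_t are declared while bitcoin_t is granted nothing on either and no filetrans rules exist for log or pid files, so those types are dead weight unless matching rules are added. Minor: `{ create_file_perms write_file_perms }` on bitcoin_tmp_t is redundant, since create_file_perms already contains every permission in write_file_perms; `fs_associate(bitcoin_var_lib_t)` is unusual for a /var/lib type and deserves a comment naming the filesystem that requires it; the tunable_policy body is indented with spaces where the rest of the file uses tabs.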


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-23 15:22 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-23 15:22 UTC (permalink / raw
  To: gentoo-commits

commit:     777d8f99864daafbc967a2fbd58e1bb614f8c2ec
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 23 15:21:19 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=777d8f99

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 98 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 162 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
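Review bot: bitcoin_log_t and bitcoin_var_run_t still have no file context here, so even though bitcoin_admin manages both types, no file will ever be labeled with either; either add entries for the log directory and pid file the init script actually uses (together with the corresponding manage and filetrans rules in the .te) or drop the two types from all three files.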

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..672516e
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,98 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+files_config_file(bitcoin_etc_t)
+init_script_readable_type(bitcoin_etc_t)
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:process signal_perms;
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+#list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+manage_dirs_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_system_state(bitcoin_t)
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_connect_http_port(bitcoin_t)
+corenet_tcp_bind_generic_node(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+userdom_use_user_terminals(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
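Review bot: the `# TODO why bind and connect simultaneously?` comment is now stale, since `corenet_tcp_connect_bitcoin_port(bitcoin_t)` is enabled directly beneath it, yet the `corenet_sendrecv_bitcoin_client_packets` the same comment asks for is still missing, and `corenet_tcp_connect_http_port(bitcoin_t)` likewise has no `corenet_sendrecv_http_client_packets`; with labeled networking in use the outbound peer connections will be denied at the packet level. Resolve the comment and add the client packet interfaces, or document why they are not wanted. `userdom_use_user_terminals(bitcoin_t)` gives a long-running network daemon read/write access to every user's tty and pty; if it is only needed when bitcoind is started by hand, gate it behind a tunable or rely on the `domain_use_interactive_fds` already present. The commented-out `#list_dirs_pattern`, `#fs_associate` and the three `#corenet_*dns*` lines should be enabled or deleted rather than committed as comments. bitcoin_log_t and bitcoin_var_run_t remain declared with no rules granting bitcoin_t any access, and the tunable_policy body still uses space indentation.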


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-23 14:22 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-23 14:22 UTC (permalink / raw
  To: gentoo-commits

commit:     f267781b01ee975acfd1f2c3f92366c994961e37
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 23 14:21:34 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=f267781b

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 ++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 93 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 157 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..b62f16d
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,93 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+files_config_file(bitcoin_etc_t)
+init_script_readable_type(bitcoin_etc_t)
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:process signal_perms;
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+#list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_system_state(bitcoin_t)
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
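Review bot: `manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)` covers files only; bitcoind creates subdirectories inside its data directory (blocks/ and chainstate/ among them), so without `manage_dirs_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)` the first start on an empty data directory is denied on the directory create. `corenet_tcp_bind_bitcoin_port` still lacks the companion `corenet_tcp_bind_generic_node(bitcoin_t)` that the listen socket needs for node_bind. `#fs_getattr_xattr_fs` and `#fs_associate` are left commented out: if they were ruled out, delete them, otherwise enable them with a comment explaining the need.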


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-23 14:06 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-23 14:06 UTC (permalink / raw
  To: gentoo-commits

commit:     b6bb266c74511af3e6f2d1a3dfbfa165716ff2a9
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 23 14:05:12 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b6bb266c

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 89 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 153 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..66a1c1d
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,89 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+files_config_file(bitcoin_etc_t)
+init_script_readable_type(bitcoin_etc_t)
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
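Review bot: `corenet_tcp_bind_bitcoin_port(bitcoin_t)` on its own is not enough for a listener, because the kernel checks tcp_socket node_bind against the node type as well as name_bind against the port type; add `corenet_tcp_bind_generic_node(bitcoin_t)`. The file also declares bitcoin_log_t and bitcoin_var_run_t (and the .if administers them) but grants bitcoin_t nothing on either and the .fc labels nothing with them. `allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }` reduces to create_file_perms, which already contains write_file_perms.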


* [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
@ 2014-11-23 13:22 Sven Vermeulen
  2014-11-23 14:06 ` [gentoo-commits] proj/hardened-refpolicy:bitcoin " Sven Vermeulen
  0 siblings, 1 reply; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-23 13:22 UTC (permalink / raw
  To: gentoo-commits

commit:     74986b6148745779596c8604e6f6e489a2c89c13
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 23 12:46:08 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Sun Nov 23 12:46:08 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=74986b61

OpenRC cgroup helper requires dac_override privilege

Managing and updating cgroups through the kernel-invoked openrc cgroup
helper has the helper run under root privileges, but accessing files
(reading mostly) that are owned by a different user.

---
 policy/modules/contrib/openrc.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/openrc.te b/policy/modules/contrib/openrc.te
index bf5a336..91afb6e 100644
--- a/policy/modules/contrib/openrc.te
+++ b/policy/modules/contrib/openrc.te
@@ -13,6 +13,7 @@ role system_r types openrc_cgroup_release_t;
 # OpenRC cgroup release policy
 #
 
+allow openrc_cgroup_release_t self:capability dac_override;
 allow openrc_cgroup_release_t self:unix_stream_socket create_socket_perms;
 
 kernel_domtrans_to(openrc_cgroup_release_t, openrc_cgroup_release_exec_t)
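Review bot: dac_override is broader than the stated need. The commit message says the helper mostly reads files owned by another user, and bypassing read and directory-search permission checks is exactly what the narrower dac_read_search capability covers, whereas dac_override also bypasses write and execute checks. Prefer `allow openrc_cgroup_release_t self:capability dac_read_search;` and add dac_override only if an audit shows the helper also has to write or chmod cgroup files it does not own. Note that the kernel tests CAP_DAC_OVERRIDE before CAP_DAC_READ_SEARCH, so a dac_override AVC can appear even when dac_read_search suffices; the usual refpolicy treatment is to allow dac_read_search and dontaudit dac_override.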


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 16:19 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 16:19 UTC (permalink / raw
  To: gentoo-commits

commit:     e872d6690226ab048f76dd7bf849546a0273856b
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 16:19:27 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=e872d669

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 89 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 153 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..66a1c1d
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,89 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+files_config_file(bitcoin_etc_t)
+init_script_readable_type(bitcoin_etc_t)
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
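Review bot: the three commented `#corenet_sendrecv_dns_server_packets`, `#corenet_udp_bind_dns_port` and `#corenet_udp_sendrecv_dns_port` lines describe a DNS server binding the DNS port, which bitcoind never does; its DNS-seed lookups go through the resolver, and that client side is already covered by `auth_use_nsswitch(bitcoin_t)`, so delete the comments rather than carry them. The listener still needs `corenet_tcp_bind_generic_node(bitcoin_t)` alongside `corenet_tcp_bind_bitcoin_port(bitcoin_t)`, and `corenet_tcp_sendrecv_generic_node` does not substitute for it since sendrecv does not grant node_bind. bitcoin_log_t and bitcoin_var_run_t continue to be declared with no rules and no file contexts.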


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 16:15 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 16:15 UTC (permalink / raw
  To: gentoo-commits

commit:     47ced09d9eaad4632c5667b3185d81b5491bfc45
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 16:14:41 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=47ced09d

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 88 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 152 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')
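Review bot: bitcoin_admin is the only interface in this file, so there is no narrower way for another domain to reach the daemon or its files (no bitcoin_domtrans, bitcoin_initrc_domtrans or bitcoin_read_config-style interface); anything that later needs to start bitcoind or read /etc/bitcoin will have to be handed full admin rights including ptrace, which is the opposite of what an admin interface is for. Worth adding the usual domtrans/initrc_domtrans pair now so callers have a least-privilege option. Cosmetic: the module summary "Bitcoin software-based online payment system" describes the currency rather than the daemon being confined; something like "Bitcoin peer-to-peer currency daemon" reads better in the generated interface docs.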

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..f069c55
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,88 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+files_config_file(bitcoin_etc_t)
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
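Review bot: bitcoin_log_t and bitcoin_var_run_t are declared in the Declarations block, but the Local policy block gives bitcoin_t no rule on either, so the daemon can neither write its log nor create a pid file under the labels this module defines; add `manage_files_pattern(bitcoin_t, bitcoin_log_t, bitcoin_log_t)` with `logging_log_filetrans(bitcoin_t, bitcoin_log_t, file)` and `manage_files_pattern(bitcoin_t, bitcoin_var_run_t, bitcoin_var_run_t)` with `files_pid_filetrans(bitcoin_t, bitcoin_var_run_t, file)` (both types are also missing from bitcoin.fc). Directories under the datadir have the same gap: bitcoind creates subdirectories there, and `manage_files_pattern` on bitcoin_var_lib_t only covers files, so a `manage_dirs_pattern` is needed too. On the TODO above `corenet_tcp_bind_bitcoin_port`: a full node both listens on the bitcoin port and opens outbound connections to peers on that same port, so bind and connect are both legitimate; re-enable `corenet_tcp_connect_bitcoin_port` and pair it with `corenet_sendrecv_bitcoin_client_packets`. The three commented DNS lines can be deleted rather than left commented, since `auth_use_nsswitch` already pulls in name resolution. Minor: the tmp rule would idiomatically be `manage_files_pattern(bitcoin_t, bitcoin_tmp_t, bitcoin_tmp_t)`, and the body of the tunable_policy block is indented with spaces where the rest of the file uses tabs.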


^ permalink raw reply related	[flat|nested] 14+ messages in thread
* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 16:09 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 16:09 UTC (permalink / raw
  To: gentoo-commits

commit:     a89a0cb5ca7a1b82bb9741c56cef24acfc8a986a
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 16:09:12 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=a89a0cb5

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 87 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 151 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..4c13fea
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,87 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
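Review bot: `type bitcoin_etc_t;` is the only type in the Declarations block that is never passed to an attribute interface (compare `files_type(bitcoin_var_lib_t)` two stanzas down). A bare type is not a file_type, so it cannot be associated with the filesystem and labelling /etc/bitcoin with it, as bitcoin.fc does, fails at restorecon time; the generic config-file interfaces also skip it. Add `files_config_file(bitcoin_etc_t)` directly after the declaration.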


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 16:02 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 16:02 UTC (permalink / raw
  To: gentoo-commits

commit:     43299f0d2a7a0ac2adc1b91ea2939bca948863b2
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 16:01:32 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=43299f0d

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 87 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 151 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..4c13fea
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,87 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 16:00 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 16:00 UTC (permalink / raw
  To: gentoo-commits

commit:     8c8da66ac3f8b7fa37fc60ac8d92251ba00bfc20
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 16:00:03 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8c8da66a

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 87 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 151 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..6103dee
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,87 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
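Review bot: `init_script_readable(bitcoin_var_lib_t)` under the var_lib declaration: confirm this interface actually exists in init.if before merging, since an undefined macro name makes the m4 expansion fail for the whole module; the other revisions of this file in this thread spell it `init_script_readable_type`. Separately, `type bitcoin_etc_t;` still lacks `files_config_file(bitcoin_etc_t)`, so it is not a file_type and /etc/bitcoin cannot be labelled with it.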


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 15:45 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 15:45 UTC (permalink / raw
  To: gentoo-commits

commit:     dc7e1bc6aac145b6ee318bed445819031f5523d1
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 15:45:23 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dc7e1bc6

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 ++++++++
 policy/modules/contrib/bitcoin.if | 48 ++++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 86 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 150 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..d2198e4
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..ddd1ca3
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,86 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
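Review bot: bitcoin_var_lib_t is given only `files_type`, so nothing marks /var/lib/bitcoin as readable by the init script domain; if the bitcoind init script lists or checks the datadir before starting the daemon, that access is denied in enforcing mode unless initrc_t already has it from elsewhere. Add `init_script_readable_type(bitcoin_var_lib_t)` next to the files_type call. `type bitcoin_etc_t;` has the same problem in the other direction: with no `files_config_file(bitcoin_etc_t)` it is not a file_type at all and /etc/bitcoin cannot be labelled with it.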


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 15:37 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 15:37 UTC (permalink / raw
  To: gentoo-commits

commit:     7279800c28d37ac866f6d47924c5f23fa5e1875d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 15:37:21 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=7279800c

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 ++++++++
 policy/modules/contrib/bitcoin.if | 48 ++++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 86 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 150 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..86c4083
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	--	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
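Review bot: `/var/lib/bitcoin(/.*)?	--	gen_context(...)`: the `--` qualifier limits the match to regular files, so /var/lib/bitcoin itself and every subdirectory bitcoind creates under its datadir keep the default var_lib_t label, while the .te module only grants bitcoin_t access to bitcoin_var_lib_t. Drop the `--`, as the /etc/bitcoin(/.*)? line already does, so directories match too.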

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..922bc7c
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..ddd1ca3
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,86 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 14:42 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 14:42 UTC (permalink / raw
  To: gentoo-commits

commit:     fda39cc6bb008dabfa6ea8c670483e0b68108331
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 14:41:36 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=fda39cc6

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 ++++++++
 policy/modules/contrib/bitcoin.if | 48 ++++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 86 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 150 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..86c4083
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	--	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..2a56735
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 bitcoin_t;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')
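Review bot: `allow $2 bitcoin_t;` after the `role_transition` line puts a type where a role-allow statement expects a role; the refpolicy admin-interface idiom that `role_transition $2 bitcoin_initrc_exec_t system_r;` relies on is `allow $2 system_r;`, which lets the calling role enter system_r when running the init script. As written the statement does not express that and is likely to fail to build. Also, the interface grants `admin_pattern` over `bitcoin_log_t` and `bitcoin_var_run_t`, but the .te in this commit has no rules letting `bitcoin_t` create or write either type, so those two blocks administer files the daemon can never produce.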

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..ddd1ca3
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,86 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+#fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
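Review bot: `allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };` grants create and write access but neither read nor unlink, so the daemon cannot read back or remove the temp files it creates via `files_tmp_filetrans`; if full ownership is intended, `manage_files_pattern(bitcoin_t, bitcoin_tmp_t, bitcoin_tmp_t)` is the usual form. On the TODO about bind versus connect: a peer-to-peer node both listens on its port and initiates outbound connections to other peers on that same port, so with `corenet_tcp_connect_bitcoin_port(bitcoin_t)` commented out, outbound peering will be denied; either enable it together with the client-packet interface or state that this policy targets a listen-only deployment. The declared `bitcoin_log_t` and `bitcoin_var_run_t` types have no rules anywhere in this file, and the `tunable_policy` body is indented with spaces where the rest of the module uses tabs.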


* [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/
@ 2014-11-11 14:23 Sven Vermeulen
  0 siblings, 0 replies; 14+ messages in thread
From: Sven Vermeulen @ 2014-11-11 14:23 UTC
  To: gentoo-commits

commit:     cb4861e977601050afc03217b9421f3ad1119f3e
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Tue Nov 11 14:23:16 2014 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Tue Nov 11 14:23:16 2014 +0000
URL:        http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=cb4861e9

Bitcoin policy

---
 policy/modules/contrib/bitcoin.fc | 16 +++++++
 policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++++
 policy/modules/contrib/bitcoin.te | 87 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 151 insertions(+)

diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 0000000..86c4083
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)?	gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind	--	gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind	--	gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)?	--	gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
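Review bot: the `--` specifier on `/var/lib/bitcoin(/.*)?` restricts the match to regular files, so the directory and its subdirectories will not be labeled `bitcoin_var_lib_t`; compare the `/etc/bitcoin(/.*)?` entry, which correctly omits it. No path is given for `bitcoin_log_t` or `bitcoin_var_run_t` even though both are declared in the .te of this commit, so those labels are never applied on disk.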

diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 0000000..2a56735
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+##	Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access
+##	</summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+	gen_require(`
+		type bitcoin_t;
+		type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+		type bitcoin_var_lib_t, bitcoin_var_run_t;
+		type bitcoin_initrc_exec_t;
+	')
+
+	allow $1 bitcoin_t:process { ptrace signal_perms };
+	ps_process_pattern($1, bitcoin_t)
+
+	init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 bitcoin_initrc_exec_t system_r;
+	allow $2 bitcoin_t;
+
+	files_list_tmp($1)
+	admin_pattern($1, bitcoin_tmp_t)
+
+	logging_list_logs($1)
+	admin_pattern($1, bitcoin_log_t)
+
+	files_list_etc($1)
+	admin_pattern($1, bitcoin_etc_t)
+
+	files_list_var_lib($1)
+	admin_pattern($1, bitcoin_var_lib_t)
+
+	files_list_pids($1)
+	admin_pattern($1, bitcoin_var_run_t)
+')
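Review bot: `allow $2 bitcoin_t;` uses a type where the role-allow statement following `role_transition $2 bitcoin_initrc_exec_t system_r;` expects a role; the standard admin-interface form is `allow $2 system_r;`. The `admin_pattern` calls for `bitcoin_log_t` and `bitcoin_var_run_t` also have no counterpart in the .te, which never lets `bitcoin_t` write either type.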

diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 0000000..cb85531
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,87 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+##	<p>
+##	Determine whether the bitcoin daemon can bind
+##	to all unreserved ports or not.
+##	</p>
+##<</desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_files_pattern;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously? If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+#corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+fs_getattr_xattr_fs(bitcoin_t)
+fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+        corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
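Review bot: two lines in this hunk will not build or extract cleanly. `##<</desc>` closing the tunable description has a stray `<` and should read `## </desc>`, otherwise the XML documentation for `bitcoin_bind_all_unreserved_ports` is malformed; and `allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_files_pattern;` names a pattern macro where a permission set is expected, which should be `read_lnk_file_perms`. Minor style points: a doubled blank line follows `manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)`, and the `tunable_policy` body is indented with spaces rather than tabs.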

