From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1416751512.b6bb266c74511af3e6f2d1a3dfbfa165716ff2a9.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:bitcoin commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/bitcoin.fc policy/modules/contrib/bitcoin.if policy/modules/contrib/bitcoin.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: b6bb266c74511af3e6f2d1a3dfbfa165716ff2a9 X-VCS-Branch: bitcoin Date: Sun, 23 Nov 2014 14:06:11 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: a5f1bcd7-1326-4931-b6d4-e620d7172488 X-Archives-Hash: a9ae0334b4b0dc125b89531b18aa54d7 commit: b6bb266c74511af3e6f2d1a3dfbfa165716ff2a9 Author: Sven Vermeulen siphos be> AuthorDate: Tue Nov 11 14:23:16 2014 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Sun Nov 23 14:05:12 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=b6bb266c Bitcoin policy --- policy/modules/contrib/bitcoin.fc | 16 +++++++ policy/modules/contrib/bitcoin.if | 48 +++++++++++++++++++++ policy/modules/contrib/bitcoin.te | 89 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 153 insertions(+) diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc new file mode 100644 index 0000000..d2198e4 --- /dev/null +++ b/policy/modules/contrib/bitcoin.fc 
@@ -0,0 +1,16 @@ +# +# /etc +# +/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0) +/etc/rc\.d/init\.d/bitcoind -- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0) + +# +# /usr +# +/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0) + +# +# /var +# +/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0) + diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if new file mode 100644 index 0000000..922bc7c --- /dev/null +++ b/policy/modules/contrib/bitcoin.if @@ -0,0 +1,48 @@ +## Bitcoin software-based online payment system + +######################################### +## +## Administer a bitcoin environment +## +## +## +## Domain allowed access +## +## +## +## +## Role allowed access +## +## +# +interface(`bitcoin_admin',` + gen_require(` + type bitcoin_t; + type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t; + type bitcoin_var_lib_t, bitcoin_var_run_t; + type bitcoin_initrc_exec_t; + ') + + allow $1 bitcoin_t:process { ptrace signal_perms }; + ps_process_pattern($1, bitcoin_t) + + init_labeled_script_domtrans($1, bitcoin_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 bitcoin_initrc_exec_t system_r; + allow $2 system_r; + + files_list_tmp($1) + admin_pattern($1, bitcoin_tmp_t) + + logging_list_logs($1) + admin_pattern($1, bitcoin_log_t) + + files_list_etc($1) + admin_pattern($1, bitcoin_etc_t) + + files_list_var_lib($1) + admin_pattern($1, bitcoin_var_lib_t) + + files_list_pids($1) + admin_pattern($1, bitcoin_var_run_t) +') diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te new file mode 100644 index 0000000..66a1c1d --- /dev/null +++ b/policy/modules/contrib/bitcoin.te @@ -0,0 +1,89 @@ +policy_module(bitcoin, 0.1) + +######################################### +# +# Declarations +# + +## +##

+## Determine whether the bitcoin daemon can bind +## to all unreserved ports or not. +##

+##
+gen_tunable(bitcoin_bind_all_unreserved_ports, false) + +type bitcoin_t; +type bitcoin_exec_t; +init_daemon_domain(bitcoin_t, bitcoin_exec_t) + +type bitcoin_initrc_exec_t; +init_script_file(bitcoin_initrc_exec_t) + +type bitcoin_etc_t; +files_config_file(bitcoin_etc_t) +init_script_readable_type(bitcoin_etc_t) + +type bitcoin_log_t; +logging_log_file(bitcoin_log_t) + +type bitcoin_var_lib_t; +files_type(bitcoin_var_lib_t) +init_script_readable_type(bitcoin_var_lib_t) + +type bitcoin_var_run_t; +files_pid_file(bitcoin_var_run_t) + +type bitcoin_tmp_t; +files_tmp_file(bitcoin_tmp_t) + +######################################### +# +# Local policy +# + +allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read }; +allow bitcoin_t self:tcp_socket create_stream_socket_perms; + +read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t) + +allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms }; +files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file) + +allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms; +manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t) + +kernel_read_vm_sysctls(bitcoin_t) + +corenet_all_recvfrom_netlabel(bitcoin_t) +corenet_all_recvfrom_unlabeled(bitcoin_t) + +corenet_sendrecv_bitcoin_server_packets(bitcoin_t) +# TODO why bind and connect simultaneously? 
If needed, perhaps also bitcoin_client_packets +corenet_tcp_bind_bitcoin_port(bitcoin_t) +#corenet_tcp_connect_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_bitcoin_port(bitcoin_t) +corenet_tcp_sendrecv_generic_if(bitcoin_t) +corenet_tcp_sendrecv_generic_node(bitcoin_t) +#corenet_sendrecv_dns_server_packets(bitcoin_t) +#corenet_udp_bind_dns_port(bitcoin_t) +#corenet_udp_sendrecv_dns_port(bitcoin_t) + +dev_read_sysfs(bitcoin_t) +dev_read_urand(bitcoin_t) + +domain_use_interactive_fds(bitcoin_t) + +files_read_etc_runtime_files(bitcoin_t) +files_read_usr_files(bitcoin_t) + +#fs_getattr_xattr_fs(bitcoin_t) +#fs_associate(bitcoin_var_lib_t) + +auth_use_nsswitch(bitcoin_t) + +miscfiles_read_localization(bitcoin_t) + +tunable_policy(`bitcoin_bind_all_unreserved_ports',` + corenet_tcp_bind_all_unreserved_ports(bitcoin_t) +')
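Review bot: in the bitcoin.fc hunk the file contexts cover only /etc/bitcoin, the init script, /usr/bin/bitcoind and /var/lib/bitcoin, yet bitcoin.te declares bitcoin_log_t and bitcoin_var_run_t and bitcoin_admin runs admin_pattern over both; with no .fc entry for a log directory or a pid file, those two types can never be applied by a relabel and the admin rules over them are dead weight. Either add entries for the paths the init script actually uses (a log directory under /var/log and the daemon's pid file, paths to be confirmed against the ebuild) or drop the two types until they are needed.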
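Review bot: in the bitcoin_admin interface (bitcoin.if hunk) the gen_require pulls in bitcoin_tmp_t, bitcoin_log_t and bitcoin_var_run_t and grants admin_pattern over each, but the local policy in bitcoin.te only gives bitcoin_t rules for bitcoin_etc_t, bitcoin_tmp_t and bitcoin_var_lib_t; there is no logging_log_filetrans or files_pid_filetrans, so the admin domain is handed management rights over files the daemon can never create. Either add the matching daemon rules in bitcoin.te or trim the interface to the types actually in use, so the admin role is not granted broader rights than the policy needs.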
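Review bot: the bitcoin.te hunk lands with an open TODO ("why bind and connect simultaneously?") and six commented-out `#corenet_*` and `#fs_*` rules, and it calls corenet_tcp_bind_bitcoin_port and corenet_sendrecv_bitcoin_server_packets although the commit changes only the three contrib files, so it will not build unless bitcoin_port_t is already declared in kernel/corenetwork. Resolve the TODO before merging: a daemon that only listens needs the bind rule alone, one that also opens connections to peers needs the corenet_tcp_connect_bitcoin_port line that is currently commented out plus the client-packets rule the comment mentions; whichever is chosen, delete the unused commented lines rather than leaving them in the policy, and add a short comment explaining the choice so the next reader does not reopen the question.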