author | Sven Vermeulen <sven.vermeulen@siphos.be> | 2014-11-11 15:23:16 +0100 |
committer | Sven Vermeulen <sven.vermeulen@siphos.be> | 2014-12-15 19:37:59 +0100 |
commit | 70c4420916c7da775aac6f6b383e7f17f85bcb79 (patch) | |
tree | ca869e72ae925f461b45a0ef6d6e8f725e53857e | |
parent | Add support for init_script_readable (diff) | |
Bitcoin policy
-rw-r--r-- | policy/modules/contrib/bitcoin.fc | 16 | ||||
-rw-r--r-- | policy/modules/contrib/bitcoin.if | 48 | ||||
-rw-r--r-- | policy/modules/contrib/bitcoin.te | 98 |
3 files changed, 162 insertions, 0 deletions
diff --git a/policy/modules/contrib/bitcoin.fc b/policy/modules/contrib/bitcoin.fc
new file mode 100644
index 00000000..d2198e4d
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.fc
@@ -0,0 +1,16 @@
+#
+# /etc
+#
+/etc/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_etc_t,s0)
+/etc/rc\.d/init\.d/bitcoind -- gen_context(system_u:object_r:bitcoin_initrc_exec_t,s0)
+
+#
+# /usr
+#
+/usr/bin/bitcoind -- gen_context(system_u:object_r:bitcoin_exec_t,s0)
+
+#
+# /var
+#
+/var/lib/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_var_lib_t,s0)
+
diff --git a/policy/modules/contrib/bitcoin.if b/policy/modules/contrib/bitcoin.if
new file mode 100644
index 00000000..922bc7c6
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.if
@@ -0,0 +1,48 @@
+## <summary>Bitcoin software-based online payment system</summary>
+
+#########################################
+## <summary>
+## Administer a bitcoin environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access
+## </summary>
+## </param>
+#
+interface(`bitcoin_admin',`
+ gen_require(`
+ type bitcoin_t;
+ type bitcoin_etc_t, bitcoin_tmp_t, bitcoin_log_t;
+ type bitcoin_var_lib_t, bitcoin_var_run_t;
+ type bitcoin_initrc_exec_t;
+ ')
+
+ allow $1 bitcoin_t:process { ptrace signal_perms };
+ ps_process_pattern($1, bitcoin_t)
+
+ init_labeled_script_domtrans($1, bitcoin_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 bitcoin_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ files_list_tmp($1)
+ admin_pattern($1, bitcoin_tmp_t)
+
+ logging_list_logs($1)
+ admin_pattern($1, bitcoin_log_t)
+
+ files_list_etc($1)
+ admin_pattern($1, bitcoin_etc_t)
+
+ files_list_var_lib($1)
+ admin_pattern($1, bitcoin_var_lib_t)
+
+ files_list_pids($1)
+ admin_pattern($1, bitcoin_var_run_t)
+')
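Review bot: bitcoin_log_t and bitcoin_var_run_t are declared in bitcoin.te and handed to admin_pattern in bitcoin_admin, but this file gives them no path, and bitcoin.te grants bitcoin_t no access to them and no `logging_log_filetrans`/`files_pid_filetrans`, so nothing will ever carry those labels and any log or pid file the daemon creates outside /var/lib/bitcoin would land in the generic /var/log or /var/run type and be denied. Either add file contexts for the log directory and pid file (for example `/var/log/bitcoin(/.*)? gen_context(system_u:object_r:bitcoin_log_t,s0)` and a pid-file entry labelled bitcoin_var_run_t, both paths to be confirmed against the daemon's defaults) together with the matching manage rules and filetrans in bitcoin.te, or drop the two types and their admin_pattern lines in bitcoin.if until they are needed. The same gap applies to the bitcoin.te hunk below, where the two types are declared but never used by bitcoin_t.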
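Review bot: The bitcoin_admin documentation block lacks the `## <rolecap/>` tag that refpolicy admin interfaces carry after the `role` parameter block, which the policy doc tooling uses to list the interface as a role capability; add `## <rolecap/>` immediately before the closing `#` line. Separately, `allow $1 bitcoin_t:process { ptrace signal_perms };` lets the admin domain read the daemon's memory, which presumably holds wallet key material while bitcoind is running; this is the usual refpolicy shape for an admin interface, but a one-line comment noting that exposure would help whoever later decides which roles get bitcoin_admin.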
diff --git a/policy/modules/contrib/bitcoin.te b/policy/modules/contrib/bitcoin.te
new file mode 100644
index 00000000..672516e9
--- /dev/null
+++ b/policy/modules/contrib/bitcoin.te
@@ -0,0 +1,98 @@
+policy_module(bitcoin, 0.1)
+
+#########################################
+#
+# Declarations
+#
+
+## <desc>
+## <p>
+## Determine whether the bitcoin daemon can bind
+## to all unreserved ports or not.
+## </p>
+## </desc>
+gen_tunable(bitcoin_bind_all_unreserved_ports, false)
+
+type bitcoin_t;
+type bitcoin_exec_t;
+init_daemon_domain(bitcoin_t, bitcoin_exec_t)
+
+type bitcoin_initrc_exec_t;
+init_script_file(bitcoin_initrc_exec_t)
+
+type bitcoin_etc_t;
+files_config_file(bitcoin_etc_t)
+init_script_readable_type(bitcoin_etc_t)
+
+type bitcoin_log_t;
+logging_log_file(bitcoin_log_t)
+
+type bitcoin_var_lib_t;
+files_type(bitcoin_var_lib_t)
+init_script_readable_type(bitcoin_var_lib_t)
+
+type bitcoin_var_run_t;
+files_pid_file(bitcoin_var_run_t)
+
+type bitcoin_tmp_t;
+files_tmp_file(bitcoin_tmp_t)
+
+#########################################
+#
+# Local policy
+#
+
+allow bitcoin_t self:process signal_perms;
+allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };
+allow bitcoin_t self:tcp_socket create_stream_socket_perms;
+
+read_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+read_lnk_files_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+#list_dirs_pattern(bitcoin_t, bitcoin_etc_t, bitcoin_etc_t)
+
+allow bitcoin_t bitcoin_tmp_t:file { create_file_perms write_file_perms };
+files_tmp_filetrans(bitcoin_t, bitcoin_tmp_t, file)
+
+allow bitcoin_t bitcoin_var_lib_t:lnk_file read_lnk_file_perms;
+manage_files_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+manage_dirs_pattern(bitcoin_t, bitcoin_var_lib_t, bitcoin_var_lib_t)
+
+kernel_read_system_state(bitcoin_t)
+kernel_read_vm_sysctls(bitcoin_t)
+
+corenet_all_recvfrom_netlabel(bitcoin_t)
+corenet_all_recvfrom_unlabeled(bitcoin_t)
+
+corenet_sendrecv_bitcoin_server_packets(bitcoin_t)
+# TODO why bind and connect simultaneously?
If needed, perhaps also bitcoin_client_packets
+corenet_tcp_bind_bitcoin_port(bitcoin_t)
+corenet_tcp_connect_bitcoin_port(bitcoin_t)
+corenet_tcp_connect_http_port(bitcoin_t)
+corenet_tcp_bind_generic_node(bitcoin_t)
+corenet_tcp_sendrecv_bitcoin_port(bitcoin_t)
+corenet_tcp_sendrecv_generic_if(bitcoin_t)
+corenet_tcp_sendrecv_generic_node(bitcoin_t)
+#corenet_sendrecv_dns_server_packets(bitcoin_t)
+#corenet_udp_bind_dns_port(bitcoin_t)
+#corenet_udp_sendrecv_dns_port(bitcoin_t)
+
+dev_read_sysfs(bitcoin_t)
+dev_read_urand(bitcoin_t)
+
+domain_use_interactive_fds(bitcoin_t)
+
+files_read_etc_runtime_files(bitcoin_t)
+files_read_usr_files(bitcoin_t)
+
+fs_getattr_xattr_fs(bitcoin_t)
+#fs_associate(bitcoin_var_lib_t)
+
+auth_use_nsswitch(bitcoin_t)
+
+miscfiles_read_localization(bitcoin_t)
+
+userdom_use_user_terminals(bitcoin_t)
+
+tunable_policy(`bitcoin_bind_all_unreserved_ports',`
+ corenet_tcp_bind_all_unreserved_ports(bitcoin_t)
+')
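Review bot: The open question at `# TODO why bind and connect simultaneously?` can be answered in the policy rather than left as a TODO: a peer-to-peer node listens on the bitcoin port for inbound peers and also connects to that same port on other nodes, so the bind/connect pair is expected, and if outbound peer connections are made the server-packets rule should be paired with `corenet_sendrecv_bitcoin_client_packets(bitcoin_t)` as the TODO itself suggests. `corenet_tcp_connect_http_port(bitcoin_t)` and `dev_read_sysfs(bitcoin_t)` carry no explanation in the hunk; each is an access a later reader of AVC denials will want justified, so a why-comment naming the daemon feature that needs outbound HTTP or sysfs reads belongs on them. `allow bitcoin_t self:netlink_route_socket { write getattr read bind create nlmsg_read };` is a hand-picked subset of what refpolicy spells as `r_netlink_socket_perms`; if the narrower set is deliberate, a comment saying so would stop the next contributor from "fixing" it, otherwise use the named set for consistency. The commented-out `#list_dirs_pattern`, `#corenet_*dns*` and `#fs_associate` lines should either be removed or carry a note on why they are retained.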