Bug 2246255 - SELinux denial of bitcoind reading /etc/bitcoin/bitcoin.conf
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: bitcoin-core-selinux
Version: 38
Hardware: aarch64
OS: Linux
unspecified
medium
Assignee: Simone Caronni
Reported: 2023-10-26 03:16 UTC by Jordan Williams
Modified: 2023-12-06 02:00 UTC (History)

Fixed In Version: bitcoin-core-selinux-0-11.20231127git4505616.fc37 bitcoin-core-selinux-0-11.20231127git4505616.el9 bitcoin-core-selinux-0-11.20231127git4505616.fc39 bitcoin-core-selinux-0-11.20231127git4505616.fc38 bitcoin-core-selinux-0-11.20231127git4505616.el8
Last Closed: 2023-12-05 16:27:33 UTC

Description Jordan Williams 2023-10-26 03:16:15 UTC
On Fedora IoT 38 and 39, when attempting to run the bitcoin-core server, it's unable to start due to being denied access to `/etc/bitcoin/bitcoin.conf`.

Reproducible: Always

Steps to Reproduce:
1. `sudo rpm-ostree install bitcoin-core-server bitcoin-core-selinux bitcoin-core-utils`
2. `sudo systemctl reboot`
3. `sudo cp /usr/share/doc/bitcoin-core-server/bitcoin.conf.example /etc/bitcoin/bitcoin.conf`
4. `sudo systemctl start bitcoin.service`

Actual Results:
The bitcoin service fails to start. The log shows the following error message.

```
Error reading configuration file: specified config file "/etc/bitcoin/bitcoin.conf" could not be opened.
```

Additionally, `sudo ausearch -c 'bitcoin'` returns the following messages:

```
time->Wed Oct 25 22:06:07 2023
type=AVC msg=audit(1698289567.600:697): avc:  denied  { nnp_transition } for  pid=8237 comm="(bitcoind)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:bitcoin_t:s0 tclass=process2 permissive=0
----
time->Wed Oct 25 22:06:07 2023
type=AVC msg=audit(1698289567.733:699): avc:  denied  { read } for  pid=8237 comm="bitcoind" name="bitcoin.conf" dev="mmcblk0p3" ino=253222 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:bitcoin_conf_t:s0 tclass=file permissive=0
----
time->Wed Oct 25 22:06:08 2023
type=AVC msg=audit(1698289568.118:706): avc:  denied  { nnp_transition } for  pid=8244 comm="(bitcoind)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:bitcoin_t:s0 tclass=process2 permissive=0
----
time->Wed Oct 25 22:06:08 2023
type=AVC msg=audit(1698289568.249:708): avc:  denied  { read } for  pid=8244 comm="bitcoind" name="bitcoin.conf" dev="mmcblk0p3" ino=253222 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:bitcoin_conf_t:s0 tclass=file permissive=0
----
time->Wed Oct 25 22:06:08 2023
type=AVC msg=audit(1698289568.612:715): avc:  denied  { nnp_transition } for  pid=8255 comm="(bitcoind)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:bitcoin_t:s0 tclass=process2 permissive=0
----
time->Wed Oct 25 22:06:08 2023
type=AVC msg=audit(1698289568.740:717): avc:  denied  { read } for  pid=8255 comm="bitcoind" name="bitcoin.conf" dev="mmcblk0p3" ino=253222 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:bitcoin_conf_t:s0 tclass=file permissive=0
----
time->Wed Oct 25 22:06:09 2023
type=AVC msg=audit(1698289569.097:724): avc:  denied  { nnp_transition } for  pid=8289 comm="(bitcoind)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:bitcoin_t:s0 tclass=process2 permissive=0
----
time->Wed Oct 25 22:06:09 2023
type=AVC msg=audit(1698289569.224:726): avc:  denied  { read } for  pid=8289 comm="bitcoind" name="bitcoin.conf" dev="mmcblk0p3" ino=253222 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:bitcoin_conf_t:s0 tclass=file permissive=0
----
time->Wed Oct 25 22:06:09 2023
type=AVC msg=audit(1698289569.607:733): avc:  denied  { nnp_transition } for  pid=8292 comm="(bitcoind)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:bitcoin_t:s0 tclass=process2 permissive=0
----
time->Wed Oct 25 22:06:09 2023
type=AVC msg=audit(1698289569.738:735): avc:  denied  { read } for  pid=8292 comm="bitcoind" name="bitcoin.conf" dev="mmcblk0p3" ino=253222 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:bitcoin_conf_t:s0 tclass=file permissive=0
```

Expected Results:  
The bitcoin service should be able to read `/etc/bitcoin/bitcoin.conf` and start.

I've followed the instructions at https://docs.fedoraproject.org/en-US/fedora-silverblue/troubleshooting/#_selinux_problems to ensure the SELinux policy is correct, but this did not fix the problem.
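
An added triage example, not part of the original report: it deduplicates AVC records like the ones above and flags denials raised by a process still running in the source domain of a denied `nnp_transition`, which is what the log shows here (`bitcoind` reads the file as `init_t`, not `bitcoin_t`). The sample lines are copied from the report; the function names are illustrative.

```python
import re
from collections import Counter

# Four records copied from the ausearch output in the report above.
SAMPLE = '''\
type=AVC msg=audit(1698289567.600:697): avc:  denied  { nnp_transition } for  pid=8237 comm="(bitcoind)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:bitcoin_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1698289567.733:699): avc:  denied  { read } for  pid=8237 comm="bitcoind" name="bitcoin.conf" dev="mmcblk0p3" ino=253222 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:bitcoin_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1698289568.118:706): avc:  denied  { nnp_transition } for  pid=8244 comm="(bitcoind)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:bitcoin_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1698289568.249:708): avc:  denied  { read } for  pid=8244 comm="bitcoind" name="bitcoin.conf" dev="mmcblk0p3" ino=253222 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:bitcoin_conf_t:s0 tclass=file permissive=0
'''

AVC = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')


def sel_type(context):
    """user:role:type[:level] -> type (the level may itself contain ':')."""
    return context.split(':')[2]


def parse_denials(text):
    """Count unique (source type, target type, class, permission) denials."""
    counts = Counter()
    for m in AVC.finditer(text):
        for perm in m['perms'].split():
            counts[(sel_type(m['s']), sel_type(m['t']), m['cls'], perm)] += 1
    return counts


def untransitioned(counts):
    """Denials hit by a process left in the source domain of a denied
    process2:nnp_transition. They are side effects of the missing domain
    transition, so the transition denial is the one to resolve first."""
    stuck = {src for (src, _tgt, cls, perm) in counts
             if cls == 'process2' and perm == 'nnp_transition'}
    return sorted(k for k in counts if k[0] in stuck and k[2] != 'process2')


if __name__ == '__main__':
    denials = parse_denials(SAMPLE)
    for key, n in denials.items():
        print(n, *key)
    print('secondary to failed transition:', untransitioned(denials))
```

On a live system the same functions can be fed the text returned by `sudo ausearch -c 'bitcoin'`.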

Comment 1 Fedora Update System 2023-11-27 10:47:24 UTC
FEDORA-2023-889e5b5801 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-889e5b5801

Comment 2 Fedora Update System 2023-11-27 10:47:25 UTC
FEDORA-2023-4c176d2b0a has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-4c176d2b0a

Comment 3 Fedora Update System 2023-11-27 10:47:25 UTC
FEDORA-2023-de859441ea has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-de859441ea

Comment 4 Fedora Update System 2023-11-27 10:47:26 UTC
FEDORA-EPEL-2023-9285d6ee02 has been submitted as an update to Fedora EPEL 9. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-9285d6ee02

Comment 5 Simone Caronni 2023-11-27 10:48:56 UTC
An update to fix the issue has been pushed, thanks for reporting.

I'm running my node with SELinux enabled, but due to some "development" mislabeling on the system I've never stumbled upon the issue.

Comment 6 Fedora Update System 2023-11-28 01:37:23 UTC
FEDORA-EPEL-2023-9285d6ee02 has been pushed to the Fedora EPEL 9 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-9285d6ee02

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2023-11-28 02:24:22 UTC
FEDORA-2023-de859441ea has been pushed to the Fedora 38 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-de859441ea`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-de859441ea

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2023-11-28 02:40:42 UTC
FEDORA-2023-889e5b5801 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-889e5b5801`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-889e5b5801

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2023-11-28 02:49:58 UTC
FEDORA-EPEL-2023-c3a0dc1d80 has been pushed to the Fedora EPEL 8 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2023-c3a0dc1d80

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 10 Fedora Update System 2023-11-28 02:50:53 UTC
FEDORA-2023-4c176d2b0a has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-4c176d2b0a`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-4c176d2b0a

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 11 Fedora Update System 2023-12-05 16:27:33 UTC
FEDORA-2023-4c176d2b0a has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 12 Fedora Update System 2023-12-06 00:34:13 UTC
FEDORA-EPEL-2023-9285d6ee02 has been pushed to the Fedora EPEL 9 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 13 Fedora Update System 2023-12-06 01:39:50 UTC
FEDORA-2023-889e5b5801 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 14 Fedora Update System 2023-12-06 01:46:08 UTC
FEDORA-2023-de859441ea has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make a note of it in this bug report.

Comment 15 Fedora Update System 2023-12-06 02:00:56 UTC
FEDORA-EPEL-2023-c3a0dc1d80 has been pushed to the Fedora EPEL 8 stable repository.
If the problem still persists, please make a note of it in this bug report.

