From Fedora Project Wiki
No edit summary |
No edit summary |
||
| Line 3: | Line 3: | ||
* '''System Service bitcoind''' | * '''System Service bitcoind''' | ||
** Should have its datadir somewhere like %{_datadir} | ** Should have its datadir somewhere like %{_datadir}bitcoinsys/ which expands to /var/lib/bitcoinsys/ | ||
** Config file <code>%config(noreplace) %{_datadir}/ | ** Config file <code>%config(noreplace) %{_datadir}/bitcoinsys/bitcoin.conf</code> with wallet disabled by default, but they could enable it with wallet=1 if they really want it. | ||
** With system username like: <code> | ** With system username like: <code>bitcoinsys</code> | ||
** Wrapper should launch bitcoind in a context named like: <code> | ** Wrapper should launch bitcoind in a context named like: <code>bitcoinsys_t</code> | ||
** %doc README-FEDORA-BITCOIN-SERVICE should probably explain how the service is meant to be configured, used and controlled with bitcoin-cli or RPC/REST interfaces as the non-default datadir does not match upstream documentation and it thus may be non-obvious to users. | ** %doc README-FEDORA-BITCOIN-SERVICE should probably explain how the service is meant to be configured, used and controlled with bitcoin-cli or RPC/REST interfaces as the non-default datadir does not match upstream documentation and it thus may be non-obvious to users. | ||
* '''User service bitcoind and bitcoin-qt''' | * '''User service bitcoind and graphical bitcoin-qt''' | ||
** The most common way in which Bitcoin Core users run their own bitcoind or bitcoin-qt with is as a non-root user with datadir <code>~/.bitcoin/</code>. | ** The most common way in which Bitcoin Core users run their own bitcoind or bitcoin-qt with is as a non-root user with datadir <code>~/.bitcoin/</code>. | ||
** There should be a separate user homedir SELinux policy for bitcoind and bitcoin-qt operated in this manner. | ** There should be a separate user homedir SELinux policy for bitcoind and bitcoin-qt operated in this manner, with a context like <code>user_bitcoin_t</code>. | ||
** Note: Arbitrary other services may need to be granted both UNIX filesystem and SELinux permission to read the autotoken file from the user's ~/.bitcoin directory. | |||
Revision as of 02:43, 30 October 2015
RPM Package and SELinux
There probably should be two separate SELinux policy modules for the two different ways Bitcoin Core is used.
- System Service bitcoind
- Should have its datadir somewhere like %{_datadir}bitcoinsys/ which expands to /var/lib/bitcoinsys/
- Config file
%config(noreplace) %{_datadir}/bitcoinsys/bitcoin.confwith wallet disabled by default, but they could enable it with wallet=1 if they really want it. - With system username like:
bitcoinsys - Wrapper should launch bitcoind in a context named like:
bitcoinsys_t - %doc README-FEDORA-BITCOIN-SERVICE should probably explain how the service is meant to be configured, used and controlled with bitcoin-cli or RPC/REST interfaces as the non-default datadir does not match upstream documentation and it thus may be non-obvious to users.
- User service bitcoind and graphical bitcoin-qt
- The most common way in which Bitcoin Core users run their own bitcoind or bitcoin-qt with is as a non-root user with datadir
~/.bitcoin/. - There should be a separate user homedir SELinux policy for bitcoind and bitcoin-qt operated in this manner, with a context like
user_bitcoin_t. - Note: Arbitrary other services may need to be granted both UNIX filesystem and SELinux permission to read the autotoken file from the user's ~/.bitcoin directory.
- The most common way in which Bitcoin Core users run their own bitcoind or bitcoin-qt with is as a non-root user with datadir