selinux-refpolicy/policy/modules/apps/syncthing.te

policy_module(syncthing, 1.1.0)

########################################
#
# Declarations
#

attribute_role syncthing_roles;
role syncthing_roles types syncthing_t;

type syncthing_t;
type syncthing_exec_t;
init_daemon_domain(syncthing_t, syncthing_exec_t)
userdom_user_application_domain(syncthing_t, syncthing_exec_t)

type syncthing_xdg_config_t alias syncthing_config_home_t;
xdg_config_content(syncthing_xdg_config_t)

########################################
#
# Declarations
#

allow syncthing_t self:process getsched;
allow syncthing_t self:fifo_file rw_fifo_file_perms;
allow syncthing_t self:tcp_socket { listen accept };

can_exec(syncthing_t, syncthing_exec_t)

manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
manage_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)

kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
kernel_read_system_state(syncthing_t)

corenet_tcp_sendrecv_generic_if(syncthing_t)
corenet_udp_sendrecv_generic_if(syncthing_t)
corenet_tcp_bind_generic_node(syncthing_t)
corenet_tcp_sendrecv_generic_node(syncthing_t)
corenet_tcp_sendrecv_all_ports(syncthing_t)
corenet_udp_bind_generic_node(syncthing_t)
corenet_udp_sendrecv_generic_node(syncthing_t)
corenet_udp_sendrecv_all_ports(syncthing_t)
corenet_tcp_connect_all_ports(syncthing_t)
corenet_tcp_bind_syncthing_port(syncthing_t)
corenet_udp_bind_syncthing_discovery_port(syncthing_t)
corenet_tcp_bind_syncthing_admin_port(syncthing_t)

dev_read_rand(syncthing_t)
dev_read_urand(syncthing_t)

fs_getattr_xattr_fs(syncthing_t)

auth_use_nsswitch(syncthing_t)

miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)

userdom_user_content_access_template(syncthing, syncthing_t)

userdom_use_user_terminals(syncthing_t)

optional_policy(`
	# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
	networkmanager_read_pid_files(syncthing_t)
')
Bump module versions for release. 2018-07-01 15:02:33 +00:00			`policy_module(syncthing, 1.1.0)`
Re-add policy modules from old refpolicy-contrib submodule. 2018-06-23 13:00:56 +00:00
			`########################################`
			`#`
			`# Declarations`
			`#`

			`attribute_role syncthing_roles;`
			`role syncthing_roles types syncthing_t;`

			`type syncthing_t;`
			`type syncthing_exec_t;`
			`init_daemon_domain(syncthing_t, syncthing_exec_t)`
			`userdom_user_application_domain(syncthing_t, syncthing_exec_t)`

			`type syncthing_xdg_config_t alias syncthing_config_home_t;`
			`xdg_config_content(syncthing_xdg_config_t)`

			`########################################`
			`#`
			`# Declarations`
			`#`

			`allow syncthing_t self:process getsched;`
			`allow syncthing_t self:fifo_file rw_fifo_file_perms;`
			`allow syncthing_t self:tcp_socket { listen accept };`

			`can_exec(syncthing_t, syncthing_exec_t)`

			`manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)`
			`manage_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)`
			`manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)`
			`xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)`

			`kernel_read_kernel_sysctls(syncthing_t)`
			`kernel_read_net_sysctls(syncthing_t)`
			`kernel_read_system_state(syncthing_t)`

			`corenet_tcp_sendrecv_generic_if(syncthing_t)`
			`corenet_udp_sendrecv_generic_if(syncthing_t)`
			`corenet_tcp_bind_generic_node(syncthing_t)`
			`corenet_tcp_sendrecv_generic_node(syncthing_t)`
			`corenet_tcp_sendrecv_all_ports(syncthing_t)`
			`corenet_udp_bind_generic_node(syncthing_t)`
			`corenet_udp_sendrecv_generic_node(syncthing_t)`
			`corenet_udp_sendrecv_all_ports(syncthing_t)`
			`corenet_tcp_connect_all_ports(syncthing_t)`
			`corenet_tcp_bind_syncthing_port(syncthing_t)`
			`corenet_udp_bind_syncthing_discovery_port(syncthing_t)`
			`corenet_tcp_bind_syncthing_admin_port(syncthing_t)`

			`dev_read_rand(syncthing_t)`
			`dev_read_urand(syncthing_t)`

			`fs_getattr_xattr_fs(syncthing_t)`

			`auth_use_nsswitch(syncthing_t)`

			`miscfiles_read_generic_certs(syncthing_t)`
			`miscfiles_read_localization(syncthing_t)`

			`userdom_user_content_access_template(syncthing, syncthing_t)`

			`userdom_use_user_terminals(syncthing_t)`

			optional_policy(`
			`# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()`
			`networkmanager_read_pid_files(syncthing_t)`
			`')`