From ba903b48402444f14d7992fbb84237ee3469f4f7 Mon Sep 17 00:00:00 2001
From: Naftuli Tzvi Kay
Date: Sun, 21 Aug 2016 00:06:32 -0700
Subject: [PATCH] Add Syncthing Support to Policy

For now, optionally add the Syncthing role to user_r, staff_r, and unconfined_r, and define the Syncthing ports in core network.
---
 policy/modules/kernel/corenetwork.te.in | 3 +++
 policy/modules/roles/staff.te | 4 ++++
 policy/modules/roles/unprivuser.te | 4 ++++
 policy/modules/system/unconfined.te | 4 ++++
 4 files changed, 15 insertions(+)

diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 81ef28f38..9318239fd 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -255,6 +255,9 @@ network_port(stunnel) # no defined portcon
 network_port(svn, tcp,3690,s0, udp,3690,s0)
 network_port(svrloc, tcp,427,s0, udp,427,s0)
 network_port(swat, tcp,901,s0)
+network_port(syncthing, tcp,22000,s0)
+network_port(syncthing_admin, tcp,8384,s0)
+network_port(syncthing_discovery, udp,21027,s0)
 network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
 network_port(syslogd, udp,514,s0)
 network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 33c699353..6fc12dd17 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -51,6 +51,10 @@ optional_policy(`
 userdom_dontaudit_use_user_terminals(staff_t)
 ')
 
+optional_policy(`
+ syncthing_role(staff_r, staff_t)
+')
+
 optional_policy(`
 vlock_run(staff_t, staff_r)
 ')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 2c4a15438..e7567617e 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -145,6 +145,10 @@ ifndef(`distro_redhat',`
 sudo_role_template(user, user_r, user_t)
 ')
 
+ optional_policy(`
+ syncthing_role(user_r, user_t)
+ ')
+
 optional_policy(`
 thunderbird_role(user_r, user_t)
 ')
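Review bot: The three `network_port()` lines added to corenetwork.te.in label only Syncthing's default listeners (22000/tcp, 8384/tcp, 21027/udp), and Syncthing lets all three be changed, so on a host with non-default ports the split between `syncthing` and `syncthing_admin` would not apply. The file already carries trailing comments (`# no defined portcon` on the stunnel line in the hunk header), so I would add one here, e.g. `network_port(syncthing_admin, tcp,8384,s0) # default GUI/REST listener`. The commit message could also say that custom listeners need relabelling, e.g. `semanage port -a -t syncthing_admin_port_t -p tcp PORT`. The rules that consume these port types are not in this patch, so which domains may bind or connect to the admin port cannot be checked from here.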
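Review bot: `syncthing_role` is called in this staff.te hunk, and again in the unprivuser.te and unconfined.te hunks, but no file in this patch defines it, so what the role grants to `staff_t`, `user_t` and `unconfined_t` cannot be reviewed from this commit. Because each call sits in `optional_policy`, a tree without the Syncthing module still builds and the three blocks expand to nothing, which makes a missing or misnamed module easy to overlook. The commit message should name what provides the interface, for example `Requires the syncthing module from COMMIT_OR_REPO_PLACEHOLDER.`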
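Review bot: In unprivuser.te the new `optional_policy` block appears to sit inside the `ifndef` on `distro_redhat` named in the hunk header, so on distro_redhat builds `user_r` would not receive `syncthing_role` while `staff_r` and `unconfined_r` would. The added lines here are indented (`+ optional_policy`, `+ ')`), unlike the column-0 additions in staff.te and unconfined.te, but the `ifndef` starts and ends outside the hunk, so this is inferred. If the difference is intended, as the neighbouring `thunderbird_role` block suggests, a comment above the block such as `# not applied on distro_redhat builds` would record it. If it is not, the block belongs after the closing `')` of the `ifndef`.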
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index ad23fce2b..83e681d94 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -173,6 +173,10 @@ optional_policy(`
 spamassassin_role(unconfined_r, unconfined_t)
 ')
 
+optional_policy(`
+ syncthing_role(unconfined_r, unconfined_t)
+')
+
 optional_policy(`
 sysnet_run_dhcpc(unconfined_t, unconfined_r)
 sysnet_dbus_chat_dhcpc(unconfined_t)