Add Syncthing Support to Policy

For now, optionally add the Syncthing role to user_r, staff_r,
and unconfined_r, and define the Syncthing ports in core network.

policy/modules/kernel/corenetwork.te.in

@@ -255,6 +255,9 @@ network_port(stunnel) # no defined portcon
 network_port(svn, tcp,3690,s0, udp,3690,s0)
 network_port(svrloc, tcp,427,s0, udp,427,s0)
 network_port(swat, tcp,901,s0)
+network_port(syncthing, tcp,22000,s0)
+network_port(syncthing_admin, tcp,8384,s0)
+network_port(syncthing_discovery, udp,21027,s0)
 network_port(sype_transport, tcp,9911,s0, udp,9911,s0)
 network_port(syslogd, udp,514,s0)
 network_port(syslog_tls, tcp,6514,s0, udp,6514,s0)

policy/modules/roles/staff.te

@@ -51,6 +51,10 @@ optional_policy(`
 	userdom_dontaudit_use_user_terminals(staff_t)
 ')
 
+optional_policy(`
+	syncthing_role(staff_r, staff_t)
+')
+
 optional_policy(`
 	vlock_run(staff_t, staff_r)
 ')

policy/modules/roles/unprivuser.te

@@ -145,6 +145,10 @@ ifndef(`distro_redhat',`
 		sudo_role_template(user, user_r, user_t)
 	')
 
+	optional_policy(`
+		syncthing_role(user_r, user_t)
+	')
+
 	optional_policy(`
 		thunderbird_role(user_r, user_t)
 	')

policy/modules/system/unconfined.te

@@ -173,6 +173,10 @@ optional_policy(`
 	spamassassin_role(unconfined_r, unconfined_t)
 ')
 
+optional_policy(`
+	syncthing_role(unconfined_r, unconfined_t)
+')
+
 optional_policy(`
 	sysnet_run_dhcpc(unconfined_t, unconfined_r)
 	sysnet_dbus_chat_dhcpc(unconfined_t)