matrixd: various fixes

Allow matrix to getsched of its own processes and also allow it to connect to all TCP ports if federation is enabled. There are seemingly some servers out there on weird federation ports, so allow this access. Signed-off-by: Kenton Groombridge <me@concord.sh>
2022-03-31 13:19:37 -04:00 · 2022-03-31 13:19:37 -04:00 · 3e22b4bb2a
commit 3e22b4bb2a
parent df59df505d
1 changed files with 3 additions and 4 deletions
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@ -49,7 +49,7 @@ allow matrixd_t self:udp_socket create_socket_perms;
 allow matrixd_t self:unix_dgram_socket create_socket_perms;
 # execmem is needed for Python callbacks
 # https://cffi.readthedocs.io/en/latest/using.html#callbacks
-allow matrixd_t self:process execmem;
+allow matrixd_t self:process { getsched execmem };

 allow matrixd_t matrixd_tmp_t:file { manage_file_perms map };
 files_tmp_filetrans(matrixd_t, matrixd_tmp_t, file)
@ -104,8 +104,7 @@ sysnet_read_config(matrixd_t)
 userdom_search_user_runtime_root(matrixd_t)

 tunable_policy(`matrix_allow_federation',`
-	corenet_tcp_connect_all_unreserved_ports(matrixd_t)
-	corenet_tcp_connect_generic_port(matrixd_t)
+	corenet_tcp_connect_all_ports(matrixd_t)
 	corenet_udp_bind_all_ports(matrixd_t)
 ', `
 	corenet_dontaudit_tcp_connect_all_ports(matrixd_t)
@ -120,4 +119,4 @@ tunable_policy(`matrix_postgresql_connect',`
 optional_policy(`
 	apache_search_config(matrixd_t)
 ')
- 
+