This repository has been archived by the owner on Jul 2, 2018. It is now read-only.

Syncthing Policy Module #26

Merged
merged 1 commit into TresysTechnology:master from naftulikay:feature/syncthing on Oct 9, 2016

Conversation

naftulikay
Contributor

Policy governing Syncthing - a file synchronization utility written in Go.

Dependent upon TresysTechnology/refpolicy#37.

@naftulikay changed the title from "Syncthing Policy" to "Syncthing Policy Module" on Aug 21, 2016
@@ -0,0 +1,8 @@
# binary

These comments aren't needed. Its too obvious.

Contributor Author


Working on it.

@ghost

ghost commented Aug 21, 2016

General note/query. I suspect that you have developed this policy using the RedHat reference policy fork. I might be wrong, but if you did, then be aware that reference policy differs quite a bit from RedHat's fork, and that it differs in fundamental ways.

@naftulikay
Contributor Author

naftulikay commented Aug 21, 2016

@doverride I have fixed most of the issues you've mentioned above and amended my commit.

Can you recommend an alternate for userdom_basic_networking? Should I just extract what's defined in there and use that?

Also, I'm combing through the style guide to make sure that everything is in order.

@naftulikay
Contributor Author

naftulikay commented Sep 25, 2016

Still getting these denieds, probably due to invalid file transitions:

type=AVC msg=audit(1474779504.096:965): avc:  denied  { create } for  pid=6143 comm="syncthing" name="Sync" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=dir permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { create } for  pid=6143 comm="syncthing" name=".stfolder" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { read write open } for  pid=6143 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.145:967): avc:  denied  { getattr } for  pid=6142 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1

As the following user:

$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant) context=unconfined_u:unconfined_r:unconfined_t

With the following home directory:

$ ls -lhaZ ~
total 36K
drwx------. 8 vagrant vagrant unconfined_u:object_r:user_home_dir_t  230 Sep 25 05:06 .
drwxr-xr-x. 3 root    root    system_u:object_r:home_root_t           21 Aug  1 17:39 ..
-rw-------. 1 vagrant vagrant unconfined_u:object_r:user_home_t     6.4K Sep 25 03:34 .bash_history
-rw-r--r--. 1 vagrant vagrant unconfined_u:object_r:user_home_t       18 May 17 14:22 .bash_logout
-rw-r--r--. 1 vagrant vagrant unconfined_u:object_r:user_home_t      193 May 17 14:22 .bash_profile
-rw-r--r--. 1 vagrant vagrant unconfined_u:object_r:user_home_t      231 May 17 14:22 .bashrc
drwxrwxr-x. 2 vagrant vagrant user_u:object_r:user_home_t            102 Sep  4 05:25 bin
drwx------. 4 vagrant vagrant unconfined_u:object_r:user_home_t       38 Sep 25 04:58 .config
-rw-------. 1 vagrant vagrant unconfined_u:object_r:user_home_t       37 Sep 25 05:06 .lesshst
drwxrwxr-x. 3 vagrant vagrant user_u:object_r:user_home_t             19 Sep  4 05:22 .local
drwxr-----. 3 root    root    unconfined_u:object_r:user_home_t       19 Aug  1 10:40 .pki
drwx------. 2 vagrant root    unconfined_u:object_r:ssh_home_t        29 Aug 30 18:32 .ssh
drwx------. 2 vagrant vagrant system_u:object_r:user_home_dir_t       23 Sep 25 04:58 Sync
-rw-r--r--. 1 vagrant vagrant unconfined_u:object_r:user_home_t        6 Aug  1 10:40 .vbox_version
-rw-------. 1 vagrant vagrant unconfined_u:object_r:user_home_t     3.9K Sep 25 03:27 .viminfo
-rw-r--r--. 1 root    root    unconfined_u:object_r:user_home_t      182 Aug  1 17:42 .wget-hsts

I think it's being caused by Syncthing running in SystemD in user mode, i.e. systemctl --user start syncthing.
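
Added worked example, not code from this PR or from refpolicy: a small Python parser for AVC lines of the kind quoted above. It groups denials by source domain, target type and object class and unions the permissions, the same shape audit2allow produces, and it flags `create` denials whose target type equals the directory type passed in (the home-directory type here): a created object that carries its parent's type is the sign that no type_transition fired, so the fix is a filetrans rule rather than the allow rule. The sample log is constructed from the four denials quoted in the comment; the `user_home_dir_t` default and the heuristic in `missing_filetrans()` are assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the four denials quoted in the comment above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1474779504.096:965): avc:  denied  { create } for  pid=6143 comm="syncthing" name="Sync" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=dir permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { create } for  pid=6143 comm="syncthing" name=".stfolder" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { read write open } for  pid=6143 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.145:967): avc:  denied  { getattr } for  pid=6142 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return one denial as a dict, or None for a line that is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        "sdomain": fields["scontext"].split(":")[2],  # user:role:TYPE[:range]
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "name": fields.get("name"),
        "path": fields.get("path"),
        "permissive": fields.get("permissive") == "1",
    }


def summarize(log):
    """Union the denied permissions per (source domain, target type, class)."""
    grouped = defaultdict(set)
    for line in log.splitlines():
        d = parse_avc(line)
        if d:
            grouped[(d["sdomain"], d["ttype"], d["tclass"])] |= d["perms"]
    return dict(grouped)


def allow_rules(grouped):
    """Render the summary as allow rules, the way audit2allow would."""
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]


def missing_filetrans(log, parent_dir_type="user_home_dir_t"):
    """Heuristic (assumption for this example): a `create` denial whose target
    type is the type of the directory the object is created in means no
    type_transition fired, so the new object inherited its parent's label.
    Those need a filetrans rule, not the allow rule above.
    Returns (class, name) pairs."""
    hits = []
    for line in log.splitlines():
        d = parse_avc(line)
        if d and "create" in d["perms"] and d["ttype"] == parent_dir_type:
            hits.append((d["tclass"], d["name"]))
    return hits


if __name__ == "__main__":
    for rule in allow_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
    print("created without a type transition:", missing_filetrans(SAMPLE_AUDIT_LOG))
```

Running it on the sample yields two allow rules (dir create; file create/getattr/open/read/write) and lists `Sync` and `.stfolder` as objects that were created without a transition, which is exactly why the reviewer points at the filetrans rule rather than at more allow rules.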

@ghost

ghost commented Sep 25, 2016

On 09/25/2016 07:04 AM, Naftuli Tzvi Kay wrote:

Still getting these denieds, probably due to invalid file transitions:

type=AVC msg=audit(1474779504.096:965): avc:  denied  { create } for  pid=6143 comm="syncthing" name="Sync" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=dir permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { create } for  pid=6143 comm="syncthing" name=".stfolder" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { read write open } for  pid=6143 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.145:967): avc:  denied  { getattr } for  pid=6142 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1

Something like this might do it

userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)

Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

@ghost

ghost commented Sep 25, 2016

On 09/25/2016 07:04 AM, Naftuli Tzvi Kay wrote:

Still getting these denieds, probably due to invalid file transitions:

type=AVC msg=audit(1474779504.096:965): avc:  denied  { create } for  pid=6143 comm="syncthing" name="Sync" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=dir permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { create } for  pid=6143 comm="syncthing" name=".stfolder" scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.096:966): avc:  denied  { read write open } for  pid=6143 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1
type=AVC msg=audit(1474779504.145:967): avc:  denied  { getattr } for  pid=6142 comm="syncthing" path="/home/vagrant/Sync/.stfolder" dev="dm-0" ino=8757928 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:user_home_dir_t tclass=file permissive=1

This is wrong:

+# newly created dirs in home root will transition to user_home_t
+userdom_home_filetrans_user_home_dir(syncthing_t)

@naftulikay
Contributor Author

Yes, if I run this outside of SystemD as unconfined_u, I get no more denieds and everything seems to work just fine.

@naftulikay
Contributor Author

Okay, so everything works and I don't have any more denieds coming from syncthing.

The only remaining problem is that when I run Syncthing with SystemD in user mode with the following unit:

Description=Syncthing - Open Source Continuous File Synchronization
Documentation=man:syncthing(1)
After=network.target
Wants=syncthing-inotify.service

[Service]
ExecStart=/usr/local/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4

[Install]
WantedBy=default.target

The Syncthing process is running as system_u:

$ ps auxZ | grep syncthing
system_u:system_r:syncthing_t   vagrant   9028  0.2  2.0  29272 20556 ?        Ssl  16:56   0:00 /usr/local/bin/syncthing -no-browser -no-restart -logflags=0

This causes the files that Syncthing creates to have the following contexts:

$ ls -lhZa ~/Sync/ ~/.config/syncthing/
/home/vagrant/.config/syncthing/:
total 20K
drwx------. 3 vagrant vagrant system_u:object_r:user_home_t      122 Sep 25 16:56 .
drwx------. 4 vagrant vagrant unconfined_u:object_r:user_home_t   38 Sep 25 16:56 ..
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t      619 Sep 25 16:56 cert.pem
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t     2.9K Sep 25 16:56 config.xml
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t     1.1K Sep 25 16:56 https-cert.pem
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t     1.7K Sep 25 16:56 https-key.pem
drwxr-xr-x. 2 vagrant vagrant system_u:object_r:user_home_t       85 Sep 25 16:56 index-v0.14.0.db
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t      288 Sep 25 16:56 key.pem

/home/vagrant/Sync/:
total 0
drwx------. 2 vagrant vagrant system_u:object_r:user_home_t          23 Sep 25 16:56 .
drwx------. 9 vagrant vagrant unconfined_u:object_r:user_home_dir_t 242 Sep 25 17:01 ..
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t           0 Sep 25 16:56 .stfolder

It's interesting that SystemD in user mode is running as system_u. Is there something I need to add to my unit to have SystemD exec this as the user's SELinux user and role?

@ghost

ghost commented Sep 25, 2016

On 09/25/2016 07:04 PM, Naftuli Tzvi Kay wrote:

Okay, so everything works and I don't have any more denieds coming from syncthing.

The only remaining problem is that when I run Syncthing with SystemD in user mode with the following unit:

Description=Syncthing - Open Source Continuous File Synchronization
Documentation=man:syncthing(1)
After=network.target
Wants=syncthing-inotify.service

[Service]
ExecStart=/usr/local/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4

[Install]
WantedBy=default.target

The Syncthing process is running as system_u:

$ ps auxZ | grep syncthing
system_u:system_r:syncthing_t   vagrant   9028  0.2  2.0  29272 20556 ?        Ssl  16:56   0:00 /usr/local/bin/syncthing -no-browser -no-restart -logflags=0

This causes the files that Syncthing creates to have the following contexts:

reference policy currently does not support systemd --user, so for now
you can ignore that issue

$ ls -lhZa ~/Sync/ ~/.config/syncthing/
/home/vagrant/.config/syncthing/:
total 20K
drwx------. 3 vagrant vagrant system_u:object_r:user_home_t      122 Sep 25 16:56 .
drwx------. 4 vagrant vagrant unconfined_u:object_r:user_home_t   38 Sep 25 16:56 ..
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t      619 Sep 25 16:56 cert.pem
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t     2.9K Sep 25 16:56 config.xml
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t     1.1K Sep 25 16:56 https-cert.pem
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t     1.7K Sep 25 16:56 https-key.pem
drwxr-xr-x. 2 vagrant vagrant system_u:object_r:user_home_t       85 Sep 25 16:56 index-v0.14.0.db
-rw-------. 1 vagrant vagrant system_u:object_r:user_home_t      288 Sep 25 16:56 key.pem

/home/vagrant/Sync/:
total 0
drwx------. 2 vagrant vagrant system_u:object_r:user_home_t          23 Sep 25 16:56 .
drwx------. 9 vagrant vagrant unconfined_u:object_r:user_home_dir_t 242 Sep 25 17:01 ..
-rw-r--r--. 1 vagrant vagrant system_u:object_r:user_home_t           0 Sep 25 16:56 .stfolder

It's interesting that SystemD in user mode is running as system_u. Is there something I need to add to my unit to have SystemD exec this as the user's SELinux user and role?

gen_require(`
type NetworkManager_var_run_t;
')
search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
Contributor Author


@doverride Would you like me to submit this change upstream to the NetworkManager interface? IIRC I shouldn't be doing gen_require et al here.

@ghost

ghost commented Sep 25, 2016

On 09/25/2016 07:11 PM, Naftuli Tzvi Kay wrote:

rfkrocktk commented on this pull request.

+kernel_read_kernel_sysctls(syncthing_t)
+
+kernel_read_system_state(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+
+sysnet_dns_name_resolve(syncthing_t)
remove sysnet_dns_name_resolve(syncthing_t) since auth_use_nsswitch(syncthing_t) makes it redundant

+auth_use_nsswitch(syncthing_t) # /etc/nsswitch.conf
+
+networkmanager_read_pid_files(syncthing_t)
+
+# TODO no rule allows searching this dir type
+gen_require(`

  • type NetworkManager_var_run_t;
    +')
    +search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
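
Review bot: the gen_require(` type NetworkManager_var_run_t; ') block and the search_dirs_pattern() call under `# TODO no rule allows searching this dir type` patch a gap in networkmanager_read_pid_files() from inside syncthing.te; a raw gen_require of another module's type in a .te is a hard dependency as well as a style violation, so the module fails to link on a build without the networkmanager module. Drop those lines, wrap networkmanager_read_pid_files(syncthing_t) in optional_policy(`...'), and fix the missing dir search in the interface itself (read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t) in place of the bare file allow). sysnet_dns_name_resolve(syncthing_t) in the same hunk can go as well, since auth_use_nsswitch(syncthing_t) directly below it already covers name resolution.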

@doverride Would you like me to submit this change upstream to the NetworkManager interface? IIRC I shouldn't be doing gen_require et al here.

networkmanager_read_pid_files(syncthing_t) makes search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t) redundant.

so remove:

+# TODO no rule allows searching this dir type
+gen_require(`

  • type NetworkManager_var_run_t;
    +')
    +search_dirs_pattern(syncthing_t, NetworkManager_var_run_t,
    NetworkManager_var_run_t)

also make networkmanager_read_pid_files(syncthing_t) optional:

optional_policy(`
    # temporary hack: this is for /run/NetworkManager/resolv.conf and
    # should be made part of sysnet_dns_name_resolve()
    networkmanager_read_pid_files(syncthing_t)
')

@@ -0,0 +1,3 @@
/usr/(local/)?bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)


/usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)

# Policy
domtrans_pattern($2, syncthing_exec_t, syncthing_t)

syncthing_relabel_home_config_files($2)

@ghost ghost Sep 25, 2016


use this instead:

allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };

# should only ever be execed non-root, but can be started by systemd --user as a service
init_daemon_domain(syncthing_t, syncthing_exec_t)
userdom_user_application_domain(syncthing_t, syncthing_exec_t)
userdom_use_user_ptys(syncthing_t)


use userdom_use_user_terminals(syncthing_t) instead or preferably userdom_use_inherited_user_terminals(syncthing_t) if that is available

Contributor Author


userdom_use_inherited_user_terminals doesn't exist in refpolicy.

I'm not sure how crucial this permission is to the runtime of Syncthing. Due to the warning present in userdom_use_user_terminals, I am hesitant about this permission:

##  However, this also allows the applications to spy
##  on user sessions or inject information into the
##  user session.  Thus, this access should likely
##  not be allowed for non-interactive domains.

Is this access okay for a daemon-like program running in the background?


userdom_read_user_home_content_files(syncthing_t)
userdom_read_user_home_content_symlinks(syncthing_t)


@ghost ghost Sep 25, 2016


lines 27 to 32 are redundant (already taken care of on lines 23 to 25)

# self rules
allow syncthing_t self:process getsched;
allow syncthing_t self:fifo_file { read write };



use allow syncthing_t self:fifo_file rw_fifo_file_perms; instead

allow syncthing_t self:udp_socket create_socket_perms;

allow syncthing_t syncthing_exec_t:file execute_no_trans; # presumably allowed to restart itself



use: can_exec(syncthing_t, syncthing_exec_t) instead

kernel_read_system_state(syncthing_t)
kernel_read_net_sysctls(syncthing_t)

sysnet_dns_name_resolve(syncthing_t)


remove line 78

auth_use_nsswitch(syncthing_t) # /etc/nsswitch.conf

networkmanager_read_pid_files(syncthing_t)



should be optional:

optional_policy(`
# temporary hack until we make this part of sysnet_dns_name_resolve
networkmanager_read_pid_files(syncthing_t)
')

gen_require(`
type NetworkManager_var_run_t;
')
search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)


lines 83 to 87 can be removed (already allowed by the networkmanager_read_pid_files() call)

Contributor Author


If I remove these lines, I see:

type=AVC msg=audit(1474865450.349:1770): avc:  denied  { search } for  pid=12157 comm="syncthing" name="NetworkManager" dev="tmpfs" ino=16441 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=dir permissive=1

The definition of this interface is:

interface(`networkmanager_read_pid_files',`
    gen_require(`
        type NetworkManager_var_run_t;
    ')

    files_search_pids($1)
    allow $1 NetworkManager_var_run_t:file read_file_perms;
')

search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

# file transitions
userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")


fix style issues

Contributor Author


@doverride can you link me to the styles wiki on this topic?

@ghost

ghost commented Sep 26, 2016

On 09/26/2016 07:00 AM, Naftuli Tzvi Kay wrote:

rfkrocktk commented on this pull request.

+kernel_read_kernel_sysctls(syncthing_t)
+
+kernel_read_system_state(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+
+sysnet_dns_name_resolve(syncthing_t)
+auth_use_nsswitch(syncthing_t) # /etc/nsswitch.conf
+
+networkmanager_read_pid_files(syncthing_t)
+
+# TODO no rule allows searching this dir type
+gen_require(`

  • type NetworkManager_var_run_t;
    +')
    +search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

If I remove these lines, I see:

type=AVC msg=audit(1474865450.349:1770): avc:  denied  { search } for  pid=12157 comm="syncthing" name="NetworkManager" dev="tmpfs" ino=16441 scontext=system_u:system_r:syncthing_t tcontext=system_u:object_r:NetworkManager_var_run_t tclass=dir permissive=1

The definition of this interface is:

interface(`networkmanager_read_pid_files',`
  gen_require(`
      type NetworkManager_var_run_t;
  ')

  files_search_pids($1)
  allow $1 NetworkManager_var_run_t:file read_file_perms;
')

That should have been:

files_search_pids($1)
read_files_pattern($1, NetworkManager_var_run_t, NetworkManager_var_run_t)

So that interface should be adjusted
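
Added example, not code from this PR or from refpolicy, showing in Python why the networkmanager_read_pid_files() body quoted above produces the search denial and why the read_files_pattern() version fixes it. The refpolicy pattern macros are reduced to the (domain, type, class, permission) tuples they expand to; files_search_pids() is modelled as search_dirs_pattern($1, var_t, var_run_t), the permission sets are refpolicy's search_dir_perms and read_file_perms, and the labels along /run/NetworkManager/resolv.conf follow the AVC quoted in the thread (the search on / that base policy grants every domain is left out). The path walk itself is a simplification of what the kernel checks on open(2).

```python
# refpolicy permission sets (policy/support/obj_perm_sets.spt)
SEARCH_DIR_PERMS = frozenset({"getattr", "search", "open"})
READ_FILE_PERMS = frozenset({"getattr", "open", "read", "lock", "ioctl"})


def allow(domain, ttype, tclass, perms):
    """One allow rule as a set of (domain, type, class, perm) tuples."""
    return {(domain, ttype, tclass, p) for p in perms}


def search_dirs_pattern(domain, dir_type, inner_type):
    # allow $1 $2:dir search_dir_perms; allow $1 $3:dir search_dir_perms;
    return (allow(domain, dir_type, "dir", SEARCH_DIR_PERMS)
            | allow(domain, inner_type, "dir", SEARCH_DIR_PERMS))


def read_files_pattern(domain, dir_type, file_type):
    # allow $1 $2:dir search_dir_perms; allow $1 $3:file read_file_perms;
    return (allow(domain, dir_type, "dir", SEARCH_DIR_PERMS)
            | allow(domain, file_type, "file", READ_FILE_PERMS))


def files_search_pids(domain):
    # modelled here as refpolicy's search_dirs_pattern($1, var_t, var_run_t)
    return search_dirs_pattern(domain, "var_t", "var_run_t")


def networkmanager_read_pid_files_as_quoted(domain):
    """The interface body quoted in the thread: read on the files only."""
    return (files_search_pids(domain)
            | allow(domain, "NetworkManager_var_run_t", "file", READ_FILE_PERMS))


def networkmanager_read_pid_files_fixed(domain):
    """The replacement proposed in the thread: search on the dir as well."""
    return (files_search_pids(domain)
            | read_files_pattern(domain, "NetworkManager_var_run_t",
                                 "NetworkManager_var_run_t"))


# Constructed: labels along the path, as in the AVC quoted in the thread
# (/run is var_run_t; /run/NetworkManager and the file under it are
# NetworkManager_var_run_t).
RESOLV_CONF_PATH = [
    ("run", "var_run_t", "dir"),
    ("NetworkManager", "NetworkManager_var_run_t", "dir"),
    ("resolv.conf", "NetworkManager_var_run_t", "file"),
]


def first_denial_reading(rules, domain, labelled_path):
    """Walk the path the way a read-only open does: search on every directory
    component, then open and read on the leaf. Returns the first missing
    (perm, type, component), or None when the read is fully allowed."""
    *dirs, (leaf, leaf_type, leaf_class) = labelled_path
    for comp, typ, _cls in dirs:
        if (domain, typ, "dir", "search") not in rules:
            return ("search", typ, comp)
    for perm in ("open", "read"):
        if (domain, leaf_type, leaf_class, perm) not in rules:
            return (perm, leaf_type, leaf)
    return None


if __name__ == "__main__":
    for label, iface in (("as quoted", networkmanager_read_pid_files_as_quoted),
                         ("fixed", networkmanager_read_pid_files_fixed)):
        print(label, "->",
              first_denial_reading(iface("syncthing_t"), "syncthing_t", RESOLV_CONF_PATH))
```

The quoted version stops at `("search", "NetworkManager_var_run_t", "NetworkManager")`, which is the denial reported in the thread; the read_files_pattern() version walks the whole path.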

@ghost

ghost commented Sep 26, 2016

On 09/26/2016 08:16 AM, Naftuli Tzvi Kay wrote:

rfkrocktk commented on this pull request.

@@ -0,0 +1,90 @@
+policy_module(syncthing, 1.0.0)
+
+# Declarations
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+# should only ever be execed non-root, but can be started by systemd --user as a service
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+userdom_use_user_ptys(syncthing_t)
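
Review bot: the comment `# should only ever be execed non-root, but can be started by systemd --user as a service` does not match the two calls under it. init_daemon_domain(syncthing_t, syncthing_exec_t) gives init a domain transition into syncthing_t under system_r, which is consistent with the system_u:system_r:syncthing_t context reported later in this thread for the systemd --user start, while userdom_user_application_domain(syncthing_t, syncthing_exec_t) covers a manual start from a user role; keep both only if both start paths are intended, and reword the comment to say so, otherwise drop the init_daemon_domain() line. On the last line, userdom_use_user_ptys(syncthing_t) should be userdom_use_user_terminals(syncthing_t) so a manual start from a tty works as well as from a pty.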

userdom_use_inherited_user_terminals doesn't exist in refpolicy.

I'm not sure how crucial this permission is to the runtime of Syncthing. Due to the warning present in userdom_use_user_terminals, I am hesitant about this permission:

try userdom_use_user_term() or userdom_use_inherited_user_term()

no need to hesitate; this makes it so that if you run syncthing manually from a tty/pty it can print to it

##    However, this also allows the applications to spy
##    on user sessions or inject information into the
##    user session.  Thus, this access should likely
##    not be allowed for non-interactive domains.

Is this access okay for a daemon-like program running in the background?

@ghost

ghost commented Sep 26, 2016

On 09/26/2016 08:19 AM, Dominick Grift wrote:

On 09/26/2016 08:16 AM, Naftuli Tzvi Kay wrote:

rfkrocktk commented on this pull request.

@@ -0,0 +1,90 @@
+policy_module(syncthing, 1.0.0)
+
+# Declarations
+attribute_role syncthing_roles;
+role syncthing_roles types syncthing_t;
+
+type syncthing_t;
+type syncthing_exec_t;
+# should only ever be execed non-root, but can be started by systemd --user as a service
+init_daemon_domain(syncthing_t, syncthing_exec_t)
+userdom_user_application_domain(syncthing_t, syncthing_exec_t)
+userdom_use_user_ptys(syncthing_t)

userdom_use_inherited_user_terminals doesn't exist in refpolicy.

I'm not sure how crucial this permission is to the runtime of Syncthing. Due to the warning present in userdom_use_user_terminals, I am hesitant about this permission:

try userdom_use_user_term() or userdom_use_inherited_user_term()

no need to hesitate; this makes it so that if you run syncthing manually from a tty/pty it can print to it

##   However, this also allows the applications to spy
##   on user sessions or inject information into the
##   user session.  Thus, this access should likely
##   not be allowed for non-interactive domains.

Is this access okay for a daemon-like program running in the background?

Whoops i misread.

userdom_use_user_terminals() should be okay to use. Even though it is a daemon, one should also be able to run it manually, I suspect (syncthing ... &)

@ghost

ghost commented Sep 26, 2016

On 09/26/2016 08:47 PM, Naftuli Tzvi Kay wrote:

rfkrocktk commented on this pull request.

+kernel_read_system_state(syncthing_t)
+kernel_read_net_sysctls(syncthing_t)
+
+sysnet_dns_name_resolve(syncthing_t)
+auth_use_nsswitch(syncthing_t) # /etc/nsswitch.conf
+
+networkmanager_read_pid_files(syncthing_t)
+
+# TODO no rule allows searching this dir type
+gen_require(`

  • type NetworkManager_var_run_t;
    +')
    +search_dirs_pattern(syncthing_t, NetworkManager_var_run_t, NetworkManager_var_run_t)

+# file transitions
+userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

@doverride can you link me to the styles wiki on this topic?

https://github.com/TresysTechnology/refpolicy/wiki/StyleGuide
https://github.com/TresysTechnology/refpolicy/wiki/InterfaceNaming

@naftulikay
Contributor Author

@doverride I have updated according to the style guide. Please let me know if there are any other changes. I'm still getting a denied due to the NetworkManager bug in the policy, but I can submit a PR for that.

@ghost

ghost commented Sep 27, 2016

policy_module(syncthing, 1.0.0)

########################################
#
# Declarations
#

attribute_role syncthing_roles;
role syncthing_roles types syncthing_t;

type syncthing_t;
type syncthing_exec_t;
init_daemon_domain(syncthing_t, syncthing_exec_t)
userdom_user_application_domain(syncthing_t, syncthing_exec_t)

type syncthing_config_home_t;
userdom_user_home_content(syncthing_config_home_t)

########################################
#
# Policy
#

allow syncthing_t self:process getsched;
allow syncthing_t self:fifo_file rw_fifo_file_perms;
allow syncthing_t self:tcp_socket { listen accept };

can_exec(syncthing_t, syncthing_exec_t)

kernel_read_kernel_sysctls(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
kernel_read_system_state(syncthing_t)

corenet_tcp_sendrecv_generic_if(syncthing_t)
corenet_udp_sendrecv_generic_if(syncthing_t)

corenet_tcp_bind_generic_node(syncthing_t)
corenet_tcp_sendrecv_generic_node(syncthing_t)
corenet_tcp_sendrecv_all_ports(syncthing_t)

corenet_udp_bind_generic_node(syncthing_t)
corenet_udp_sendrecv_generic_node(syncthing_t)
corenet_udp_sendrecv_all_ports(syncthing_t)

corenet_tcp_connect_all_ports(syncthing_t)

corenet_tcp_bind_syncthing_port(syncthing_t)
corenet_udp_bind_syncthing_discovery_port(syncthing_t)
corenet_tcp_bind_syncthing_admin_port(syncthing_t)

dev_read_rand(syncthing_t)
dev_read_urand(syncthing_t)

fs_getattr_xattr_fs(syncthing_t)

auth_use_nsswitch(syncthing_t)

miscfiles_read_generic_certs(syncthing_t)
miscfiles_read_localization(syncthing_t)

userdom_manage_user_home_content_files(syncthing_t)
userdom_manage_user_home_content_dirs(syncthing_t)
userdom_manage_user_home_content_symlinks(syncthing_t)
userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)

# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

userdom_use_user_terminals(syncthing_t)

optional_policy(`
    # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
    networkmanager_read_pid_files(syncthing_t)
')

@ghost

ghost commented Sep 27, 2016

## <summary>Application that lets you synchronize your files across multiple devices.</summary>

########################################
## <summary>
##  Role access for Syncthing
## </summary>
## <param name="role">
##  <summary>
##  Role allowed access
##  </summary>
## </param>
## <param name="domain">
##  <summary>
##  User domain for the role
##  </summary>
## </param>
#
interface(`syncthing_role', `

    gen_require(`
        attribute_role syncthing_roles;
        type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
    ')

    roleattribute $1 syncthing_roles;

    domtrans_pattern($2, syncthing_exec_t, syncthing_t)

    allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
    allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
    allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
')

@ghost

ghost commented Sep 27, 2016

If you make it look like the above then i think it should be pretty good. You should indeed also send a PR for adjusted networkmanager_read_var_run_files()

Once you made these changes then please ask @pebenito to look at it and if possible commit it

@ghost

ghost commented Sep 27, 2016

There is at least one thing missing though. Syncthing is currently not allowed to read its own syncthing_config_home_t files.

@ghost

ghost commented Sep 27, 2016

oh now i see... this is wrong

userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

The above would only apply to ~/syncthing, but that is not accurate. Instead it should apply to ~/.config/syncthing

So you instead want something like:

userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

naftulikay added a commit to naftulikay/refpolicy-contrib that referenced this pull request Sep 27, 2016
Bug found in pull TresysTechnology#26 - permissions aren't granted for searching
the NetworkManager_var_run_t directory, only to reading its files.
@naftulikay
Contributor Author

@doverride I have submitted my PR for the NetworkManager fix at #27.

oh now i see... this is wrong

userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

The above would only apply to ~/syncthing, but that is not accurate. Instead it should apply to ~/.config/syncthing

So you instead want something like:

userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

@doverride above, did you mean I should use:

userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, ".config/syncthing")

or am I misunderstanding? For now I have updated my PR verbatim with what you posted.
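
Added example, not code from this PR or from refpolicy, that works through the ~/syncthing versus ~/.config/syncthing question above in Python. It models only the type_transition each interface call emits (filetrans_pattern() also adds allow rules, omitted here) and the kernel's resolution order: a rule naming exactly the final path component wins over an unnamed rule, and with neither the new object inherits the parent directory's type. Assumptions: ~ is user_home_dir_t and ~/.config gets user_home_t, as in the directory listings earlier in this thread, and the name argument is compared against one path component, so a value like ".config/syncthing" never matches anything.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TypeTransition:
    """One type_transition rule: `source` creating a `tclass` object inside a
    directory of type `parent` gets `result`; `name` restricts the rule to one
    exact final path component (None = unnamed rule, matches any name)."""
    source: str
    parent: str
    tclass: str
    result: str
    name: Optional[str] = None


def resolve_new_type(rules: List[TypeTransition], source, parent_type, tclass, name):
    """Label a new object the way the kernel does: a name-based rule for this
    exact component beats an unnamed rule; with neither, inherit the parent."""
    def matches(r, want_name):
        return (r.source == source and r.parent == parent_type
                and r.tclass == tclass and r.name == want_name)
    for r in rules:
        if matches(r, name):
            return r.result
    for r in rules:
        if matches(r, None):
            return r.result
    return parent_type


def label_created_path(rules, source, home_dir_type, components):
    """Create `components` one level at a time (all as dirs) under the home
    directory and return the type each one receives."""
    parent = home_dir_type
    labels = []
    for comp in components:
        parent = resolve_new_type(rules, source, parent, "dir", comp)
        labels.append(parent)
    return labels


# The type_transition each interface call in the thread boils down to:
#   userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
#     -> type_transition syncthing_t user_home_dir_t:dir user_home_t;
#   userdom_user_home_dir_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
#     -> type_transition syncthing_t user_home_dir_t:dir syncthing_config_home_t "syncthing";
#   userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
#     -> type_transition syncthing_t user_home_t:dir syncthing_config_home_t "syncthing";
DEFAULT_HOME_RULE = TypeTransition("syncthing_t", "user_home_dir_t", "dir", "user_home_t")
HOME_DIR_VARIANT = [
    DEFAULT_HOME_RULE,
    TypeTransition("syncthing_t", "user_home_dir_t", "dir", "syncthing_config_home_t", "syncthing"),
]
HOME_CONTENT_VARIANT = [
    DEFAULT_HOME_RULE,
    TypeTransition("syncthing_t", "user_home_t", "dir", "syncthing_config_home_t", "syncthing"),
]
# A slash in the name can never match a single component (assumption stated above).
SLASH_NAME_VARIANT = [
    DEFAULT_HOME_RULE,
    TypeTransition("syncthing_t", "user_home_dir_t", "dir", "syncthing_config_home_t", ".config/syncthing"),
]


if __name__ == "__main__":
    for label, rules in (("user_home_dir_filetrans", HOME_DIR_VARIANT),
                         ("user_home_content_filetrans", HOME_CONTENT_VARIANT),
                         ("name with a slash", SLASH_NAME_VARIANT)):
        home = label_created_path(rules, "syncthing_t", "user_home_dir_t", ["syncthing"])[-1]
        cfg = label_created_path(rules, "syncthing_t", "user_home_dir_t", [".config", "syncthing"])[-1]
        print("%-28s ~/syncthing -> %s, ~/.config/syncthing -> %s" % (label, home, cfg))
```

With the user_home_dir_t rule, ~/syncthing becomes syncthing_config_home_t and ~/.config/syncthing stays user_home_t; with the user_home_t rule it is the other way round, which is the behaviour the reviewer is asking for. The slash variant labels nothing specially, so the ".config/syncthing" spelling in the question above would be a no-op.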

Policy governing Syncthing - a file synchronization utility
written in Go.
@naftulikay
Contributor Author

@pebenito This is almost ready for merge. I need to test the full workflow again, but it's just about there. If there's anything that sticks out, please let me know and I'll explain or fix.

@pebenito
Contributor

pebenito commented Oct 1, 2016

I don't see anything more than @doverride has already noted.

@naftulikay
Contributor Author

@doverride @pebenito I have tested the full workflow of this PR, and everything checks out. Please merge refpolicy#37 if everything looks good, and then merge this PR as well.

Please let me know if any other changes are necessary.

@pebenito pebenito merged commit 2898174 into TresysTechnology:master Oct 9, 2016
@naftulikay naftulikay deleted the feature/syncthing branch October 13, 2016 06:02