syncthing.te
# SELinux type-enforcement policy for the syncthing domain.
# Interfaces called here but not defined in this file (syncthing_bind_ports,
# syncthing_role) are presumably provided by the accompanying syncthing.if.
policy_module(syncthing, 1.0.0)
# Domain the syncthing process runs in, and the executable type that acts as
# its entrypoint (tied together by userdom_user_application_domain below).
type syncthing_t;
type syncthing_exec_t;
# Role attribute; every role added to it is authorized for syncthing_t (see
# the role statement in the Roles section).
attribute_role syncthing_roles;
##########################
# Define Ports
##########################
# One attribute grouping all syncthing port types so interfaces can refer to
# them collectively; each concrete port type is registered with corenet_port.
attribute syncthing_ports;
type syncthing_port_t, syncthing_ports;
type syncthing_admin_port_t, syncthing_ports;
type syncthing_discovery_port_t, syncthing_ports;
corenet_port(syncthing_port_t)
corenet_port(syncthing_admin_port_t)
corenet_port(syncthing_discovery_port_t)
# packets
# TODO
# No packet types are declared yet; packet-level labeling is not covered by
# this module as written.
# domain patterns
# Makes syncthing_t a user application domain entered via syncthing_exec_t.
userdom_user_application_domain(syncthing_t, syncthing_exec_t)
#####################
# Process Permissions
#####################
# Basic socket usage, network sysctl reads and DNS lookups.
userdom_basic_networking(syncthing_t)
kernel_read_net_sysctls(syncthing_t)
# Needed to getattr filesystems that support extended attributes.
fs_getattr_xattr_fs(syncthing_t)
sysnet_dns_name_resolve(syncthing_t)
kernel_read_system_state(syncthing_t)
# Grants manage permissions on all user home content types. This is broad;
# presumably required so synced folders anywhere under the home directory can
# be read and written. NOTE(review): confirm no narrower set of types suffices.
userdom_manage_user_home_content(syncthing_t)
# bind to generic nodes
corenet_tcp_bind_generic_node(syncthing_t)
corenet_udp_bind_generic_node(syncthing_t)
# bind to syncthing ports
# Interface expected from syncthing.if; should cover the syncthing_ports
# attribute declared above.
syncthing_bind_ports(syncthing_t)
# define config type as user home content
# config_home_t comes from another module, so it must be required here.
gen_require(`
type config_home_t;
')
# Dedicated type for the syncthing configuration directory, itself treated as
# user home content so the manage rule above applies to it as well.
type syncthing_config_home_t;
userdom_user_home_content(syncthing_config_home_t)
# A directory named "syncthing" created by syncthing_t inside config_home_t
# is automatically labeled syncthing_config_home_t.
filetrans_pattern(syncthing_t, config_home_t, syncthing_config_home_t, dir, "syncthing")
#######
# Roles
#######
# Authorize every role carrying the syncthing_roles attribute for syncthing_t.
role syncthing_roles types syncthing_t;
# Each block below is applied only when the referenced module is loaded.
# Attaching the role presumably goes through syncthing_role from syncthing.if.
optional_policy(`
gen_require(`
type unconfined_t;
role unconfined_r;
')
syncthing_role(unconfined_r, unconfined_t)
')
optional_policy(`
gen_require(`
type user_t;
role user_r;
')
syncthing_role(user_r, user_t)
')