From: rfkrocktk@gmail.com (Naftuli Tzvi Kay)
Date: Sun, 21 Aug 2016 00:31:55 -0700
Subject: [refpolicy] Syncthing Policy Module
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

This is my first post here, but I've done a fair bit of work on getting policy support for Syncthing working. I have submitted the following pull requests:

Add Syncthing Support to Policy: https://github.com/TresysTechnology/refpolicy/pull/37
Syncthing Policy Module: https://github.com/TresysTechnology/refpolicy-contrib/pull/26

I'd love to hear feedback, improvements, comments, criticisms.

Currently, the policy will let Syncthing do most basic things it'll need to do by default:

- Manage all user home files/dirs/etc.
- Bind to the 3 different ports required for Syncthing to function (admin, transfer, discovery ports).
- Connect to arbitrary remote hosts on arbitrary ports (i.e., remote Syncthing servers might be listening on non-standardized ports to get around firewall restrictions etc.).
- Allow user_u, staff_u, and unconfined_u to run Syncthing.

Some things I'd like to have it do that I haven't figured out yet:

- Standardize some way of managing syncthing_config_home_t as a subset of config_home_t, which doesn't seem to have been standardized in the reference policy (Fedora has the type, nobody else seems to).
- Supply booleans for cases I haven't imagined yet (possibly serving files out of /mnt or /srv? would anyone really want to run this as root? etc.)

Please send feedback, I'll happily refactor and rewrite accordingly.

Thanks,
- Naftuli Tzvi