From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sun, 25 Mar 2018 13:57:14 +0200
Subject: [refpolicy] [PATCH v3 19/19] Switch syncthing to XDG config types and make user content access optional
In-Reply-To: <20180325115714.5610-1-sven.vermeulen@siphos.be>
References: <20180325115714.5610-1-sven.vermeulen@siphos.be>
Message-ID: <20180325115714.5610-20-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
The syncthing application can, but does not have to, be used for synchronizing end user data. Hence, the user data access is made optional through the support of the syncthing_*_user_content booleans.
Also, the syncthing_config_home_t type is renamed to syncthing_xdg_config_t to be aligned with the XDG setup. An alias is put in place to allow for a transitional period before syncthing_config_home_t is completely phaded out.
Changes since v2:
- Fix typo in call to userdom_user_content_access_template
Changes since v1:
- Move tunable definition inside template
Signed-off-by: Sven Vermeulen
---
 syncthing.fc | 2 +-
 syncthing.if | 8 ++++----
 syncthing.te | 19 ++++++++-----------
 3 files changed, 13 insertions(+), 16 deletions(-)
diff --git a/syncthing.fc b/syncthing.fc
index 4f7f53e..e95b451 100644
--- a/syncthing.fc
+++ b/syncthing.fc
@@ -1,3 +1,3 @@
 /usr/bin/syncthing -- gen_context(system_u:object_r:syncthing_exec_t,s0)
-HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_config_home_t,s0)
+HOME_DIR/\.config/syncthing(/.*)? gen_context(system_u:object_r:syncthing_xdg_config_t,s0)
diff --git a/syncthing.if b/syncthing.if
index 065800a..2c0eb24 100644
--- a/syncthing.if
+++ b/syncthing.if
@@ -18,14 +18,14 @@ interface(`syncthing_role', `
 gen_require(`
 attribute_role syncthing_roles;
-type syncthing_t, syncthing_exec_t, syncthing_config_home_t;
+type syncthing_t, syncthing_exec_t, syncthing_xdg_config_t;
 ')
 roleattribute $1 syncthing_roles;
 domtrans_pattern($2, syncthing_exec_t, syncthing_t)
-allow $2 syncthing_config_home_t:file { manage_file_perms relabel_file_perms };
-allow $2 syncthing_config_home_t:dir { manage_dir_perms relabel_dir_perms };
-allow $2 syncthing_config_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
+allow $2 syncthing_xdg_config_t:file { manage_file_perms relabel_file_perms };
+allow $2 syncthing_xdg_config_t:dir { manage_dir_perms relabel_dir_perms };
+allow $2 syncthing_xdg_config_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };
 ')
diff --git a/syncthing.te b/syncthing.te
index 92d0bf5..de3b979 100644
--- a/syncthing.te
+++ b/syncthing.te
@@ -13,8 +13,8 @@ type syncthing_exec_t;
 init_daemon_domain(syncthing_t, syncthing_exec_t)
 userdom_user_application_domain(syncthing_t, syncthing_exec_t)
-type syncthing_config_home_t;
-userdom_user_home_content(syncthing_config_home_t)
+type syncthing_xdg_config_t alias syncthing_config_home_t;
+xdg_config_content(syncthing_xdg_config_t)
 ########################################
 #
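Review bot: The `+type syncthing_xdg_config_t alias syncthing_config_home_t;` line carries no note that the alias is transitional, so nothing in the policy source tells a later maintainer when it may be dropped; only the commit message records that intent. A one-line comment above the declaration would keep it in the file, e.g. `# syncthing_config_home_t is a compatibility alias for the pre-XDG name; remove once dependent policies reference syncthing_xdg_config_t`. The syncthing.if hunk before it only follows the rename.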
@@ -27,9 +27,10 @@ allow syncthing_t self:tcp_socket { listen accept };
 can_exec(syncthing_t, syncthing_exec_t)
-manage_dirs_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
-manage_lnk_files_pattern(syncthing_t, syncthing_config_home_t, syncthing_config_home_t)
+manage_dirs_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+manage_lnk_files_pattern(syncthing_t, syncthing_xdg_config_t, syncthing_xdg_config_t)
+xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)
 kernel_read_kernel_sysctls(syncthing_t)
 kernel_read_net_sysctls(syncthing_t)
@@ -58,13 +59,9 @@ auth_use_nsswitch(syncthing_t)
 miscfiles_read_generic_certs(syncthing_t)
 miscfiles_read_localization(syncthing_t)
-userdom_manage_user_home_content_files(syncthing_t)
-userdom_manage_user_home_content_dirs(syncthing_t)
-userdom_manage_user_home_content_symlinks(syncthing_t)
-userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)
+userdom_user_content_access_template(syncthing, syncthing_t)
+
 userdom_use_user_terminals(syncthing_t)
-# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
-userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")
 optional_policy(`
 # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
-- 
2.16.1
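Review bot: The new `xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir)` line drops the `"syncthing"` name qualifier that the removed `userdom_user_home_content_filetrans(..., dir, "syncthing")` call in the following hunk carried, so, if the xdg interface passes an optional name through the way the userdom one did, every directory syncthing_t creates directly under the XDG config directory is labelled syncthing_xdg_config_t, while syncthing.fc only labels `syncthing(/.*)?` that way and a relabel would undo it. If the interface accepts the name argument, `xdg_config_filetrans(syncthing_t, syncthing_xdg_config_t, dir, "syncthing")` keeps the transition as narrow as before; if it does not, that difference in scope deserves a comment. The explanatory comment the later hunk removes is also worth restoring above the new line, e.g. `# ~/.config/syncthing created by syncthing_t transitions to syncthing_xdg_config_t`.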
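Review bot: The removed `userdom_user_home_dir_filetrans_user_home_content(syncthing_t, dir)` line has no visible replacement in the `@@ -58,13 +59,9 @@` hunk, so whether directories syncthing_t creates directly in the home directory still transition to user home content now rests entirely on what `userdom_user_content_access_template` grants, which this patch does not show; worth confirming before merge. The booleans that template defines and their defaults are likewise not visible here, and since previously unconditional access is now gated, the .te gains nothing that names the switch. A short comment beside the call, such as `# user data access is gated by the syncthing_*_user_content booleans defined by the template`, would point readers of the .te at the tunables.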