commit:     8c2f46403362398b17348da14c551acad1cdc0b4
Author:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
AuthorDate: Mon May  6 20:33:13 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Tue May 14 17:41:45 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8c2f4640

matrixd: add tunable for binding to all unreserved ports

This is to support Synapse workers, which need to bind multiple TCP
ports; enabling the tunable is an alternative to manually labeling each
unreserved port for use by matrixd.

Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/services/matrixd.te | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/policy/modules/services/matrixd.te 
b/policy/modules/services/matrixd.te
index c396a3d7c..5f092f31c 100644
--- a/policy/modules/services/matrixd.te
+++ b/policy/modules/services/matrixd.te
@@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true)
 ## </desc>
 gen_tunable(matrix_postgresql_connect, false)
 
+## <desc>
+##  <p>
+##  Determine whether Matrixd is allowed to bind all
+##  TCP ports. This is intended for more complex Matrix
+##     server configurations (e.g. Synapse workers) and may
+##     be used in lieu of manually labeling each port.
+##  </p>
+## </desc>
+gen_tunable(matrix_bind_all_unreserved_tcp_ports, false)
+
 type matrixd_t;
 type matrixd_exec_t;
 init_daemon_domain(matrixd_t, matrixd_exec_t)
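Review bot: The tunable description on the new lines says Matrixd may "bind all TCP ports", which overstates the grant: the tunable is named `matrix_bind_all_unreserved_tcp_ports` and (per the second hunk) the only permission it enables is `corenet_tcp_bind_all_unreserved_ports`, so reserved ports are not covered and an administrator reading the description would expect more than they get. I would change the two lines to `##  Determine whether Matrixd is allowed to bind all` / `##  unreserved TCP ports, rather than only ports labeled for it.` and add one sentence noting that this is a broad grant which lets matrixd_t listen on ports meant for other unlabeled services, so per-port labeling is preferable when the listener set is fixed. Separately, the `server configurations` and `be used in lieu` lines are indented with a different whitespace mix than the surrounding `##  ` lines; matching the existing two-space style keeps the XML description block consistent with the other tunables in this file.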
@@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',`
        postgresql_tcp_connect(matrixd_t)
 ')
 
+tunable_policy(`matrix_bind_all_unreserved_tcp_ports',`
+       corenet_tcp_bind_all_unreserved_ports(matrixd_t)
+')
+
 optional_policy(`
        apache_search_config(matrixd_t)
 ')
- 
+
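Review bot: The new `tunable_policy` block carries no comment explaining that it is a deliberate widening of matrixd_t's network confinement, which is the kind of rule a later reviewer is likely to question or tighten without context. Since the tunable only turns on `corenet_tcp_bind_all_unreserved_ports(matrixd_t)`, I would put a short comment above it such as `# Broad grant for Synapse worker deployments: matrixd_t may name_bind any unreserved TCP port, so it can also squat on ports belonging to other unlabeled services; prefer labeling specific ports when the set of listeners is known.` Note also that this grants bind only; if a worker setup additionally needs matrixd_t to connect to ports that are not already covered by the existing rules, that is not addressed here (I cannot tell from the hunk whether such rules exist elsewhere in the file).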
