diff options
| author |   Kenton Groombridge <concord@gentoo.org> | 2024-05-06 16:33:13 -0400 |
|---|---|---|
| committer | Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:41:45 -0400 |
| commit | 8c2f46403362398b17348da14c551acad1cdc0b4 (patch) | |
| tree | 057d8e36b67f849fb74e2af16a96309fbfd8f0bb | |
| parent | bootloader: allow systemd-boot to manage EFI binaries (diff) | |
| download | hardened-refpolicy-8c2f46403362398b17348da14c551acad1cdc0b4.tar.gz hardened-refpolicy-8c2f46403362398b17348da14c551acad1cdc0b4.tar.bz2 hardened-refpolicy-8c2f46403362398b17348da14c551acad1cdc0b4.zip | |
matrixd: add tunable for binding to all unreserved ports
This is to support using Synapse workers which require binding to
multiple TCP ports in lieu of manually labeling unreserved ports for
use.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
| -rw-r--r-- | policy/modules/services/matrixd.te | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/policy/modules/services/matrixd.te b/policy/modules/services/matrixd.te index c396a3d7c..5f092f31c 100644 --- a/policy/modules/services/matrixd.te +++ b/policy/modules/services/matrixd.te @@ -20,6 +20,16 @@ gen_tunable(matrix_allow_federation, true) ## </desc> gen_tunable(matrix_postgresql_connect, false) +## <desc> +## <p> +## Determine whether Matrixd is allowed to bind all +## TCP ports. This is intended for more complex Matrix +## server configurations (e.g. Synapse workers) and may +## be used in lieu of manually labeling each port. +## </p> +## </desc> +gen_tunable(matrix_bind_all_unreserved_tcp_ports, false) + type matrixd_t; type matrixd_exec_t; init_daemon_domain(matrixd_t, matrixd_exec_t) @@ -117,7 +127,11 @@ tunable_policy(`matrix_postgresql_connect',` postgresql_tcp_connect(matrixd_t) ') +tunable_policy(`matrix_bind_all_unreserved_tcp_ports',` + corenet_tcp_bind_all_unreserved_ports(matrixd_t) +') + optional_policy(` apache_search_config(matrixd_t) ') - + |