Running Syncthing on Fedora 24 with SELinux enforcing.
I had copied the syncthing binary to /usr/bin. I created the following systemd service file:
[Unit]
Description=Syncthing - Open Source Continuous File Synchronization for %I
Documentation=man:syncthing(1)
After=network.target
Wants=syncthing-inotify@.service
[Service]
# systemd directive names are case-sensitive; a lowercase "user=" is rejected as an unknown key
User=skippy
Environment=HOME=/home/skippy
ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4
[Install]
WantedBy=multi-user.target
This worked: the application started and I could connect to it. The auto-update functionality did not work, though, because Syncthing could not create the temporary file at /usr/bin/syncthingsomerandomnumber:
[ND52F] WARNING: Automatic upgrade: open /usr/bin/syncthing029225758: permission denied
I’m not keen to run Syncthing as root, and I’m not keen to give an unprivileged user write access to /usr/bin.
I tried to modify my systemd service file to run under user context, rather than system context, from /home/skippy/bin/syncthing. This ran into many SELinux problems:
AVC avc: denied { execute } for pid=22280 comm="(yncthing)" name="syncthing" dev="dm-0" ino=383264 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc: denied { read open } for pid=8911 comm="(yncthing)" path="/home/skippy/bin/syncthing" dev="dm-0" ino=604299 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc: denied { execute_no_trans } for pid=8980 comm="(yncthing)" path="/home/skippy/bin/syncthing" dev="dm-0" ino=604299 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc: denied { read } for pid=9129 comm="syncthing" name=".stignore" dev="dm-0" ino=12825922 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
AVC avc: denied { name_connect } for pid=9127 comm="syncthing" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
I tried passing these to audit2allow to generate a loadable SELinux module, but every iteration resulted in another thing to tweak.
Before I go through any more cycles of this, I thought I’d see if anyone has a fully defined SELinux policy to properly allow Syncthing to run in user space on an SELinux enabled system. If not, I’ll continue to work on this and share what I find.
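As an added illustration (not part of the original post or of Syncthing), the following script triages AVC denial lines of the kind quoted above: it groups them by source type, target type and object class, unions the denied permissions, and reports which source domains the resulting allow rules would widen. The sample input is the five denials from the post; the rule formatting mimics the `allow` statements audit2allow emits.

```python
import re
from collections import defaultdict

# Sample input: the AVC denial lines quoted in the post above.
AVC_LINES = """\
AVC avc: denied { execute } for pid=22280 comm="(yncthing)" name="syncthing" dev="dm-0" ino=383264 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc: denied { read open } for pid=8911 comm="(yncthing)" path="/home/skippy/bin/syncthing" dev="dm-0" ino=604299 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc: denied { execute_no_trans } for pid=8980 comm="(yncthing)" path="/home/skippy/bin/syncthing" dev="dm-0" ino=604299 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc: denied { read } for pid=9129 comm="syncthing" name=".stignore" dev="dm-0" ino=12825922 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
AVC avc: denied { name_connect } for pid=9127 comm="syncthing" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
"""

# Matches the permission set and the three fields that decide an allow rule.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the denied perms and the SELinux types involved, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type (index 2) is what rules are written against.
    return {
        'perms': frozenset(m.group('perms').split()),
        'src': m.group('scontext').split(':')[2],
        'tgt': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def summarize(text):
    """Group denials by (source type, target type, class), unioning permissions."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            groups[(rec['src'], rec['tgt'], rec['tclass'])] |= rec['perms']
    return dict(groups)


def render_rules(groups):
    """Render each group as the allow rule audit2allow would generate for it."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(groups.items())]


def source_domains(groups):
    """The domains whose privileges the rendered rules would extend."""
    return {s for (s, _, _) in groups}


if __name__ == '__main__':
    summary = summarize(AVC_LINES)
    print('\n'.join(render_rules(summary)))
    print('domains widened:', ', '.join(sorted(source_domains(summary))))
```

Every denial here carries scontext type init_t, so rules built from these lines extend systemd's own domain rather than a domain specific to the service; that is why each audit2allow round uncovers another access to grant.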