Proper setup for SELinux support?

Running Syncthing on Fedora 24 with SELinux enforcing.

I had copied the syncthing binary to /usr/bin. I created the following systemd service file:

[Unit]
Description=Syncthing - Open Source Continuous File Synchronization for %I
Documentation=man:syncthing(1)
After=network.target
Wants=syncthing-inotify@.service

[Service]
# unit-file keys are case-sensitive: "user=" is ignored, "User=" drops privileges
User=skippy
Environment=HOME=/home/skippy
ExecStart=/usr/bin/syncthing -no-browser -no-restart -logflags=0
Restart=on-failure
SuccessExitStatus=3 4
RestartForceExitStatus=3 4

[Install]
WantedBy=multi-user.target

This worked: the application started and I could connect to it. The auto-update functionality did not work, though, because Syncthing could not create the temporary file at /usr/bin/syncthingsomerandomnumber:

[ND52F] WARNING: Automatic upgrade: open /usr/bin/syncthing029225758: permission denied

I’m not keen to run Syncthing as root, and I’m not keen to give an unprivileged user write access to /usr/bin.

I tried to modify my systemd service file to run under user context, rather than system context, from /home/skippy/bin/syncthing. This ran into many SELinux problems:

AVC avc:  denied  { execute } for  pid=22280 comm="(yncthing)" name="syncthing" dev="dm-0" ino=383264 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc:  denied  { read open } for  pid=8911 comm="(yncthing)" path="/home/skippy/bin/syncthing" dev="dm-0" ino=604299 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0

AVC avc:  denied  { execute_no_trans } for  pid=8980 comm="(yncthing)" path="/home/skippy/bin/syncthing" dev="dm-0" ino=604299 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc:  denied  { read } for  pid=9129 comm="syncthing" name=".stignore" dev="dm-0" ino=12825922 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
AVC avc:  denied  { name_connect } for  pid=9127 comm="syncthing" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

I tried passing these to audit2allow to generate a loadable SELinux module, but every iteration resulted in another thing to tweak.

Before I go through any more cycles of this, I thought I’d see if anyone has a fully defined SELinux policy to properly allow Syncthing to run in user space on an SELinux enabled system. If not, I’ll continue to work on this and share what I find.

This is expected as you have installed syncthing system wide.

If you want better control, just install it in userland and auto-updates should work.

If you mess with SELinux, do not forget to set the correct file attributes (list them with ‘ls -Z’, change them with ‘chcon’).
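An added example, not from this thread or the Syncthing project, of how I would triage those denials and apply the labelling fix the reply alludes to. The sample lines and the /home/skippy/bin/syncthing path come from the question; the fix assumes the standard Fedora behaviour that a bin_t executable started by systemd is treated like the /usr/bin copy that worked.

```shell
#!/bin/sh
# Added example, not from the thread. Triage the AVC lines first: all of them
# share one shape, so the fix is labelling, not another audit2allow round.
set -eu

# Three of the denials quoted in the question, used here as sample input.
AVC_SAMPLE='AVC avc:  denied  { execute } for  pid=22280 comm="(yncthing)" name="syncthing" dev="dm-0" ino=383264 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc:  denied  { read open } for  pid=8911 comm="(yncthing)" path="/home/skippy/bin/syncthing" dev="dm-0" ino=604299 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:home_bin_t:s0 tclass=file permissive=0
AVC avc:  denied  { name_connect } for  pid=9127 comm="syncthing" dest=443 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# Reduce raw AVC lines on stdin to unique "source_type tclass {perms} target_type"
# tuples, dropping pids, inodes and the user/role fields of the contexts.
avc_summary() {
  sed -n 's/.*denied  *{ *\([^ }][^}]*[^ }]\) *} .*scontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tcontext=[^:]*:[^:]*:\([^:]*\):[^ ]* tclass=\([^ ]*\).*/\2 \4 {\1} \3/p' |
    sort -u
}

# Succeeds when every denial is sourced from init_t itself. comm="syncthing"
# still running as init_t means exec() never left systemd's domain: there is
# no transition rule for a home_bin_t file, so every later access (the
# .stignore read, the port 443 connect) is judged as if systemd did it.
stuck_in_init_t() {
  summary=$(avc_summary)
  [ -n "$summary" ] && ! printf '%s\n' "$summary" | grep -qv '^init_t '
}

# Persistent fix (run as root): give the binary the bin_t type that /usr/bin
# carries, so systemd treats it like the system-wide copy that worked, while
# the file and its directory stay writable by the user for the in-place
# auto-upgrade. chcon alone is undone by the next relabel; semanage records
# the rule and restorecon applies it. ls -Z shows the result.
label_as_system_binary() {
  semanage fcontext -a -t bin_t "$1"
  restorecon -v "$1"
  ls -Z "$1"
}

# Example run:
#   printf '%s\n' "$AVC_SAMPLE" | avc_summary
#   printf '%s\n' "$AVC_SAMPLE" | stuck_in_init_t && label_as_system_binary /home/skippy/bin/syncthing
```

The other route the reply points at, a unit under ~/.config/systemd/user started with systemctl --user, should sidestep these denials entirely, since the user instance of systemd runs in the user's own context rather than init_t.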
