From e23792990c00245dae4bd5b74a81e30914dbcffb Mon Sep 17 00:00:00 2001
From: Ben Radey
Date: Wed, 8 Oct 2025 22:03:00 -0400
Subject: [PATCH] Building synapse SELinux policy into the image

---
 f42-server/Containerfile | 7 +++++++
 f42-server/synapse.te | 14 ++++++++++++++
 2 files changed, 21 insertions(+)
 create mode 100644 f42-server/synapse.te

diff --git a/f42-server/Containerfile b/f42-server/Containerfile
index ff87a9d..045400e 100644
--- a/f42-server/Containerfile
+++ b/f42-server/Containerfile
@@ -14,6 +14,13 @@ FROM quay.io/fedora/fedora-silverblue:42
 
 COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs
 
+# Set up Synapse SELinux policy
+COPY synapse.te /tmp/synapse.te
+RUN checkmodule -M -m -o /tmp/synapse.mod /tmp/synapse.te \
+    && semodule_package -o /tmp/synapse.pp -m /tmp/synapse.mod \
+    && semodule -i /tmp/synapse.pp \
+    && rm -f /tmp/synapse.{te,mod,pp}
+
 # Install ZFS repository
 RUN rpm-ostree install https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-2-8$(rpm --eval "%{dist}").noarch.rpm && \
     # cleanup and verification stage
diff --git a/f42-server/synapse.te b/f42-server/synapse.te
new file mode 100644
index 0000000..dcc0b03
--- /dev/null
+++ b/f42-server/synapse.te
@@ -0,0 +1,14 @@
+
+module synapse 1.0;
+
+require {
+	type httpd_t;
+	type unreserved_port_t;
+	class tcp_socket name_bind;
+}
+
+#============= httpd_t ==============
+
+#!!!! This avc can be allowed using the boolean 'nis_enabled'
+allow httpd_t unreserved_port_t:tcp_socket name_bind;
+
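Review bot: The `semodule -i /tmp/synapse.pp` step in the new RUN line runs inside an image build where no policy can be loaded into a kernel, so it should say so explicitly with `semodule -n -i /tmp/synapse.pp` (`--noreload`) instead of relying on libsemanage noticing that SELinux is unavailable in the build container. Whether the fedora-silverblue base ships `checkmodule` and `semodule_package` (the checkpolicy and policycoreutils packages) is not visible in this hunk; if it does not, the build fails here and they need to be added before this step. The cleanup `rm -f /tmp/synapse.{te,mod,pp}` depends on bash brace expansion under the default `RUN` shell — listing the three paths explicitly avoids silently leaving the `.te` source in the image if `/bin/sh` is not bash. On an rpm-ostree/bootc base the module store is written under `/etc/selinux/targeted`, and it is worth confirming that content placed in `/etc` during the build actually reaches the deployed system's policy store.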
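Review bot: The single rule `allow httpd_t unreserved_port_t:tcp_socket name_bind;` lets every httpd_t process bind any TCP port not already labelled by policy, which is far broader than letting one Synapse listener bind its port; the leftover audit2allow hint about `nis_enabled` describes an even wider grant and should not ship as the file's only explanation. A narrower fix is to label the specific Synapse listener port (commonly 8008/8448, not shown in this patch) as `http_port_t`, e.g. `semanage port -a -t http_port_t -p tcp 8008` in the Containerfile, which needs no custom module at all; if a module is kept, define a dedicated port type for that port rather than granting `unreserved_port_t`. The file also gives no rationale for why Synapse is confined as `httpd_t` — replace the `#!!!!` line with a comment stating which unit or container runs Synapse under that domain and which port it needs, so the next maintainer can see what the rule is for.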