# AppArmor profile for the matrix-synapse process: read access to a fixed set
# of system and Synapse configuration files, read/write access to its own
# state and log directories, and two narrowly scoped helper executions.
#
# NOTE(review): every `include` in this listing has lost its argument (the
# `<...>` or quoted path is missing, probably stripped when the page was
# extracted). A bare `include` is not a usable rule. Restore the targets from
# the original profile before loading it, and review what each included file
# grants, since included files can widen the policy well beyond the rules
# listed here.
include

# add `flags=(complain)` before `{` to switch to non-enforcement mode
# Complain mode only logs accesses that would have been denied and blocks
# nothing. Use it for tuning and remove the flag before relying on the profile.
#
# The profile name carries no executable path, so nothing visible here
# attaches it to a binary automatically. It confines a process only when
# something assigns it by name (for example systemd's `AppArmorProfile=`).
# How it is applied is not shown on this page; confirm.
profile matrix-synapse {
  include
  include
  include

  # Read-only system configuration: resolver and name-service settings, MIME
  # types, the user database and the OpenSSL configuration.
  /etc/gai.conf r,
  /etc/host.conf r,
  /etc/hosts r,
  /etc/mime.types r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/resolv.conf r,
  /etc/ssl/openssl.cnf r,

  # The process may read only its own /proc entries: `owner` limits the match
  # to files owned by the confined task's user.
  # @{PROC} and @{pid} are variables defined outside this listing, presumably
  # by the first (lost) include. Confirm.
  owner @{PROC}/@{pid}/{fd/,limits,mounts,stat} r,

  # Synapse configuration is readable but never writable under this profile.
  /etc/matrix-synapse/** r,
  # State and logs: directory listing of the state root, and read/write on
  # everything below the state and log directories, restricted by `owner` to
  # files the service user owns.
  owner /var/lib/matrix-synapse/ r,
  owner /var/{lib,log}/matrix-synapse/** rw,

  # /usr/lib/python3.7/ctypes/util.py:287 calls `/sbin/ldconfig -p`
  # NOTE(review): `PUx` runs the target under its own profile if one is
  # loaded and otherwise falls back to running it unconfined (with the
  # environment scrubbed). If no ldconfig profile is loaded on the host, this
  # child runs outside any confinement. Verify that a profile exists, or
  # consider a child profile as is done for dash below.
  /usr/sbin/ldconfig PUx,

  # /usr/lib/python3.7/platform.py:1057 calls `/bin/sh -c 'uname -p 2> /dev/null'`
  # `Cx -> dash` runs the shell under the child profile `dash` defined below,
  # with the environment scrubbed, so the shell cannot use the parent's rules.
  /usr/bin/dash Cx -> dash,

  # Child profile for the shell started above. Besides whatever the lost
  # include grants, it allows only mapping the shell binary and running uname.
  profile dash {
    include
    /usr/bin/dash r,
    # NOTE(review): same `PUx` caveat as for ldconfig. Without a loaded uname
    # profile, this command runs unconfined.
    /usr/bin/uname PUx,
  }
}