Improve the documentation of:
init_script_file() init_daemon_domain() init_system_domain() init_ranged_daemon_domain() init_ranged_system_domain() init_use_fds()
This commit is contained in:
Chris PeBenito
parent
d6887176c1
commit
13f000d2ef
@ -6,16 +6,28 @@
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Create a file type used for init scripts.
|
||||
## Can not be used in conjunction with
|
||||
## init_script_domain().
|
||||
## Create a file type used for init scripts. It can not be
|
||||
## used in conjunction with init_script_domain(). These
|
||||
## script files are typically stored in the /etc/init.d directory.
|
||||
## </p>
|
||||
## <p>
|
||||
## Typically this is used to constrain what services an
|
||||
## admin can start/stop. For example, a policy writer may want
|
||||
## to constrain a web administrator to only being able to
|
||||
## restart the web server, not other services. This special type
|
||||
## will help address that goal.
|
||||
## </p>
|
||||
## <p>
|
||||
## This also makes the type usable for files; thus an
|
||||
## explicit call to files_type() is redundant.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="script_file">
|
||||
## <summary>
|
||||
## Type of the script file used as an entry point to this domain.
|
||||
## Type to be used for a script file.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`init_script_file',`
|
||||
gen_require(`
|
||||
@ -145,11 +157,29 @@ interface(`init_ranged_domain',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain for long running processes
|
||||
## (daemons) which can be started by init scripts.
|
||||
## (daemons/services) which are started by init scripts.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Create a domain for long running processes (daemons/services)
|
||||
## which are started by init scripts. Short running processes
|
||||
## should use the init_system_domain() interface instead.
|
||||
## Typically all long running processes started by an init
|
||||
## script (usually in /etc/init.d) will need to use this
|
||||
## interface.
|
||||
## </p>
|
||||
## <p>
|
||||
## The types will be made usable as a domain and file, making
|
||||
## calls to domain_type() and files_type() redundant.
|
||||
## </p>
|
||||
## <p>
|
||||
## If the process must also run in a specific MLS/MCS level,
|
||||
## the init_ranged_daemon_domain() should be used instead.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
## Type to be used as a daemon domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
@ -157,6 +187,7 @@ interface(`init_ranged_domain',`
|
||||
## Type of the program to be used as an entry point to this domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`init_daemon_domain',`
|
||||
gen_require(`
|
||||
@ -210,11 +241,31 @@ interface(`init_daemon_domain',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain for long running processes
|
||||
## (daemons) which can be started by init scripts.
|
||||
## (daemons/services) which are started by init scripts,
|
||||
## running at a specified MLS/MCS range.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Create a domain for long running processes (daemons/services)
|
||||
## which are started by init scripts, running at a specified
|
||||
## MLS/MCS range. Short running processes
|
||||
## should use the init_ranged_system_domain() interface instead.
|
||||
## Typically all long running processes started by an init
|
||||
## script (usually in /etc/init.d) will need to use this
|
||||
## interface if they need to run in a specific MLS/MCS range.
|
||||
## </p>
|
||||
## <p>
|
||||
## The types will be made usable as a domain and file, making
|
||||
## calls to domain_type() and files_type() redundant.
|
||||
## </p>
|
||||
## <p>
|
||||
## If the policy build option TYPE is standard (MLS and MCS disabled),
|
||||
## this interface has the same behavior as init_daemon_domain().
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
## Type to be used as a daemon domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
@ -224,9 +275,10 @@ interface(`init_daemon_domain',`
|
||||
## </param>
|
||||
## <param name="range">
|
||||
## <summary>
|
||||
## Range for the domain.
|
||||
## MLS/MCS range for the domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`init_ranged_daemon_domain',`
|
||||
gen_require(`
|
||||
@ -248,11 +300,31 @@ interface(`init_ranged_daemon_domain',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain for short running processes
|
||||
## which can be started by init scripts.
|
||||
## which are started by init scripts.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Create a domain for long running processes (daemons/services)
|
||||
## which are started by init scripts. These are generally applications that
|
||||
## are used to initialize the system during boot.
|
||||
## Long running processes
|
||||
## should use the init_daemon_domain() interface instead.
|
||||
## Typically all short running processes started by an init
|
||||
## script (usually in /etc/init.d) will need to use this
|
||||
## interface.
|
||||
## </p>
|
||||
## <p>
|
||||
## The types will be made usable as a domain and file, making
|
||||
## calls to domain_type() and files_type() redundant.
|
||||
## </p>
|
||||
## <p>
|
||||
## If the process must also run in a specific MLS/MCS level,
|
||||
## the init_ranged_system_domain() should be used instead.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
## Type to be used as a system domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
@ -260,6 +332,7 @@ interface(`init_ranged_daemon_domain',`
|
||||
## Type of the program to be used as an entry point to this domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`init_system_domain',`
|
||||
gen_require(`
|
||||
@ -285,11 +358,32 @@ interface(`init_system_domain',`
|
||||
########################################
|
||||
## <summary>
|
||||
## Create a domain for short running processes
|
||||
## which can be started by init scripts.
|
||||
## which are started by init scripts.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Create a domain for long running processes (daemons/services)
|
||||
## which are started by init scripts.
|
||||
## These are generally applications that
|
||||
## are used to initialize the system during boot.
|
||||
## Long running processes
|
||||
## should use the init_ranged_system_domain() interface instead.
|
||||
## Typically all short running processes started by an init
|
||||
## script (usually in /etc/init.d) will need to use this
|
||||
## interface if they need to run in a specific MLS/MCS range.
|
||||
## </p>
|
||||
## <p>
|
||||
## The types will be made usable as a domain and file, making
|
||||
## calls to domain_type() and files_type() redundant.
|
||||
## </p>
|
||||
## <p>
|
||||
## If the policy build option TYPE is standard (MLS and MCS disabled),
|
||||
## this interface has the same behavior as init_system_domain().
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Type to be used as a domain.
|
||||
## Type to be used as a system domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="entry_point">
|
||||
@ -302,6 +396,7 @@ interface(`init_system_domain',`
|
||||
## Range for the domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="read" weight="10"/>
|
||||
#
|
||||
interface(`init_ranged_system_domain',`
|
||||
gen_require(`
|
||||
@ -415,11 +510,51 @@ interface(`init_sigchld',`
|
||||
## <summary>
|
||||
## Inherit and use file descriptors from init.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow the specified domain to inherit file
|
||||
## descriptors from the init program (process ID 1).
|
||||
## Typically the only file descriptors to be
|
||||
## inherited from init are for the console.
|
||||
## This does not allow the domain any access to
|
||||
## the object to which the file descriptors references.
|
||||
## </p>
|
||||
## <p>
|
||||
## Related interfaces:
|
||||
## </p>
|
||||
## <ul>
|
||||
## <li>init_dontaudit_use_fds()</li>
|
||||
## <li>term_dontaudit_use_console()</li>
|
||||
## <li>term_use_console()</li>
|
||||
## </ul>
|
||||
## <p>
|
||||
## Example usage:
|
||||
## </p>
|
||||
## <p>
|
||||
## init_use_fds(mydomain_t)
|
||||
## term_use_console(mydomain_t)
|
||||
## </p>
|
||||
## <p>
|
||||
## Normally, processes that can inherit these file
|
||||
## descriptors (usually services) write messages to the
|
||||
## system log instead of writing to the console.
|
||||
## Therefore, in many cases, this access should
|
||||
## dontaudited instead.
|
||||
## </p>
|
||||
## <p>
|
||||
## Example dontaudit usage:
|
||||
## </p>
|
||||
## <p>
|
||||
## init_dontaudit_use_fds(mydomain_t)
|
||||
## term_dontaudit_use_console(mydomain_t)
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="read" weight="1"/>
|
||||
#
|
||||
interface(`init_use_fds',`
|
||||
gen_require(`
|
||||
|
||||
Loading…
Reference in New Issue
Block a user