rpms/selinux-policy
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Improve the documentation of:

Browse Source 
init_script_file()
init_daemon_domain()
init_system_domain()
init_ranged_daemon_domain()
init_ranged_system_domain()
init_use_fds()
This commit is contained in:
Chris PeBenito 2010-02-25 16:00:58 -05:00
parent d6887176c1
commit 13f000d2ef
1 changed files with 148 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

161
policy/modules/system/init.if
View File

@ -6,16 +6,28 @@
## </summary> ## </summary>
## <desc> ## <desc>
## <p> ## <p>
## Create a file type used for init scripts. ## Create a file type used for init scripts. It can not be
## Can not be used in conjunction with ## used in conjunction with init_script_domain(). These
## init_script_domain(). ## script files are typically stored in the /etc/init.d directory.
## </p>
## <p>
## Typically this is used to constrain what services an
## admin can start/stop. For example, a policy writer may want
## to constrain a web administrator to only being able to
## restart the web server, not other services. This special type
## will help address that goal.
## </p>
## <p>
## This also makes the type usable for files; thus an
## explicit call to files_type() is redundant.
## </p> ## </p>
## </desc> ## </desc>
## <param name="script_file"> ## <param name="script_file">
## <summary> ## <summary>
## Type of the script file used as an entry point to this domain. ## Type to be used for a script file.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="none"/>
# #
interface(`init_script_file',` interface(`init_script_file',`
gen_require(` gen_require(`
@ -145,11 +157,29 @@ interface(`init_ranged_domain',`
######################################## ########################################
## <summary> ## <summary>
## Create a domain for long running processes ## Create a domain for long running processes
## (daemons) which can be started by init scripts. ## (daemons/services) which are started by init scripts.
## </summary> ## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts. Short running processes
## should use the init_system_domain() interface instead.
## Typically all long running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the process must also run in a specific MLS/MCS level,
## the init_ranged_daemon_domain() should be used instead.
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Type to be used as a domain. ## Type to be used as a daemon domain.
## </summary> ## </summary>
## </param> ## </param>
## <param name="entry_point"> ## <param name="entry_point">
@ -157,6 +187,7 @@ interface(`init_ranged_domain',`
## Type of the program to be used as an entry point to this domain. ## Type of the program to be used as an entry point to this domain.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="read" weight="10"/>
# #
interface(`init_daemon_domain',` interface(`init_daemon_domain',`
gen_require(` gen_require(`
@ -210,11 +241,31 @@ interface(`init_daemon_domain',`
######################################## ########################################
## <summary> ## <summary>
## Create a domain for long running processes ## Create a domain for long running processes
## (daemons) which can be started by init scripts. ## (daemons/services) which are started by init scripts,
## running at a specified MLS/MCS range.
## </summary> ## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts, running at a specified
## MLS/MCS range. Short running processes
## should use the init_ranged_system_domain() interface instead.
## Typically all long running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface if they need to run in a specific MLS/MCS range.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the policy build option TYPE is standard (MLS and MCS disabled),
## this interface has the same behavior as init_daemon_domain().
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Type to be used as a domain. ## Type to be used as a daemon domain.
## </summary> ## </summary>
## </param> ## </param>
## <param name="entry_point"> ## <param name="entry_point">
@ -224,9 +275,10 @@ interface(`init_daemon_domain',`
## </param> ## </param>
## <param name="range"> ## <param name="range">
## <summary> ## <summary>
## Range for the domain. ## MLS/MCS range for the domain.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="read" weight="10"/>
# #
interface(`init_ranged_daemon_domain',` interface(`init_ranged_daemon_domain',`
gen_require(` gen_require(`
@ -248,11 +300,31 @@ interface(`init_ranged_daemon_domain',`
######################################## ########################################
## <summary> ## <summary>
## Create a domain for short running processes ## Create a domain for short running processes
## which can be started by init scripts. ## which are started by init scripts.
## </summary> ## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts. These are generally applications that
## are used to initialize the system during boot.
## Long running processes
## should use the init_daemon_domain() interface instead.
## Typically all short running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the process must also run in a specific MLS/MCS level,
## the init_ranged_system_domain() should be used instead.
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Type to be used as a domain. ## Type to be used as a system domain.
## </summary> ## </summary>
## </param> ## </param>
## <param name="entry_point"> ## <param name="entry_point">
@ -260,6 +332,7 @@ interface(`init_ranged_daemon_domain',`
## Type of the program to be used as an entry point to this domain. ## Type of the program to be used as an entry point to this domain.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="read" weight="10"/>
# #
interface(`init_system_domain',` interface(`init_system_domain',`
gen_require(` gen_require(`
@ -285,11 +358,32 @@ interface(`init_system_domain',`
######################################## ########################################
## <summary> ## <summary>
## Create a domain for short running processes ## Create a domain for short running processes
## which can be started by init scripts. ## which are started by init scripts.
## </summary> ## </summary>
## <desc>
## <p>
## Create a domain for long running processes (daemons/services)
## which are started by init scripts.
## These are generally applications that
## are used to initialize the system during boot.
## Long running processes
## should use the init_ranged_system_domain() interface instead.
## Typically all short running processes started by an init
## script (usually in /etc/init.d) will need to use this
## interface if they need to run in a specific MLS/MCS range.
## </p>
## <p>
## The types will be made usable as a domain and file, making
## calls to domain_type() and files_type() redundant.
## </p>
## <p>
## If the policy build option TYPE is standard (MLS and MCS disabled),
## this interface has the same behavior as init_system_domain().
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Type to be used as a domain. ## Type to be used as a system domain.
## </summary> ## </summary>
## </param> ## </param>
## <param name="entry_point"> ## <param name="entry_point">
@ -302,6 +396,7 @@ interface(`init_system_domain',`
## Range for the domain. ## Range for the domain.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="read" weight="10"/>
# #
interface(`init_ranged_system_domain',` interface(`init_ranged_system_domain',`
gen_require(` gen_require(`
@ -415,11 +510,51 @@ interface(`init_sigchld',`
## <summary> ## <summary>
## Inherit and use file descriptors from init. ## Inherit and use file descriptors from init.
## </summary> ## </summary>
## <desc>
## <p>
## Allow the specified domain to inherit file
## descriptors from the init program (process ID 1).
## Typically the only file descriptors to be
## inherited from init are for the console.
## This does not allow the domain any access to
## the object to which the file descriptors references.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>init_dontaudit_use_fds()</li>
## <li>term_dontaudit_use_console()</li>
## <li>term_use_console()</li>
## </ul>
## <p>
## Example usage:
## </p>
## <p>
## init_use_fds(mydomain_t)
## term_use_console(mydomain_t)
## </p>
## <p>
## Normally, processes that can inherit these file
## descriptors (usually services) write messages to the
## system log instead of writing to the console.
## Therefore, in many cases, this access should
## dontaudited instead.
## </p>
## <p>
## Example dontaudit usage:
## </p>
## <p>
## init_dontaudit_use_fds(mydomain_t)
## term_dontaudit_use_console(mydomain_t)
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="read" weight="1"/>
# #
interface(`init_use_fds',` interface(`init_use_fds',`
gen_require(` gen_require(`