Improve documentation for userdomain interfaces:

userdom_use_user_terminals()
userdom_dontaudit_search_user_home_dirs()
userdom_dontaudit_use_unpriv_user_fds()
Chris PeBenito 2010-03-02 14:01:10 -05:00
parent 88daf126f2
commit c46376e665


@ -1392,13 +1392,21 @@ interface(`userdom_search_user_home_dirs',`
######################################## ########################################
## <summary> ## <summary>
## Search user home directories. ## Do not audit attempts to search user home directories.
## </summary> ## </summary>
## <desc>
## <p>
## Do not audit attempts to search user home directories.
## This will supress SELinux denial messages when the specified
## domain is denied the permission to search these directories.
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain to not audit.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="none"/>
# #
interface(`userdom_dontaudit_search_user_home_dirs',` interface(`userdom_dontaudit_search_user_home_dirs',`
gen_require(` gen_require(`
@ -2554,13 +2562,29 @@ interface(`userdom_use_user_ptys',`
######################################## ########################################
## <summary> ## <summary>
## Read and write a user domain tty and pty. ## Read and write a user TTYs and PTYs.
## </summary> ## </summary>
## <desc>
## <p>
## Allow the specified domain to read and write user
## TTYs and PTYs. This will allow the domain to
## interact with the user via the terminal. Typically
## all interactive applications will require this
## access.
## </p>
## <p>
## However, this also allows the applications to spy
## on user sessions or inject information into the
## user session. Thus, this access should likely
## not be allowed for non-interactive domains.
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="both" weight="10"/>
# #
interface(`userdom_use_user_terminals',` interface(`userdom_use_user_terminals',`
gen_require(` gen_require(`
@ -2824,14 +2848,23 @@ interface(`userdom_use_unpriv_users_fds',`
######################################## ########################################
## <summary> ## <summary>
## Do not audit attempts to inherit the ## Do not audit attempts to inherit the file descriptors
## file descriptors from all user domains. ## from unprivileged user domains.
## </summary> ## </summary>
## <desc>
## <p>
## Do not audit attempts to inherit the file descriptors
## from unprivileged user domains. This will supress
## SELinux denial messages when the specified domain is denied
## the permission to inherit these file descriptors.
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain to not audit.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="none"/>
# #
interface(`userdom_dontaudit_use_unpriv_user_fds',` interface(`userdom_dontaudit_use_unpriv_user_fds',`
gen_require(` gen_require(`
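Review bot: The new `<desc>` text misspells "suppress" as "supress" in both dontaudit interfaces (userdom_dontaudit_search_user_home_dirs and userdom_dontaudit_use_unpriv_user_fds). The new summary for userdom_use_user_terminals reads "Read and write a user TTYs and PTYs" and should drop the article: `## Read and write user TTYs and PTYs.`. These comments appear to be the source for the generated interface documentation, so the typos would carry over there. It would also help policy writers if the two dontaudit descriptions said that the access is still denied and only the audit record is hidden, so a denial covered by these interfaces will not appear in the audit log during troubleshooting.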