Improve documentation on files_read_etc_files().

2010-02-24 15:20:03 -05:00 · 2010-02-24 15:20:03 -05:00 · fca4a96bae
commit fca4a96bae
parent 611bc9311d
1 changed files with 34 additions and 0 deletions
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -2111,11 +2111,45 @@ interface(`files_manage_etc_dirs',`
 ## <summary>
 ##	Read generic files in /etc.
 ## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read generic
+##	files in /etc. These files are typically
+##	general system configuration files that do
+##	not have more specific SELinux types.  Some
+##	examples of these files are:
+##	</p>
+##	<ul>
+##		<li>/etc/fstab</li>
+##		<li>/etc/passwd</li>
+##		<li>/etc/services</li>
+##		<li>/etc/shells</li>
+##	</ul>
+##	<p>
+##	This interface does not include access to /etc/shadow.
+##	</p>
+##	<p>
+##	Generally, it is safe for many domains to have
+##	this access.  However, since this interface provides
+##	access to the /etc/passwd file, caution must be
+##	exercised, as user account names can be leaked
+##	through this access.
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>auth_read_shadow()</li>
+##		<li>files_read_etc_runtime_files()</li>
+##		<li>seutil_read_config()</li>
+##	</ul>	
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <infoflow type="read" weight="10"/>
 #
 interface(`files_read_etc_files',`
 	gen_require(`