Navigation

← Previous Changeset
Next Changeset →

Changeset c46376e66552202d21a1ed70166ab3e71c57a0b5

Timestamp:

03/02/10 13:01:10 (5 months ago)

Author:

Chris PeBenito <cpebenito@tresys.com>

Committer:

Chris PeBenito <cpebenito@tresys.com> 1267556470 -0500

Parent:

[88daf126f29a667808a4119a8712df790c468e85]

Message:

Improve documentation for userdomain interfaces:
userdom_use_user_terminals()
userdom_dontaudit_search_user_home_dirs()
userdom_dontaudit_use_unpriv_user_fds()

Files:

policy/modules/system/userdomain.if (modified) (3 diffs)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

policy/modules/system/userdomain.if

rc3c753f	rc46376e
1393	1393	########################################
1394	1394	## <summary>
1395		## Search user home directories.
1396		## </summary>
1397		## <param name="domain">
1398		## <summary>
1399		## Domain allowed access.
1400		## </summary>
1401		## </param>
	1395	## Do not audit attempts to search user home directories.
	1396	## </summary>
	1397	## <desc>
	1398	## <p>
	1399	## Do not audit attempts to search user home directories.
	1400	## This will supress SELinux denial messages when the specified
	1401	## domain is denied the permission to search these directories.
	1402	## </p>
	1403	## </desc>
	1404	## <param name="domain">
	1405	## <summary>
	1406	## Domain to not audit.
	1407	## </summary>
	1408	## </param>
	1409	## <infoflow type="none"/>
1402	1410	#
1403	1411	interface(`userdom_dontaudit_search_user_home_dirs',`
…	…
2555	2563	########################################
2556	2564	## <summary>
2557		## Read and write a user domain tty and pty.
2558		## </summary>
2559		## <param name="domain">
2560		## <summary>
2561		## Domain allowed access.
2562		## </summary>
2563		## </param>
	2565	## Read and write a user TTYs and PTYs.
	2566	## </summary>
	2567	## <desc>
	2568	## <p>
	2569	## Allow the specified domain to read and write user
	2570	## TTYs and PTYs. This will allow the domain to
	2571	## interact with the user via the terminal. Typically
	2572	## all interactive applications will require this
	2573	## access.
	2574	## </p>
	2575	## <p>
	2576	## However, this also allows the applications to spy
	2577	## on user sessions or inject information into the
	2578	## user session. Thus, this access should likely
	2579	## not be allowed for non-interactive domains.
	2580	## </p>
	2581	## </desc>
	2582	## <param name="domain">
	2583	## <summary>
	2584	## Domain allowed access.
	2585	## </summary>
	2586	## </param>
	2587	## <infoflow type="both" weight="10"/>
2564	2588	#
2565	2589	interface(`userdom_use_user_terminals',`
…	…
2825	2849	########################################
2826	2850	## <summary>
2827		## Do not audit attempts to inherit the
2828		## file descriptors from all user domains.
2829		## </summary>
2830		## <param name="domain">
2831		## <summary>
2832		## Domain allowed access.
2833		## </summary>
2834		## </param>
	2851	## Do not audit attempts to inherit the file descriptors
	2852	## from unprivileged user domains.
	2853	## </summary>
	2854	## <desc>
	2855	## <p>
	2856	## Do not audit attempts to inherit the file descriptors
	2857	## from unprivileged user domains. This will supress
	2858	## SELinux denial messages when the specified domain is denied
	2859	## the permission to inherit these file descriptors.
	2860	## </p>
	2861	## </desc>
	2862	## <param name="domain">
	2863	## <summary>
	2864	## Domain to not audit.
	2865	## </summary>
	2866	## </param>
	2867	## <infoflow type="none"/>
2835	2868	#
2836	2869	interface(`userdom_dontaudit_use_unpriv_user_fds',`

Download in other formats:

Unified Diff
Zip Disabled

* Generating other formats may take time.