Improve the documentation of files interfaces:

files_pid_file()
files_config_file()
files_tmp_file()
files_read_etc_runtime_files()
files_read_usr_files()
files_search_var_lib()
files_pid_filetrans()
This commit is contained in:
Chris PeBenito 2010-03-01 10:53:50 -05:00
parent 5fb5bf2686
commit 7cf2858e4a
1 changed files with 162 additions and 3 deletions

View File

@ -58,6 +58,14 @@
## <li>logging_log_file()</li> ## <li>logging_log_file()</li>
## <li>userdom_user_home_content()</li> ## <li>userdom_user_home_content()</li>
## </ul> ## </ul>
## <p>
## Example:
## </p>
## <p>
## type myfile_t;
## files_type(myfile_t)
## allow mydomain_t myfile_t:file read_file_perms;
## </p>
## </desc> ## </desc>
## <param name="type"> ## <param name="type">
## <summary> ## <summary>
@ -160,11 +168,39 @@ interface(`files_security_mountpoint',`
## Make the specified type usable for ## Make the specified type usable for
## runtime process ID files. ## runtime process ID files.
## </summary> ## </summary>
## <desc>
## <p>
## Make the specified type usable for runtime process ID files,
## typically found in /var/run.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a PID file type may result in problems with starting
## or stopping services.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>files_pid_filetrans()</li>
## </ul>
## <p>
## Example usage with a domain that can create and
## write its PID file with a private PID file type in the
## /var/run directory:
## </p>
## <p>
## type mypidfile_t;
## files_pid_file(mypidfile_t)
## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
## files_pid_filetrans(mydomain_t, mypidfile_t, file)
## </p>
## </desc>
## <param name="type"> ## <param name="type">
## <summary> ## <summary>
## Type to be used for PID files. ## Type to be used for PID files.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="none"/>
# #
interface(`files_pid_file',` interface(`files_pid_file',`
gen_require(` gen_require(`
@ -180,11 +216,31 @@ interface(`files_pid_file',`
## Make the specified type a ## Make the specified type a
## configuration file. ## configuration file.
## </summary> ## </summary>
## <desc>
## <p>
## Make the specified type usable for configuration files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## configuration management tools.
## </p>
## <p>
## Example usage with a domain that can read
## its configuration file /etc:
## </p>
## <p>
## type myconffile_t;
## files_config_file(myconffile_t)
## allow mydomain_t myconffile_t:file read_file_perms;
## files_search_etc(mydomain_t)
## </p>
## </desc>
## <param name="file_type"> ## <param name="file_type">
## <summary> ## <summary>
## Type to be used as a configuration file. ## Type to be used as a configuration file.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="none"/>
# #
interface(`files_config_file',` interface(`files_config_file',`
gen_require(` gen_require(`
@ -288,12 +344,39 @@ interface(`files_poly_member_tmp',`
## Make the specified type a file ## Make the specified type a file
## used for temporary files. ## used for temporary files.
## </summary> ## </summary>
## <desc>
## <p>
## Make the specified type usable for temporary files.
## This will also make the type usable for files, making
## calls to files_type() redundant. Failure to use this interface
## for a temporary file may result in problems with
## purging temporary files.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>files_tmp_filetrans()</li>
## </ul>
## <p>
## Example usage with a domain that can create and
## write its temporary file in the system temporary file
## directories (/tmp or /var/tmp):
## </p>
## <p>
## type mytmpfile_t;
## files_tmp_file(mytmpfile_t)
## allow mydomain_t mytmpfile_t:file { create_file_perms write_file_perms };
## files_tmp_filetrans(mydomain_t, mytmpfile_t, file)
## </p>
## </desc>
## <param name="file_type"> ## <param name="file_type">
## <summary> ## <summary>
## Type of the file to be used as a ## Type of the file to be used as a
## temporary file. ## temporary file.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="none"/>
# #
interface(`files_tmp_file',` interface(`files_tmp_file',`
gen_require(` gen_require(`
@ -2178,7 +2261,7 @@ interface(`files_manage_etc_dirs',`
## <li>auth_read_shadow()</li> ## <li>auth_read_shadow()</li>
## <li>files_read_etc_runtime_files()</li> ## <li>files_read_etc_runtime_files()</li>
## <li>seutil_read_config()</li> ## <li>seutil_read_config()</li>
## </ul> ## </ul>
## </desc> ## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
@ -2410,11 +2493,29 @@ interface(`files_create_boot_flag',`
## Read files in /etc that are dynamically ## Read files in /etc that are dynamically
## created on boot, such as mtab. ## created on boot, such as mtab.
## </summary> ## </summary>
## <desc>
## <p>
## Allow the specified domain to read dynamically created
## configuration files in /etc. These files are typically
## general system configuration files that do
## not have more specific SELinux types. Some
## examples of these files are:
## </p>
## <ul>
## <li>/etc/motd</li>
## <li>/etc/mtab</li>
## <li>/etc/nologin</li>
## </ul>
## <p>
## This interface does not include access to /etc/shadow.
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="read" weight="10" />
## <rolecap/> ## <rolecap/>
# #
interface(`files_read_etc_runtime_files',` interface(`files_read_etc_runtime_files',`
@ -3930,11 +4031,29 @@ interface(`files_getattr_usr_files',`
## <summary> ## <summary>
## Read generic files in /usr. ## Read generic files in /usr.
## </summary> ## </summary>
## <desc>
## <p>
## Allow the specified domain to read generic
## files in /usr. These files are various program
## files that do not have more specific SELinux types.
## Some examples of these files are:
## </p>
## <ul>
## <li>/usr/include/*</li>
## <li>/usr/share/doc/*</li>
## <li>/usr/share/info/*</li>
## </ul>
## <p>
## Generally, it is safe for many domains to have
## this access.
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="read" weight="10"/>
# #
interface(`files_read_usr_files',` interface(`files_read_usr_files',`
gen_require(` gen_require(`
@ -4491,11 +4610,25 @@ interface(`files_getattr_var_lib_dirs',`
## <summary> ## <summary>
## Search the /var/lib directory. ## Search the /var/lib directory.
## </summary> ## </summary>
## <desc>
## <p>
## Search the /var/lib directory. This is
## necessary to access files or directories under
## /var/lib that have a private type. For example, a
## domain accessing a private library file in the
## /var/lib directory:
## </p>
## <p>
## allow mydomain_t mylibfile_t:file read_file_perms;
## files_search_var_lib(mydomain_t)
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="read" weight="5"/>
# #
interface(`files_search_var_lib',` interface(`files_search_var_lib',`
gen_require(` gen_require(`
@ -4938,9 +5071,34 @@ interface(`files_read_generic_pids',`
######################################## ########################################
## <summary> ## <summary>
## Create an object in the process ID directory, with a private ## Create an object in the process ID directory, with a private type.
## type using a type transition.
## </summary> ## </summary>
## <desc>
## <p>
## Create an object in the process ID directory (e.g., /var/run)
## with a private type. Typically this is used for creating
## private PID files in /var/run with the private type instead
## of the general PID file type. To accomplish this goal,
## either the program must be SELinux-aware, or use this interface.
## </p>
## <p>
## Related interfaces:
## </p>
## <ul>
## <li>files_pid_file()</li>
## </ul>
## <p>
## Example usage with a domain that can create and
## write its PID file with a private PID file type in the
## /var/run directory:
## </p>
## <p>
## type mypidfile_t;
## files_pid_file(mypidfile_t)
## allow mydomain_t mypidfile_t:file { create_file_perms write_file_perms };
## files_pid_filetrans(mydomain_t, mypidfile_t, file)
## </p>
## </desc>
## <param name="domain"> ## <param name="domain">
## <summary> ## <summary>
## Domain allowed access. ## Domain allowed access.
@ -4956,6 +5114,7 @@ interface(`files_read_generic_pids',`
## The object class of the object being created. ## The object class of the object being created.
## </summary> ## </summary>
## </param> ## </param>
## <infoflow type="write" weight="10"/>
# #
interface(`files_pid_filetrans',` interface(`files_pid_filetrans',`
gen_require(` gen_require(`