From 884309360770a5d264cc22a39742c3a6d573aaef Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Fri, 12 Aug 2005 19:28:30 +0000 Subject: [PATCH] more comments --- refpolicy/policy/modules/kernel/selinux.if | 54 +++++++++++++++++++--- 1 file changed, 47 insertions(+), 7 deletions(-) diff --git a/refpolicy/policy/modules/kernel/selinux.if b/refpolicy/policy/modules/kernel/selinux.if index daf8e8441..837a94aaa 100644 --- a/refpolicy/policy/modules/kernel/selinux.if +++ b/refpolicy/policy/modules/kernel/selinux.if @@ -1,5 +1,5 @@ ## -## Policy for kernel security interface, in particular, selinuxfs. +## Policy for kernel security interface, in particular, selinuxfs. ## ## ## Contains the policy for the kernel SELinux security interface. @@ -61,6 +61,16 @@ interface(`selinux_get_enforce_mode',` ## Allow caller to set the mode of policy enforcement ## (enforcing or permissive mode). ## +## +##

+## Allow caller to set the mode of policy enforcement +## (enforcing or permissive mode). +##

+##

+## Since this is a security event, this action is +## always audited. +##

+##
## ## The process type to allow to set the enforcement mode. ## @@ -110,6 +120,16 @@ interface(`selinux_load_policy',` ## Allow caller to set the state of Booleans to ## enable or disable conditional portions of the policy. ## +## +##

+## Allow caller to set the state of Booleans to +## enable or disable conditional portions of the policy. +##

+##

+## Since this is a security event, this action is +## always audited. +##

+##
## ## The process type allowed to set the Boolean. ## @@ -140,8 +160,19 @@ interface(`selinux_set_boolean',` ######################################## ## -## Allow caller to set selinux security parameters. +## Allow caller to set SELinux access vector cache parameters. ## +## +##

+## Allow caller to set SELinux access vector cache parameters. +## The allows the domain to set performance related parameters +## of the AVC, such as cache threshold. +##

+##

+## Since this is a security event, this action is +## always audited. +##

+##
## ## The process type to allow to set security parameters. ## @@ -206,10 +237,10 @@ interface(`selinux_compute_access_vector',` ######################################## ## -## +## Calculate the default type for object creation. ## ## -## +## Domain allowed access. ## # interface(`selinux_compute_create_context',` @@ -227,10 +258,19 @@ interface(`selinux_compute_create_context',` ######################################## ## -## +## Calculate the context for relabeling objects. ## +## +##

+## Calculate the context for relabeling objects. +## This is determined by using the type_change +## rules in the policy, and is generally used +## for determining the context for relabeling +## a terminal when a user logs in. +##

+##
## -## The process type to +## Domain allowed access. ## # interface(`selinux_compute_relabel_context',` @@ -269,7 +309,7 @@ interface(`selinux_compute_user_contexts',` ######################################## ## -## Unconfined access to the SELinux security server. +## Unconfined access to the SELinux kernel security server. ## ## ## Domain allowed access.