Improve documentation for userdomain interfaces:
userdom_use_user_terminals() userdom_dontaudit_search_user_home_dirs() userdom_dontaudit_use_unpriv_user_fds()
This commit is contained in:
Chris PeBenito
parent
88daf126f2
commit
c46376e665
|
|
@ -1392,13 +1392,21 @@ interface(`userdom_search_user_home_dirs',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Search user home directories.
|
||||
## Do not audit attempts to search user home directories.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Do not audit attempts to search user home directories.
|
||||
## This will supress SELinux denial messages when the specified
|
||||
## domain is denied the permission to search these directories.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`userdom_dontaudit_search_user_home_dirs',`
|
||||
gen_require(`
|
||||
|
|
@ -2554,13 +2562,29 @@ interface(`userdom_use_user_ptys',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read and write a user domain tty and pty.
|
||||
## Read and write a user TTYs and PTYs.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow the specified domain to read and write user
|
||||
## TTYs and PTYs. This will allow the domain to
|
||||
## interact with the user via the terminal. Typically
|
||||
## all interactive applications will require this
|
||||
## access.
|
||||
## </p>
|
||||
## <p>
|
||||
## However, this also allows the applications to spy
|
||||
## on user sessions or inject information into the
|
||||
## user session. Thus, this access should likely
|
||||
## not be allowed for non-interactive domains.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="both" weight="10"/>
|
||||
#
|
||||
interface(`userdom_use_user_terminals',`
|
||||
gen_require(`
|
||||
|
|
@ -2824,14 +2848,23 @@ interface(`userdom_use_unpriv_users_fds',`
|
|||
|
||||
########################################
|
||||
## <summary>
|
||||
## Do not audit attempts to inherit the
|
||||
## file descriptors from all user domains.
|
||||
## Do not audit attempts to inherit the file descriptors
|
||||
## from unprivileged user domains.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Do not audit attempts to inherit the file descriptors
|
||||
## from unprivileged user domains. This will supress
|
||||
## SELinux denial messages when the specified domain is denied
|
||||
## the permission to inherit these file descriptors.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## Domain to not audit.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <infoflow type="none"/>
|
||||
#
|
||||
interface(`userdom_dontaudit_use_unpriv_user_fds',`
|
||||
gen_require(`
|
||||
|
|
|
|||
Loading…
Reference in New Issue