[selinux-policy: 2434/3172] Improve documentation on files_read_etc_files().
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:36:04 UTC 2010
commit fca4a96bae6865d14e577ca89a03b4967f831cf0
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Feb 24 15:20:03 2010 -0500
Improve documentation on files_read_etc_files().
policy/modules/kernel/files.if | 34 ++++++++++++++++++++++++++++++++++
1 files changed, 34 insertions(+), 0 deletions(-)
---
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 6564a31..704dec7 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -2111,11 +2111,45 @@ interface(`files_manage_etc_dirs',`
## <summary>
## Read generic files in /etc.
## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to read generic
+## files in /etc. These files are typically
+## general system configuration files that do
+## not have more specific SELinux types. Some
+## examples of these files are:
+## </p>
+## <ul>
+## <li>/etc/fstab</li>
+## <li>/etc/passwd</li>
+## <li>/etc/services</li>
+## <li>/etc/shells</li>
+## </ul>
+## <p>
+## This interface does not include access to /etc/shadow.
+## </p>
+## <p>
+## Generally, it is safe for many domains to have
+## this access. However, since this interface provides
+## access to the /etc/passwd file, caution must be
+## exercised, as user account names can be leaked
+## through this access.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>auth_read_shadow()</li>
+## <li>files_read_etc_runtime_files()</li>
+## <li>seutil_read_config()</li>
+## </ul>
+## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
+## <infoflow type="read" weight="10"/>
#
interface(`files_read_etc_files',`
gen_require(`
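Review bot: In the "Related interfaces" list at the end of the new <desc>, auth_read_shadow() is listed without any qualifier, a few lines after the paragraph stating that this interface does not include /etc/shadow, so a policy writer could read it as a routine companion to files_read_etc_files() rather than a far more sensitive grant. Consider adding a short phrase to each entry saying what the interface covers and when it is appropriate. In the caution paragraph, the text names only "user account names" as the exposure from /etc/passwd; the file also carries UIDs, GIDs, home directories and login shells, so wording such as "user account information" would describe the read access more accurately. The added <infoflow type="read" weight="10"/> line has no rationale in the description or the commit message; a brief note on why this weight was chosen would help anyone later auditing information flow for domains that call this interface.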