[selinux-policy: 2438/3172] Improve documentation on kernel_read_system_state(), kernel_read_network_state(), and kernel_read_pr

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:36:25 UTC 2010 

commit 7a0c0b40889175cfc1896aad4202589c38ac9c32
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Thu Feb 25 12:59:11 2010 -0500

    Improve documentation on kernel_read_system_state(), kernel_read_network_state(), and kernel_read_proc_symlinks().

 policy/modules/kernel/kernel.if |   74 +++++++++++++++++++++++++++++++++++---
 1 files changed, 68 insertions(+), 6 deletions(-)
---
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 8a970d5..f1fae05 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -759,13 +759,22 @@ interface(`kernel_getattr_proc_files',`
 
 ########################################
 ## <summary>
-##	Read symbolic links in /proc.
+##	Read generic symbolic links in /proc.
 ## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read (follow) generic
+##	symbolic links (symlinks) in the proc filesystem (/proc).
+##	This interface does not include access to the targets of
+##	these links.  An example symlink is /proc/self.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <infoflow type="read" weight="10"/>
 #
 interface(`kernel_read_proc_symlinks',`
 	gen_require(`
@@ -777,13 +786,33 @@ interface(`kernel_read_proc_symlinks',`
 
 ########################################
 ## <summary>
-##	Allows caller to read system state information in proc.
+##	Allows caller to read system state information in /proc.
 ## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read general system
+##	state information from the proc filesystem (/proc).
+##	</p>
+##	<p>
+##	Generally it should be safe to allow this access.  Some
+##	example files that can be read based on this interface:
+##	</p>
+##	<ul>
+##		<li>/proc/cpuinfo</li>
+##		<li>/proc/meminfo</li>
+##		<li>/proc/uptime</li>
+##	</ul>
+##	<p>
+##	This does not allow access to sysctl entries (/proc/sys/*)
+##	nor process state information (/proc/pid).
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The process type reading the system state information.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <infoflow type="read" weight="10"/>
 ## <rolecap/>
 #
 interface(`kernel_read_system_state',`
@@ -1082,13 +1111,24 @@ interface(`kernel_search_network_state',`
 
 ########################################
 ## <summary>
-##	Allow caller to read the network state information.
+##	Read the network state information.
 ## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read the networking
+##	state information. This includes several pieces
+##	of networking information, such as network interface
+##	names, netfilter (iptables) statistics, protocol
+##	information, routes, and remote procedure call (RPC)
+##	information.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
-##	The process type reading the state.
+##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <infoflow type="read" weight="10"/>
 ## <rolecap/>
 #
 interface(`kernel_read_network_state',`
@@ -1650,13 +1690,35 @@ interface(`kernel_read_crypto_sysctls',`
 
 ########################################
 ## <summary>
-##	Read generic kernel sysctls.
+##	Read general kernel sysctls.
 ## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to read general
+##	kernel sysctl settings. These settings are typically
+##	read using the sysctl program.  The settings
+##	that are included by this interface are prefixed
+##	with "kernel.", for example, kernel.sysrq.
+##	</p>
+##	<p>
+##	This does not include access to the hotplug
+##	handler setting (kernel.hotplug)
+##	nor the module installer handler setting
+##	(kernel.modprobe).
+##	</p>
+##	<p>
+##	Related interfaces:
+##	</p>
+##	<ul>
+##		<li>kernel_rw_kernel_sysctl()</li>
+##	</ul>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <infoflow type="read" weight="10"/>
 #
 interface(`kernel_read_kernel_sysctls',`
 	gen_require(`

More information about the scm-commits mailing list