From c46376e66552202d21a1ed70166ab3e71c57a0b5 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Mar 02 2010 19:01:10 +0000 Subject: Improve documentation for userdomain interfaces: userdom_use_user_terminals() userdom_dontaudit_search_user_home_dirs() userdom_dontaudit_use_unpriv_user_fds() --- diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index cd08bc3..b18abce 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -1392,13 +1392,21 @@ interface(`userdom_search_user_home_dirs',` ######################################## ## -## Search user home directories. +## Do not audit attempts to search user home directories. ## +## +##

+## Do not audit attempts to search user home directories. +## This will supress SELinux denial messages when the specified +## domain is denied the permission to search these directories. +##

+##
## ## -## Domain allowed access. +## Domain to not audit. ## ## +## # interface(`userdom_dontaudit_search_user_home_dirs',` gen_require(` @@ -2554,13 +2562,29 @@ interface(`userdom_use_user_ptys',` ######################################## ## -## Read and write a user domain tty and pty. +## Read and write a user TTYs and PTYs. ## +## +##

+## Allow the specified domain to read and write user +## TTYs and PTYs. This will allow the domain to +## interact with the user via the terminal. Typically +## all interactive applications will require this +## access. +##

+##

+## However, this also allows the applications to spy +## on user sessions or inject information into the +## user session. Thus, this access should likely +## not be allowed for non-interactive domains. +##

+##
## ## ## Domain allowed access. ## ## +## # interface(`userdom_use_user_terminals',` gen_require(` @@ -2824,14 +2848,23 @@ interface(`userdom_use_unpriv_users_fds',` ######################################## ## -## Do not audit attempts to inherit the -## file descriptors from all user domains. +## Do not audit attempts to inherit the file descriptors +## from unprivileged user domains. ## +## +##

+## Do not audit attempts to inherit the file descriptors +## from unprivileged user domains. This will supress +## SELinux denial messages when the specified domain is denied +## the permission to inherit these file descriptors. +##

+##
## ## -## Domain allowed access. +## Domain to not audit. ## ## +## # interface(`userdom_dontaudit_use_unpriv_user_fds',` gen_require(`