diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 67bf8ce..12d9b15 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -6,16 +6,28 @@ ## ## ##

-## Create a file type used for init scripts.
-## Can not be used in conjunction with
-## init_script_domain().
+## Create a file type used for init scripts. It can not be
+## used in conjunction with init_script_domain(). These
+## script files are typically stored in the /etc/init.d directory.
+##

+##

+## Typically this is used to constrain what services an
+## admin can start/stop. For example, a policy writer may want
+## to constrain a web administrator to only being able to
+## restart the web server, not other services. This special type
+## will help address that goal.
+##

+##

+## This also makes the type usable for files; thus an +## explicit call to files_type() is redundant. ##

##
## ## -## Type of the script file used as an entry point to this domain. +## Type to be used for a script file. ## ## +## # interface(`init_script_file',` gen_require(` @@ -145,11 +157,29 @@ interface(`init_ranged_domain',` ######################################## ## ## Create a domain for long running processes -## (daemons) which can be started by init scripts. +## (daemons/services) which are started by init scripts. ## +## +##

+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts. Short running processes
+## should use the init_system_domain() interface instead.
+## Typically all long running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface.
+##

+##

+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+##

+##

+## If the process must also run in a specific MLS/MCS level,
+## the init_ranged_daemon_domain() should be used instead.
+##

+##
## ## -## Type to be used as a domain. +## Type to be used as a daemon domain. ## ## ## @@ -157,6 +187,7 @@ interface(`init_ranged_domain',` ## Type of the program to be used as an entry point to this domain. ## ## +## # interface(`init_daemon_domain',` gen_require(` @@ -210,11 +241,31 @@ interface(`init_daemon_domain',` ######################################## ## ## Create a domain for long running processes -## (daemons) which can be started by init scripts. +## (daemons/services) which are started by init scripts, +## running at a specified MLS/MCS range. ## +## +##

+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts, running at a specified
+## MLS/MCS range. Short running processes
+## should use the init_ranged_system_domain() interface instead.
+## Typically all long running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface if they need to run in a specific MLS/MCS range.
+##

+##

+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+##

+##

+## If the policy build option TYPE is standard (MLS and MCS disabled),
+## this interface has the same behavior as init_daemon_domain().
+##

+##
## ## -## Type to be used as a domain. +## Type to be used as a daemon domain. ## ## ## @@ -224,9 +275,10 @@ interface(`init_daemon_domain',` ## ## ## -## Range for the domain. +## MLS/MCS range for the domain. ## ## +## # interface(`init_ranged_daemon_domain',` gen_require(` @@ -248,11 +300,31 @@ interface(`init_ranged_daemon_domain',` ######################################## ## ## Create a domain for short running processes -## which can be started by init scripts. +## which are started by init scripts. ## +## +##

+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts. These are generally applications that
+## are used to initialize the system during boot.
+## Long running processes
+## should use the init_daemon_domain() interface instead.
+## Typically all short running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface.
+##

+##

+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+##

+##

+## If the process must also run in a specific MLS/MCS level,
+## the init_ranged_system_domain() should be used instead.
+##

+##
## ## -## Type to be used as a domain. +## Type to be used as a system domain. ## ## ## @@ -260,6 +332,7 @@ interface(`init_ranged_daemon_domain',` ## Type of the program to be used as an entry point to this domain. ## ## +## # interface(`init_system_domain',` gen_require(` @@ -285,11 +358,32 @@ interface(`init_system_domain',` ######################################## ## ## Create a domain for short running processes -## which can be started by init scripts. +## which are started by init scripts. ## +## +##
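Review bot: The first sentence of the new init_system_domain() description says it creates a domain for `long running processes (daemons/services)`, which contradicts the summary directly above it and the later sentence that sends long running processes to init_daemon_domain(); it looks carried over from the daemon interface. It should read `Create a domain for short running processes which are started by init scripts.` The same opening sentence appears in the init_ranged_system_domain() hunk further down. Policy writers pick between the daemon and system variants from this text, so a wrong description can lead to a new type being declared through the wrong interface.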

+## Create a domain for long running processes (daemons/services)
+## which are started by init scripts.
+## These are generally applications that
+## are used to initialize the system during boot.
+## Long running processes
+## should use the init_ranged_system_domain() interface instead.
+## Typically all short running processes started by an init
+## script (usually in /etc/init.d) will need to use this
+## interface if they need to run in a specific MLS/MCS range.
+##

+##

+## The types will be made usable as a domain and file, making
+## calls to domain_type() and files_type() redundant.
+##

+##

+## If the policy build option TYPE is standard (MLS and MCS disabled),
+## this interface has the same behavior as init_system_domain().
+##

+##
## ## -## Type to be used as a domain. +## Type to be used as a system domain. ## ## ## @@ -302,6 +396,7 @@ interface(`init_system_domain',` ## Range for the domain. ## ## +## # interface(`init_ranged_system_domain',` gen_require(` @@ -415,11 +510,51 @@ interface(`init_sigchld',` ## ## Inherit and use file descriptors from init. ## +## +##
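Review bot: The init_ranged_system_domain() description tells long running processes to use `init_ranged_system_domain()`, which is the interface being documented. Judging by the other three descriptions in this patch, the intended target is presumably the ranged daemon interface: `Long running processes should use the init_ranged_daemon_domain() interface instead.` The range parameter of this interface, visible as context in the next hunk, is still documented as `Range for the domain.`, while the daemon variant was changed to `MLS/MCS range for the domain.`; the two should use the same wording.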

+## Allow the specified domain to inherit file
+## descriptors from the init program (process ID 1).
+## Typically the only file descriptors to be
+## inherited from init are for the console.
+## This does not allow the domain any access to
+## the object to which the file descriptors references.
+##

+##

+## Related interfaces:
+##

+##
    +##
  • init_dontaudit_use_fds()
  • +##
  • term_dontaudit_use_console()
  • +##
  • term_use_console()
  • +##
+##

+## Example usage:
+##

+##

+## init_use_fds(mydomain_t)
+## term_use_console(mydomain_t)
+##

+##

+## Normally, processes that can inherit these file
+## descriptors (usually services) write messages to the
+## system log instead of writing to the console.
+## Therefore, in many cases, this access should
+## dontaudited instead.
+##

+##

+## Example dontaudit usage:
+##

+##

+## init_dontaudit_use_fds(mydomain_t)
+## term_dontaudit_use_console(mydomain_t)
+##

+##
## ## ## Domain allowed access. ## ## +## # interface(`init_use_fds',` gen_require(`
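Review bot: Two sentences in the new init_use_fds() description are ungrammatical: `the object to which the file descriptors references` should be `the objects that the file descriptors reference`, and `this access should dontaudited instead` is missing `be`. The dontaudit recommendation would also benefit from one more sentence for the reader who follows it, along the lines of `Note that dontaudit rules hide the denial from the audit log; rebuild the policy with dontaudit rules disabled (semodule -DB) when troubleshooting.` Without that caveat, a denial silenced this way is easy to overlook when a service later misbehaves.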