diff --git a/www/html/getting-started.html b/www/html/getting-started.html
index 8327fe9..dd3e014 100644
--- a/www/html/getting-started.html
+++ b/www/html/getting-started.html
@@ -34,8 +34,81 @@ This creates all fo the types needed for this module, including a type for the p
 Let's expand this example further by allowing some access for these types. My application needs access between it's own types and access to read random numbers. The access between private types is written exactly the same way current policy rules are written, i.e.:
-allow myapp_t myapp_log_t : file ra_file_perms;
-allow myapp_t myapp_tmp_t : file rw_file_perms;
+allow myapp_t myapp_log_t:file ra_file_perms;
+allow myapp_t myapp_tmp_t:file create_file_perms;
+files_create_tmp_files(myapp_t,myapp_tmp_t,file)
++
+First, let's create myapp.if and add the following:
+
+## <module name="myapp" layer="apps">
+## <summary>Myapp example policy</summary>
+## <description>More descriptive text about myapp</description>
+
+## <interface name="myapp_domtrans">
+## <summary>
+## Execute a domain transition to run myapp.
+## </summary>
+## <parameter name="domain">
+## Domain allowed to transition.
+## </parameter>
+## </interface>
+define(`myapp_domtrans',`
+ gen_requires(`
+ type myapp_t, myapp_exec_t;
+ class fd use;
+ class process sigchld;
+ class fifo_file rw_file_perms;
+ ')
+
+ domain_auto_trans($1,myapp_exec_t,myapp_t)
+
+ allow $1 myapp_t:fd use;
+ allow myapp_t $1:fd use;
+ allow $1 myapp_t:fifo_file rw_file_perms;
+ allow $1 myapp_t:process sigchld;
+')
+
+## <interface name="myapp_read_log">
+## <summary>
+## Read myapp log files.
+## </summary>
+## <parameter name="domain">
+## Domain allowed to read the log files.
+## </parameter>
+## </interface>
+define(`myapp_read_log',`
+ gen_requires(`
+ type myapp_log_t;
+ class file r_file_perms;
+ ')
+
+ logging_search_logs($1)
+ allow $1 myapp_log_t:file r_file_perms;
+')
+
+## </module>
++
+The second interface allows other domains to read myapp's log files. Myapp's
+log files are in the /var/log directory, so the access to search the /var/log
+directory is also given by the interface. The gen_requires() macro is used to
+support loadable policy modules, and must explicitly list the type, attributes,
+object classes, and permissions used by this interface.
+