diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 5667bcc..6c0c20b 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -35,11 +35,42 @@ interface(`domain_base_type',`
 ## <summary>
 ## Make the specified type usable as a domain.
 ## </summary>
+## <desc>
+## <p>
+## Make the specified type usable as a domain. This,
+## or an interface that calls this interface, must be
+## used on all types that are used as domains.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>application_domain()</li>
+## <li>init_daemon_domain()</li>
+## <li>init_domaion()</li>
+## <li>init_ranged_daemon_domain()</li>
+## <li>init_ranged_domain()</li>
+## <li>init_ranged_system_domain()</li>
+## <li>init_script_domain()</li>
+## <li>init_system_domain()</li>
+## </ul>
+## <p>
+## Example:
+## </p>
+## <p>
+## type mydomain_t;
+## domain_type(mydomain_t)
+## type myfile_t;
+## files_type(myfile_t)
+## allow mydomain_t myfile_t:file read_file_perms;
+## </p>
+## </desc>
 ## <param name="type">
 ## <summary>
 ## Type to be used as a domain type.
 ## </summary>
 ## </param>
+## <infoflow type="none"/>
 #
 interface(`domain_type',`
 # start with basic domain
@@ -340,11 +371,20 @@ interface(`domain_cron_exemption_target',`
 ## Inherit and use file descriptors from
 ## domains with interactive programs.
 ## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to inherit and use file
+## descriptors from domains with interactive programs.
+## This does not allow access to the objects being referenced
+## by the file descriptors.
+## </p>
+## </desc>
 ## <param name="domain">
 ## <summary>
 ## Domain allowed access.
 ## </summary>
 ## </param>
+## <infoflow type="read" weight="1"/>
 #
 interface(`domain_use_interactive_fds',`
 gen_require(`
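Review bot: The new "Related interfaces" list in the `domain_type` description misspells one entry as `init_domaion()`; it should read `## <li>init_domain()</li>`. Policy writers use this list to find the right wrapper for declaring a domain, and a name that matches no interface sends them to a search that finds nothing. The body of `domain_type` continues outside the hunk, so nothing beyond the doc comment was checked.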