diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if index 6564a31..704dec7 100644 --- a/policy/modules/kernel/files.if +++ b/policy/modules/kernel/files.if @@ -2111,11 +2111,45 @@ interface(`files_manage_etc_dirs',` ## ## Read generic files in /etc. ## +## +##

+## Allow the specified domain to read generic +## files in /etc. These files are typically +## general system configuration files that do +## not have more specific SELinux types. Some +## examples of these files are: +##

+## +##

+## This interface does not include access to /etc/shadow. +##

+##

+## Generally, it is safe for many domains to have +## this access. However, since this interface provides +## access to the /etc/passwd file, caution must be +## exercised, as user account names can be leaked +## through this access. +##

+##

+## Related interfaces: +##

+## +##
## ## ## Domain allowed access. ## ## +## # interface(`files_read_etc_files',` gen_require(`