It means that a process can access file handles opened by another process (usually inheriting file handles from parent but sometimes exchanging them via unix domain sockets), can access dir and file for the process (see the process in ps output) and read/write named pipes created by another process. Might not be desirable but no doubt about what it does.

On 5 August 2014 1:41:36 PM AEST, Zhi Xin <xinzhi@xxxxxxxxxxx> wrote:
>Hi,
>
>Recently, I'm working on SEAndroid for kk4.4. I found that some policies
>are confusing in sepolicy/unconfineddomain.te.
>
>allow unconfineddomain domain:fd *;
>
>allow unconfineddomain domain:dir r_dir_perms;
>
>allow unconfineddomain domain:lnk_file r_file_perms;
>
>allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
>
>I know sometimes object can be a domain. But when object is domain,
>should class be process? In the examples above, the classes are dir,
>lnk_file and file. How can this happen? Does anyone know any scenario
>that fits these situations?
>
>Thanks.
>Sincerely
>Alan Xin
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Selinux mailing list
>Selinux@xxxxxxxxxxxxx
>To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
>To get help, send an email containing "help" to
>Selinux-request@xxxxxxxxxxxxx.

--
Sent from my Samsung Galaxy Note 2 with K-9 Mail.
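An added example, not part of the original thread: a small Python sketch that expands the four quoted rules into per-class permission sets, showing that the class names the kind of object while `domain` is only the label on it. The macro expansions in `MACROS` are assumptions modelled on AOSP-style `global_macros`, and the helper names `parse` and `allowed` are hypothetical.

```python
import re

# Assumed macro expansions (modelled on AOSP-style global_macros; check your tree).
MACROS = {
    "r_dir_perms": {"open", "getattr", "read", "search", "ioctl"},
    "r_file_perms": {"getattr", "open", "read", "ioctl", "lock"},
    "rw_file_perms": {"getattr", "open", "read", "ioctl", "lock", "append", "write"},
}

# The four rules quoted in the thread.
RULES = """
allow unconfineddomain domain:fd *;
allow unconfineddomain domain:dir r_dir_perms;
allow unconfineddomain domain:lnk_file r_file_perms;
allow unconfineddomain domain:{ fifo_file file } rw_file_perms;
"""

# allow <source> <target>:<class or { class set }> <perm or { perm set }>;
RULE_RE = re.compile(
    r"allow\s+(\S+)\s+([^\s:]+):(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+)\s*;")

def parse(text):
    """Return {(source, target, class): permissions}; '*' means every permission."""
    av = {}
    for src, tgt, classes, perms in RULE_RE.findall(text):
        for cls in classes.strip("{} ").split():
            granted = av.setdefault((src, tgt, cls), set())
            for perm in perms.strip("{} ").split():
                granted |= MACROS.get(perm, {perm})
    return av

def allowed(av, src, tgt, cls, perm):
    """True if the parsed rules grant perm on an object of class cls labelled tgt."""
    granted = av.get((src, tgt, cls), set())
    return "*" in granted or perm in granted

if __name__ == "__main__":
    av = parse(RULES)
    # Same target label, different object classes, different permissions.
    for cls, perm in [("fd", "use"), ("dir", "read"), ("dir", "write"),
                      ("lnk_file", "read"), ("fifo_file", "write"),
                      ("process", "signal")]:
        verdict = "allowed" if allowed(av, "unconfineddomain", "domain", cls, perm) else "not granted"
        print(f"{cls:10} {perm:8} {verdict}")
```

The lookup is literal: it does not resolve attributes to member types, so it only answers questions phrased with the same names the rules use.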