From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 31 May 2017 20:44:03 -0400
Subject: [refpolicy] [PATCH 1/4] consolekit: introduce
 consolekit_use_inhibit_lock interface
In-Reply-To: <20170526161640.GA30439@julius.enp8s0.d30>
References: <20170526161054.15183-1-jason@perfinion.com>
	<20170526161054.15183-2-jason@perfinion.com>
	<20170526161640.GA30439@julius.enp8s0.d30>
Message-ID: <9cc0263f-99da-0785-ea05-25b0b57f9111@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/26/2017 12:16 PM, Dominick Grift via refpolicy wrote:
> On Sat, May 27, 2017 at 12:10:51AM +0800, Jason Zaman via refpolicy wrote:
>> Applications hold FDs while they hold the lock.
>> Implements this API:
>> https://www.freedesktop.org/wiki/Software/systemd/inhibit/
>> ---
>>  consolekit.if | 19 +++++++++++++++++++
>>  1 file changed, 19 insertions(+)
>>
>> diff --git a/consolekit.if b/consolekit.if
>> index 5b830ec..c2c203f 100644
>> --- a/consolekit.if
>> +++ b/consolekit.if
>> @@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',`
>>
>>  ########################################
>>  ## <summary>
>> +##	Take inhibit locks from consolekit
>> +## </summary>
>> +## <param name="domain">
>> +##	<summary>
>> +##	Domain allowed access.
>> +##	</summary>
>> +## </param>
>> +#
>> +interface(`consolekit_use_inhibit_lock',`
>> +	gen_require(`
>> +		type consolekit_t, consolekit_var_run_t;
>> +	')
>> +
>> +	allow $1 consolekit_t:fd use;
>> +	allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms;
>
> I suppose my personal preference would be consolekit_rw_inherited_runtime_fifo_files():
>
> allow $1 consolekit_t:fd use;
> allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;

Agreed, that seems to match more what is described.


> But consolekit_use_inhibit_lock() sounds fine as well...

I'm ok with the interface name as long as you put that explanation in 
the patch set overview email in the interface's description tag.


-- 
Chris PeBenito