From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 31 May 2017 20:44:03 -0400
Subject: [refpolicy] [PATCH 1/4] consolekit: introduce
consolekit_use_inhibit_lock interface
In-Reply-To: <20170526161640.GA30439@julius.enp8s0.d30>
References: <20170526161054.15183-1-jason@perfinion.com>
<20170526161054.15183-2-jason@perfinion.com>
<20170526161640.GA30439@julius.enp8s0.d30>
Message-ID: <9cc0263f-99da-0785-ea05-25b0b57f9111@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 05/26/2017 12:16 PM, Dominick Grift via refpolicy wrote:
> On Sat, May 27, 2017 at 12:10:51AM +0800, Jason Zaman via refpolicy wrote:
>> Applications hold FDs while they hold the lock.
>> Implements this API:
>> https://www.freedesktop.org/wiki/Software/systemd/inhibit/
>> ---
>> consolekit.if | 19 +++++++++++++++++++
>> 1 file changed, 19 insertions(+)
>>
>> diff --git a/consolekit.if b/consolekit.if
>> index 5b830ec..c2c203f 100644
>> --- a/consolekit.if
>> +++ b/consolekit.if
>> @@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',`
>>
>> ########################################
>> ##
>> +## Take inhibit locks from consolekit
>> +##
>> +##
>> +##
>> +## Domain allowed access.
>> +##
>> +##
>> +#
>> +interface(`consolekit_use_inhibit_lock',`
>> + gen_require(`
>> + type consolekit_t, consolekit_var_run_t;
>> + ')
>> +
>> + allow $1 consolekit_t:fd use;
>> + allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms;
>
> I suppose my personal preference would be consolekit_rw_inherited_runtime_fifo_files():
>
> allow $1 consolekit_t:fd use;
> allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
Agreed, that seems to match more what is described.
> But consolekit_use_inhibit_lock() sounds fine as well...
I'm ok with the interface name as long as you put that explanation in
the patch set overview email in the interface's description tag.
--
Chris PeBenito