From: pebenito@ieee.org (Chris PeBenito) Date: Wed, 31 May 2017 20:44:03 -0400 Subject: [refpolicy] [PATCH 1/4] consolekit: introduce consolekit_use_inhibit_lock interface In-Reply-To: <20170526161640.GA30439@julius.enp8s0.d30> References: <20170526161054.15183-1-jason@perfinion.com> <20170526161054.15183-2-jason@perfinion.com> <20170526161640.GA30439@julius.enp8s0.d30> Message-ID: <9cc0263f-99da-0785-ea05-25b0b57f9111@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 05/26/2017 12:16 PM, Dominick Grift via refpolicy wrote: > On Sat, May 27, 2017 at 12:10:51AM +0800, Jason Zaman via refpolicy wrote: >> Applications hold FDs while they hold the lock. >> Implements this API: >> https://www.freedesktop.org/wiki/Software/systemd/inhibit/ >> --- >> consolekit.if | 19 +++++++++++++++++++ >> 1 file changed, 19 insertions(+) >> >> diff --git a/consolekit.if b/consolekit.if >> index 5b830ec..c2c203f 100644 >> --- a/consolekit.if >> +++ b/consolekit.if >> @@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',` >> >> ######################################## >> ## >> +## Take inhibit locks from consolekit >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`consolekit_use_inhibit_lock',` >> + gen_require(` >> + type consolekit_t, consolekit_var_run_t; >> + ') >> + >> + allow $1 consolekit_t:fd use; >> + allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms; > > I suppose my personal preference would be consolekit_rw_inherited_runtime_fifo_files(): > > allow $1 consolekit_t:fd use; > allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms; Agreed, that seems to match more what is described. > But consolekit_use_inhibit_lock() sounds fine as well... I'm ok with the interface name as long as you put that explanation in the patch set overview email in the interface's description tag. -- Chris PeBenito
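Review bot: The fifo_file rule in consolekit_use_inhibit_lock grants rw_fifo_file_perms, which includes open, while the commit message says applications only hold FDs while they hold the lock. Because the descriptor reaches the caller through `allow $1 consolekit_t:fd use;`, rw_inherited_fifo_file_perms would be sufficient and would not let the calling domain open consolekit_var_run_t fifos itself. The description line "Take inhibit locks from consolekit" should also say that the lock is a fifo file descriptor held by the caller and point to the inhibit API named in the commit message, so that later users of the interface can tell why both rules are needed.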