From: dac.override@gmail.com (Dominick Grift)
Date: Fri, 26 May 2017 18:16:40 +0200
Subject: [refpolicy] [PATCH 1/4] consolekit: introduce
 consolekit_use_inhibit_lock interface
In-Reply-To: <20170526161054.15183-2-jason@perfinion.com>
References: <20170526161054.15183-1-jason@perfinion.com>
	<20170526161054.15183-2-jason@perfinion.com>
Message-ID: <20170526161640.GA30439@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, May 27, 2017 at 12:10:51AM +0800, Jason Zaman via refpolicy wrote:
> Applications hold FDs while they hold the lock.
> Implements this API:
> https://www.freedesktop.org/wiki/Software/systemd/inhibit/
> ---
>  consolekit.if | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/consolekit.if b/consolekit.if
> index 5b830ec..c2c203f 100644
> --- a/consolekit.if
> +++ b/consolekit.if
> @@ -42,6 +42,25 @@ interface(`consolekit_dbus_chat',`
>  
>  ########################################
>  ## <summary>
> +##	Take inhibit locks from consolekit
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`consolekit_use_inhibit_lock',`
> +	gen_require(`
> +		type consolekit_t, consolekit_var_run_t;
> +	')
> +
> +	allow $1 consolekit_t:fd use;
> +	allow $1 consolekit_var_run_t:fifo_file rw_fifo_file_perms;

I suppose my personal preference would be consolekit_rw_inherited_runtime_fifo_files():

allow $1 consolekit_t:fd use;
allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;

But consolekit_use_inhibit_lock() sounds fine as well...

> +')
> +
> +########################################
> +## <summary>
>  ##	Read consolekit log files.
>  ## </summary>
>  ## <param name="domain">
> -- 
> 2.13.0
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170526/f53b786b/attachment.bin