From: jason@perfinion.com (Jason Zaman)
Date: Sun,  4 Jun 2017 23:23:48 +0800
Subject: [refpolicy] [PATCH v2 4/6] consolekit: introduce
	consolekit_use_inhibit_lock interface
In-Reply-To: <20170604152350.27036-1-jason@perfinion.com>
References: <20170604152350.27036-1-jason@perfinion.com>
Message-ID: <20170604152350.27036-4-jason@perfinion.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Applications hold FDs while they hold the lock.
Implements this API:
https://www.freedesktop.org/wiki/Software/systemd/inhibit/
---
changes from v1:
- rw_fifo_file_perms -> rw_inherited_fifo_file_perms
- updated the description in the interface with more detail from the previous summary
- Added the manage_fifo_fle_perms to the .te file in this patch instead of in the previous one
---
 consolekit.if | 23 +++++++++++++++++++++++
 consolekit.te |  1 +
 2 files changed, 24 insertions(+)

diff --git a/consolekit.if b/consolekit.if
index 5b830ec..e5cc843 100644
--- a/consolekit.if
+++ b/consolekit.if
@@ -42,6 +42,29 @@ interface(`consolekit_dbus_chat',`
 
 ########################################
 ## <summary>
+##	Use consolekit inhibit locks.
+##
+##	The program gets passed an FD to a fifo_file to hold.
+##	When the application is done with the lock, it closes the FD.
+##	Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`consolekit_use_inhibit_lock',`
+	gen_require(`
+		type consolekit_t, consolekit_var_run_t;
+	')
+
+	allow $1 consolekit_t:fd use;
+	allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
+')
+
+########################################
+## <summary>
 ##	Read consolekit log files.
 ## </summary>
 ## <param name="domain">
diff --git a/consolekit.te b/consolekit.te
index ad7ea36..ea4db82 100644
--- a/consolekit.te
+++ b/consolekit.te
@@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)
 
 manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
+manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
 files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })
 
 kernel_read_system_state(consolekit_t)
-- 
2.13.0