From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 4 Jun 2017 20:32:44 -0400
Subject: [refpolicy] [PATCH v2 4/6] consolekit: introduce consolekit_use_inhibit_lock interface
In-Reply-To: <20170604152350.27036-4-jason@perfinion.com>
References: <20170604152350.27036-1-jason@perfinion.com> <20170604152350.27036-4-jason@perfinion.com>
Message-ID: <442c330f-fd91-773f-2c0d-f3124c378eda@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 06/04/2017 11:23 AM, Jason Zaman wrote:
> Applications hold FDs while they hold the lock.
> Implements this API:
> https://www.freedesktop.org/wiki/Software/systemd/inhibit/
> ---
> changes from v1:
> - rw_fifo_file_perms -> rw_inherited_fifo_file_perms
> - updated the description in the interface with more detail from the previous summary
> - Added the manage_fifo_file_perms to the .te file in this patch instead of in the previous one
> ---
> consolekit.if | 23 +++++++++++++++++++++++
> consolekit.te | 1 +
> 2 files changed, 24 insertions(+)
>
> diff --git a/consolekit.if b/consolekit.if
> index 5b830ec..e5cc843 100644
> --- a/consolekit.if
> +++ b/consolekit.if
> @@ -42,6 +42,29 @@ interface(`consolekit_dbus_chat',`
>
> ########################################
> ##
> +## Use consolekit inhibit locks.
> +##
> +## The program gets passed an FD to a fifo_file to hold.
> +## When the application is done with the lock, it closes the FD.
> +## Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`consolekit_use_inhibit_lock',`
> + gen_require(`
> + type consolekit_t, consolekit_var_run_t;
> + ')
> +
> + allow $1 consolekit_t:fd use;
> + allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;
> +')
> +
> +########################################
> +##
> ## Read consolekit log files.
> ##
> ##
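Review bot: consolekit_use_inhibit_lock only covers holding the inherited fifo fd; acquiring the lock in the first place goes over D-Bus (the Inhibit call on the inhibit API this interface cites is what hands back the fd), and that traffic is not granted here. Either call consolekit_dbus_chat($1) from inside the new interface, or state in the description that callers must also invoke consolekit_dbus_chat, so a client domain does not end up with `allow $1 consolekit_t:fd use;` and `rw_inherited_fifo_file_perms` but no way to request the lock. Using rw_inherited_fifo_file_perms rather than rw_fifo_file_perms is the right call, since the fd arrives already open and the caller should never need open on consolekit_var_run_t:fifo_file.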
> diff --git a/consolekit.te b/consolekit.te
> index ad7ea36..ea4db82 100644
> --- a/consolekit.te
> +++ b/consolekit.te
> @@ -40,6 +40,7 @@ logging_log_filetrans(consolekit_t, consolekit_log_t, file)
>
> manage_dirs_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
> manage_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
> +manage_fifo_files_pattern(consolekit_t, consolekit_var_run_t, consolekit_var_run_t)
> files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file })
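Review bot: manage_fifo_files_pattern is added, but the files_pid_filetrans on the next line still only covers `{ dir file }`, so a fifo created directly under the pid directory would be labeled with the default pid type rather than consolekit_var_run_t and the new rule would not apply to it. If the lock fifo lives inside a consolekit_var_run_t directory this is fine and a short comment saying so would help; otherwise change the transition to `files_pid_filetrans(consolekit_t, consolekit_var_run_t, { dir file fifo_file })`.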
Merged.
--
Chris PeBenito