author | Jason Zaman <jason@perfinion.com> | 2017-06-04 23:23:48 +0800 |
---|---|---|
committer | Jason Zaman <jason@perfinion.com> | 2017-06-06 01:16:18 +0800 |
commit | 2873694ba1cc11acf324afb6778b947452d060ec | |
tree | 3cb8b784dc1091de85926b239ab57191ba35ceb9 | |
parent | consolekit: allow purging tmp | |
consolekit: introduce consolekit_use_inhibit_lock interface
Applications hold FDs while they hold the lock.
Implements this API:
https://www.freedesktop.org/wiki/Software/systemd/inhibit/
-rw-r--r-- | policy/modules/contrib/consolekit.if | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/policy/modules/contrib/consolekit.if b/policy/modules/contrib/consolekit.if index 5b830ec9..e5cc8434 100644 --- a/policy/modules/contrib/consolekit.if +++ b/policy/modules/contrib/consolekit.if @@ -42,6 +42,29 @@ interface(`consolekit_dbus_chat',` ######################################## ## <summary> +## Use consolekit inhibit locks. +## +## The program gets passed an FD to a fifo_file to hold. +## When the application is done with the lock, it closes the FD. +## Implements this API: https://www.freedesktop.org/wiki/Software/systemd/inhibit/ +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`consolekit_use_inhibit_lock',` + gen_require(` + type consolekit_t, consolekit_var_run_t; + ') + + allow $1 consolekit_t:fd use; + allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms; +') + +######################################## +## <summary> ## Read consolekit log files. ## </summary> ## <param name="domain"> |
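Review bot: in `consolekit_use_inhibit_lock`, the rule `allow $1 consolekit_var_run_t:fifo_file rw_inherited_fifo_file_perms;` grants both read and write on the inherited FIFO, while the interface comment says the program only holds the FD and closes it when it is done with the lock. If the caller only ever receives one end of the pipe, consider granting just the permissions that end needs, or say in the comment why both directions are required. Separately, the `<summary>` element carries the whole multi-line description; keeping `<summary>` to the first line and moving the rest, including the API link, into a `<desc>` element would keep the generated interface documentation readable. It would also help to state there whether callers are expected to pair this interface with `consolekit_dbus_chat`, since nothing in this hunk covers how the lock is requested.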