<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Concepts</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.75.2">
<link rel="home" href="index.html" title="PolicyKit Library Reference Manual">
<link rel="up" href="model.html" title="PolicyKit Model">
<link rel="prev" href="model.html" title="PolicyKit Model">
<link rel="next" href="model-theory-of-operation.html" title="Theory of Operation">
<meta name="generator" content="GTK-Doc V1.14 (XML mode)">
<link rel="stylesheet" href="style.css" type="text/css">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table class="navigation" id="top" width="100%" summary="Navigation header" cellpadding="2" cellspacing="2"><tr valign="middle">
<td><a accesskey="p" href="model.html"><img src="left.png" width="24" height="24" border="0" alt="Prev"></a></td>
<td><a accesskey="u" href="model.html"><img src="up.png" width="24" height="24" border="0" alt="Up"></a></td>
<td><a accesskey="h" href="index.html"><img src="home.png" width="24" height="24" border="0" alt="Home"></a></td>
<th width="100%" align="center">PolicyKit Library Reference Manual</th>
<td><a accesskey="n" href="model-theory-of-operation.html"><img src="right.png" width="24" height="24" border="0" alt="Next"></a></td>
</tr></table>
<div class="sect1" title="Concepts">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="model-concepts"></a>Concepts</h2></div></div></div>
<p>
Typically the entities that a Mechanism cares about can be split
into three groups:
</p>
<div class="itemizedlist"><ul class="itemizedlist" type="disc">
<li class="listitem"><p>
<span class="emphasis"><em>Subject</em></span>: the entity requesting the
Action; i.e. an unprivileged application. To make a
decision about whether to carry out the Action, the
Mechanism needs to know as much about the Subject as
possible, e.g. UNIX user id, UNIX process id, possible
security attributes (such as SELinux security context) and
other data such as if the Subject is a participant in a
local or remote desktop session, whether said desktop
session is currently active and so forth.
</p></li>
<li class="listitem"><p>
<span class="emphasis"><em>Object</em></span>: some canonical representation
of the thing the Action is performed on; some Objects represent tangible things such
as a UNIX device file, other Objects can be more abstract
and represent e.g. a network connection to a specific
destination, a reference to the power management
subsystem, a reference to a piece of software tracked by
the native package manager.
</p></li>
<li class="listitem"><p>
<span class="emphasis"><em>Action</em></span>: what the Subject is
attempting to do to the Object; this depends on the nature
of the Object and examples include mounting a block
device, formatting a block device with a file system,
establishing a dial-up connection to connect to private or
public networks, putting the system into a suspended
state, installing an unsigned piece of software, updating
the system with signed software, changing the timezone,
gaining access to a webcam and so forth.
</p></li>
</ul></div>
<p>
One way to think about a Mechanism is that the Mechanism is
split into an enforcer and a decider component. When an
application attempts to access the Mechanism, the enforcer
component will only carry out the Action if the decider
component (supplied with the appropriate input parameters about
the Subject, Object and Action) says it's OK.
</p>
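<p>
The enforcer/decider split described above, modeled in C as an added example (not code from the polkit project): <code>decide</code> maps the Subject's session state to an implicit authorization, borrowing the allow_any/allow_inactive/allow_active names from the defaults section of polkit action description files, and <code>enforce</code> performs the Action on the Object only when the answer is yes. The action ids and the policy table are constructed for illustration.
</p>

```c
#include <stdbool.h>
#include <string.h>
/* Implicit authorization the decider returns. The names mirror the
 * <defaults> entries (allow_any/allow_inactive/allow_active) of a polkit
 * action file; this is a simplified model, not polkit's own code. */
typedef enum { ALLOW_NO, ALLOW_AUTH_ADMIN, ALLOW_YES } Implicit;

/* What the Mechanism knows about the Subject (see the list above). */
typedef struct {
    unsigned uid, pid;
    bool local_session;   /* seated at a local console, not a remote login */
    bool session_active;  /* that session is the currently active one */
} Subject;

typedef struct {
    const char *action_id;
    Implicit allow_any, allow_inactive, allow_active;
} ActionPolicy;

/* Constructed sample policy table; the action ids are hypothetical. */
static const ActionPolicy POLICIES[] = {
    { "org.example.mount-removable", ALLOW_NO, ALLOW_AUTH_ADMIN, ALLOW_YES },
    { "org.example.format-device",   ALLOW_NO, ALLOW_NO,         ALLOW_AUTH_ADMIN },
};

/* Decider: picks the implicit authorization from the Subject's session state
 * (remote -> allow_any, local -> allow_active/allow_inactive); unknown
 * actions are denied, i.e. the decider fails closed. */
Implicit decide(const Subject *s, const char *action_id)
{
    for (size_t i = 0; i < sizeof POLICIES / sizeof POLICIES[0]; i++) {
        if (strcmp(POLICIES[i].action_id, action_id) != 0)
            continue;
        if (!s->local_session)
            return POLICIES[i].allow_any;
        return s->session_active ? POLICIES[i].allow_active
                                 : POLICIES[i].allow_inactive;
    }
    return ALLOW_NO;
}

/* Enforcer: the only code path that touches the Object, and it runs the
 * privileged work only when the decider answers yes. */
bool enforce(const Subject *s, const char *action_id, const char *object)
{
    if (decide(s, action_id) != ALLOW_YES)
        return false;          /* denied, or would need interactive auth */
    (void)object;              /* the real mount/format of `object` goes here */
    return true;
}
```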
</div>
<div class="footer">
<hr>
Generated by GTK-Doc V1.14</div>
</body>
</html>