Bug 305801
| Summary: | dynamic ACL issues | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jesse Keating <jkeating> |
| Component: | ConsoleKit | Assignee: | Julian Sikorski <belegdol> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Priority: | low |
| Version: | rawhide | CC: | davidz, dcantrell, lpoetter, mikeb, tmraz |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2007-09-28 19:17:42 UTC |
| Bug Blocks: | 246107, 257221 | | |

Description
Jesse Keating
2007-09-25 18:28:52 UTC
This bug is caused by thinkfinger; it erroneously merges the access_control capability (from a fdi file provided by this package), the access_control.file property but doesn't set the property access_control.type. Anyway, this means the entry is invalid and as a result hal-acl-tool craps out and aborts changing any properties. This is not optimal so I've fixed hal-acl-tool to cope with this

http://gitweb.freedesktop.org/?p=hal.git;a=commit;h=66cb813715538818770df7685ab2be4d85d75a07

Either way, as described above the bug is in thinkfinger. When removing the fdi file provided by thinkfinger, Jesse's system started working as intended.

The .fdi file wasn't created by me, CCing the author. access_control.type isn't necessary on F7 hal, right? What should the value be on F8? This is for the fingerprint reader USB device.

While we're at it, where should the .fdi file go? Is it ok to drop it into /usr/share/hal/fdi/policy/10osvendor/ ?

You need to provide both a .fdi file and a .policy file like the ones pasted below. The fdi file should go in /usr/share/hal/fdi/policy/10osvendor/ and start with 00-. For both files, change my-random-device to e.g. thinkfinger and update the match criteria (e.g. the USB IDs) for the device accordingly.

System administrators can now lock down access via the PolicyKit action org.freedesktop.hal.device-access.my-random-device (or what you ended up calling it) to only the users he wants using the /etc/PolicyKit/PolicyKit.conf. The defaults are in the .policy file and are currently set to only grant access to active console users. That's probably what you want.

Hope this helps.

```
[root@oneill ~]# cat /usr/share/hal/fdi/policy/10osvendor/00-acl-for-my-random-device.fdi
<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <!-- grant access to a random device -->
    <match key="usb_device.vendor_id" int="0x46d">
      <match key="usb_device.product_id" int="0xc505">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.file" type="copy_property">linux.device_file</merge>
        <merge key="access_control.type" type="string">my-random-device</merge>
      </match>
    </match>
  </device>
</deviceinfo>
```

```
[root@oneill ~]# cat /usr/share/PolicyKit/policy/my-random-device.policy
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <action id="org.freedesktop.hal.device-access.my-random-device">
    <description>Directly access My Random Device</description>
    <message>System policy prevents access to My Random Device</message>
    <defaults>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
```

(changing Summary to something more accurate)

I've created a new build for F8 that fixes the .fdi file and adds the PolicyKit policy provided by davidz. Could someone running F8 with fingerprint reader hardware test these packages? With the latest selinux-policy installed, and the requisite line in /etc/pam.d/system-auth, these packages should work OOTB.

http://koji.fedoraproject.org/koji/buildinfo?buildID=19705

Let me know how these work, I'd really like to get them into test3.

I've also created new packages for F7 that fix the location of the .fdi file. These work for me with the latest selinux-policy (selinux-policy-2.6.4-45.fc7). Unless there are any issues with them, I'm going to push them as an F7 update once selinux-policy gets pushed.

http://koji.fedoraproject.org/koji/buildinfo?buildID=19698

Thanks!

The f8 build fixes it for me, I can now use my reader from the screensaver. Nice work!
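
A packaging-time lint for the failure described in this report (a .fdi entry that appends the access_control capability and sets access_control.file but not access_control.type), added here as an illustration and not code from hal or thinkfinger. The name `check_fdi`, the sample USB IDs and the rule that both properties must be present are assumptions drawn from the report; hal-acl-tool's own validation is not shown on this page.

```python
import xml.etree.ElementTree as ET

# Assumption from the report: both properties must accompany the capability.
REQUIRED = {"access_control.file", "access_control.type"}

# Constructed sample (made-up USB IDs): capability and file are set, type is not.
BROKEN_FDI = """<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <match key="usb_device.vendor_id" int="0x1234">
      <match key="usb_device.product_id" int="0x5678">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.file" type="copy_property">linux.device_file</merge>
      </match>
    </match>
  </device>
</deviceinfo>"""

# Constructed sample: the same entry with access_control.type added.
FIXED_FDI = BROKEN_FDI.replace(
    "</merge>",
    '</merge>\n        <merge key="access_control.type" type="string">my-random-device</merge>',
    1)

def check_fdi(xml_text):
    """Return (match_path, missing_keys) for every scope that appends the
    access_control capability without setting each REQUIRED property."""
    findings = []

    def walk(node, path, inherited):
        # Properties merged here, plus those merged by enclosing <match> scopes.
        keys = inherited | {c.get("key") for c in node if c.tag == "merge"}
        adds_cap = any(
            c.tag == "append" and c.get("key") == "info.capabilities"
            and (c.text or "").strip() == "access_control"
            for c in node)
        if adds_cap and REQUIRED - keys:
            findings.append((path, sorted(REQUIRED - keys)))
        for c in node:
            if c.tag == "match":
                val = c.get("int") or c.get("string") or ""
                walk(c, f"{path}/{c.get('key')}={val}", keys)

    for device in ET.fromstring(xml_text.encode("utf-8")).iter("device"):
        walk(device, "device", frozenset())
    return findings

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_FDI), ("fixed", FIXED_FDI)):
        print(name, check_fdi(text) or "ok")
```

Running a check like this over every file a package installs under /usr/share/hal/fdi/policy/ would flag the incomplete entry before it ships.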