On (26/01/16 10:44), Alexander Bokovoy wrote:
>On Tue, 26 Jan 2016, Sumit Bose wrote:
>>On Tue, Jan 26, 2016 at 09:09:06AM +0100, Lukas Slebodnik wrote:
>>>On (25/01/16 18:40), Sumit Bose wrote:
>>>>On Mon, Jan 25, 2016 at 06:24:54PM +0100, Lukas Slebodnik wrote:
>>>>> On (25/01/16 18:12), Sumit Bose wrote:
>>>>> >On Mon, Jan 25, 2016 at 03:35:03PM +0100, Lukas Slebodnik wrote:
>>>>> >> ehlo,
>>>>> >>
>>>>> >> we (Jakub, me) didn't catch this as part of review.
>>>>> >> I tested on minimal machine. Later I saw conflict when I was testing
>>>>> >> latest sssd with freeipa-server.
>>>>> >>
>>>>> >> I think we can ignore unowned directory /usr/share/polkit-1/rules.d
>>>>> >> or we can add dependency (soft dependency on fedora) to polkit.
>>>>> >>
>>>>> >> LS
>>>>> >
>>>>> >I think you see the conflict because of different permissions and
>>>>> >ownerships of the directory:
>>>>> >
>>>>> >polkit:
>>>>> >drwx------ 2 polkitd root 0 Jul 14 2015
>>>>> >/usr/share/polkit-1/rules.d
>>>>> >
>>>>> >sssd-common:
>>>>> >drwxr-xr-x 2 root root 0 Jan 22 18:28
>>>>> >/usr/share/polkit-1/rules.d
>>>>> >
>>>>> >so something like
>>>>> >
>>>>> >-%dir %{_datadir}/polkit-1/rules.d
>>>>> >+%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
>>>>> >
>>>>> >should (hopefully) resolve the conflict.
>>>>> >
>>>>> No :-(,
>>>>> @see commit message.
>>>>
>>>>ah, sorry for not reading carefully enough. It looks like the other
>>>>packages which put stuff in /usr/share/polkit-1/rules.d directly or
>>>>indirectly require polkit.
>>>Should we depend on polkit as well?
>>
>>no, because it is only needed if you want to do Smartcard authentication
>>and SSSD is not running as root.
>Then I would suggest to put these files into a sub-package and make that
>sub-package to depend on polkit.
>
>Current situation is definitely a blocker as almost all interactive installs of
>Fedora have polkit whether via xorg-x11-drv-intel or rolekit.
>Additionally, all IPA clients will have polkit installed due to
>ntp/chrony requiring timedatex which requires polkit.
>
It's not a problem in fedora ATM. Because fedora is built with
--disable-polkit-rules-path.

The question is what should be done if we install_pcscd_polkit_rule.
optional sub-package might be a good compromise. Do you have an idea for name?

LS
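
Review bot: the quoted `+%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d` line assigns the directory to the `polkitd` user, but the replies establish that sssd does not require polkit, so nothing visible here guarantees that this owner exists when sssd-common is installed. This entry belongs next to a `Requires: polkit`, for instance in the optional sub-package proposed in the thread, or the `%dir` line should be dropped so that polkit stays the only package owning the directory and its 0700 mode.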