On (26/01/16 10:44), Alexander Bokovoy wrote:
>On Tue, 26 Jan 2016, Sumit Bose wrote:
>>On Tue, Jan 26, 2016 at 09:09:06AM +0100, Lukas Slebodnik wrote:
>>>On (25/01/16 18:40), Sumit Bose wrote:
>>>>On Mon, Jan 25, 2016 at 06:24:54PM +0100, Lukas Slebodnik wrote:
>>>>> On (25/01/16 18:12), Sumit Bose wrote:
>>>>> >On Mon, Jan 25, 2016 at 03:35:03PM +0100, Lukas Slebodnik wrote:
>>>>> >> ehlo,
>>>>> >>
>>>>> >> we (Jakub, me) didn't catch this as part of review.
>>>>> >> I tested on minimal machine. Later I saw conflict when I was testing
>>>>> >> latest sssd with freeipa-server.
>>>>> >>
>>>>> >> I think we can ignore unowned directory /usr/share/polkit-1/rules.d
>>>>> >> or we can add dependecy (soft dependency on fedora) to polkit.
>>>>> >>
>>>>> >> LS
>>>>> >
>>>>> >I think you see the conflict because of different permissions and
>>>>> >ownerships of the directory:
>>>>> >
>>>>> >polkit:
>>>>> >drwx------ 2 polkitd root 0 Jul 14 2015
>>>>> >/usr/share/polkit-1/rules.d
>>>>> >
>>>>> >sssd-common:
>>>>> >drwxr-xr-x 2 root root 0 Jan 22 18:28
>>>>> >/usr/share/polkit-1/rules.d
>>>>> >
>>>>> >so something like
>>>>> >
>>>>> >-%dir %{_datadir}/polkit-1/rules.d
>>>>> >+%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
>>>>> >
>>>>> >should (hopefully) resolve the conflict.
>>>>> >
>>>>> No :-(,
>>>>> @see commit message.
>>>>
>>>>ah, sorry for not reading carefully enough. It looks like the other
>>>>packages which put stuff in /usr/share/polkit-1/rules.d directly or
>>>>indirectly require polkit.
>>>Should we depend on polkit as well?
>>
>>no, because it is only needed if you want to do Smartcard authentication
>>and SSSD is not running as root.
>Then I would suggest to put these files into a sub-package and make that
>sub-package to depend on polkit.
>
>Current situation is definitely a blocker as almost all interactive installs of
>Fedora have polkit whether via xorg-x11-drv-intel or rolekit.
>Additionally, all IPA clients will have polkit installed due to
>ntp/chrony requiring timedatex which requires polkit.
>
It's not a problem in fedora ATM.
Because fedora is build with --disable-polkit-rules-path.
The question is what soudl be done if we install_pcscd_polkit_rule.
optional sub-package might be a good compromise.
Do you have an idea for name?
LS
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
