On (26/01/16 11:10), Alexander Bokovoy wrote: >On Tue, 26 Jan 2016, Lukas Slebodnik wrote: >>On (26/01/16 10:44), Alexander Bokovoy wrote: >>>On Tue, 26 Jan 2016, Sumit Bose wrote: >>>>On Tue, Jan 26, 2016 at 09:09:06AM +0100, Lukas Slebodnik wrote: >>>>>On (25/01/16 18:40), Sumit Bose wrote: >>>>>>On Mon, Jan 25, 2016 at 06:24:54PM +0100, Lukas Slebodnik wrote: >>>>>>>On (25/01/16 18:12), Sumit Bose wrote: >>>>>>>>On Mon, Jan 25, 2016 at 03:35:03PM +0100, Lukas Slebodnik wrote: >>>>>>>>> ehlo, >>>>>>>>> >>>>>>>>> we (Jakub, me) didn't catch this as part of review. >>>>>>>>> I tested on minimal machine. Later I saw conflict when I was testing >>>>>>>>> latest sssd with freeipa-server. >>>>>>>>> >>>>>>>>> I think we can ignore unowned directory /usr/share/polkit-1/rules.d >>>>>>>>> or we can add dependecy (soft dependency on fedora) to polkit. >>>>>>>>> >>>>>>>>> LS >>>>>>>> >>>>>>>>I think you see the conflict because of different permissions and >>>>>>>>ownerships of the directory: >>>>>>>> >>>>>>>>polkit: >>>>>>>>drwx------ 2 polkitd root 0 Jul 14 2015 >>>>>>>>/usr/share/polkit-1/rules.d >>>>>>>> >>>>>>>>sssd-common: >>>>>>>>drwxr-xr-x 2 root root 0 Jan 22 18:28 >>>>>>>>/usr/share/polkit-1/rules.d >>>>>>>> >>>>>>>>so something like >>>>>>>> >>>>>>>>-%dir %{_datadir}/polkit-1/rules.d >>>>>>>>+%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d >>>>>>>> >>>>>>>>should (hopefully) resolve the conflict. >>>>>>>> >>>>>>>No :-(, >>>>>>>@see commit message. >>>>>> >>>>>>ah, sorry for not reading carefully enough. It looks like the other >>>>>>packages which put stuff in /usr/share/polkit-1/rules.d directly or >>>>>>indirectly require polkit. >>>>>Should we depend on polkit as well? >>>> >>>>no, because it is only needed if you want to do Smartcard authentication >>>>and SSSD is not running as root. >>>Then I would suggest to put these files into a sub-package and make that >>>sub-package to depend on polkit. >>> >>>Current situation is definitely a blocker as almost all interactive installs >>>of >>>Fedora have polkit whether via xorg-x11-drv-intel or rolekit. >>>Additionally, all IPA clients will have polkit installed due to >>>ntp/chrony requiring timedatex which requires polkit. >>> >>It's not a problem in fedora ATM. >>Because fedora is build with --disable-polkit-rules-path. >> >>The question is what soudl be done if we install_pcscd_polkit_rule. >>optional sub-package might be a good compromise. >> >>Do you have an idea for name? >sssd-polkit-policies ? Alexander has already WIP patch https://github.com/abbra/sssd/commit/5dc6cf3af155c0a014be84aa944a4c7a4aa876ea
But he is busy with preparation for FOSDEM. He will send patch later. LS _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org