On (26/01/16 11:10), Alexander Bokovoy wrote:
>On Tue, 26 Jan 2016, Lukas Slebodnik wrote:
>>On (26/01/16 10:44), Alexander Bokovoy wrote:
>>>On Tue, 26 Jan 2016, Sumit Bose wrote:
>>>>On Tue, Jan 26, 2016 at 09:09:06AM +0100, Lukas Slebodnik wrote:
>>>>>On (25/01/16 18:40), Sumit Bose wrote:
>>>>>>On Mon, Jan 25, 2016 at 06:24:54PM +0100, Lukas Slebodnik wrote:
>>>>>>>On (25/01/16 18:12), Sumit Bose wrote:
>>>>>>>>On Mon, Jan 25, 2016 at 03:35:03PM +0100, Lukas Slebodnik wrote:
>>>>>>>>> ehlo,
>>>>>>>>>
>>>>>>>>> we (Jakub, me) didn't catch this as part of review.
>>>>>>>>> I tested on minimal machine. Later I saw conflict when I was testing
>>>>>>>>> latest sssd with freeipa-server.
>>>>>>>>>
>>>>>>>>> I think we can ignore unowned directory /usr/share/polkit-1/rules.d
>>>>>>>>> or we can add dependency (soft dependency on fedora) to polkit.
>>>>>>>>>
>>>>>>>>> LS
>>>>>>>>
>>>>>>>>I think you see the conflict because of different permissions and
>>>>>>>>ownerships of the directory:
>>>>>>>>
>>>>>>>>polkit:
>>>>>>>>drwx------    2 polkitd root                        0 Jul 14  2015 /usr/share/polkit-1/rules.d
>>>>>>>>
>>>>>>>>sssd-common:
>>>>>>>>drwxr-xr-x    2 root    root                        0 Jan 22 18:28 /usr/share/polkit-1/rules.d
>>>>>>>>
>>>>>>>>so something like
>>>>>>>>
>>>>>>>>-%dir %{_datadir}/polkit-1/rules.d
>>>>>>>>+%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
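Review bot: the `%attr(0700,polkitd,root)` on the `+` line names the polkitd user, which is created by the polkit package, and nothing in this change makes sssd-common require polkit. On a system without polkit the owner cannot be resolved at install time, so either add the dependency or move the `%dir` entry into a package that requires polkit.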
>>>>>>>>
>>>>>>>>should (hopefully) resolve the conflict.
>>>>>>>>
>>>>>>>No :-(,
>>>>>>>@see commit message.
>>>>>>
>>>>>>ah, sorry for not reading carefully enough. It looks like the other
>>>>>>packages which put stuff in /usr/share/polkit-1/rules.d directly or
>>>>>>indirectly require polkit.
>>>>>Should we depend on polkit as well?
>>>>
>>>>no, because it is only needed if you want to do Smartcard authentication
>>>>and SSSD is not running as root.
>>>Then I would suggest to put these files into a sub-package and make that
>>>sub-package to depend on polkit.
>>>
>>>Current situation is definitely a blocker as almost all interactive installs of
>>>Fedora have polkit whether via xorg-x11-drv-intel or rolekit.
>>>Additionally, all IPA clients will have polkit installed due to
>>>ntp/chrony requiring timedatex which requires polkit.
>>>
>>It's not a problem in fedora ATM.
>>Because fedora is built with --disable-polkit-rules-path.
>>
>>The question is what should be done if we install_pcscd_polkit_rule.
>>optional sub-package might be a good compromise.
>>
>>Do you have an idea for name?
>sssd-polkit-policies ?
Alexander already has a WIP patch
https://github.com/abbra/sssd/commit/5dc6cf3af155c0a014be84aa944a4c7a4aa876ea

But he is busy with preparation for FOSDEM.
He will send the patch later.

LS