On Thu, 28 Jan 2016, Lukas Slebodnik wrote:
On (26/01/16 11:10), Alexander Bokovoy wrote:
On Tue, 26 Jan 2016, Lukas Slebodnik wrote:
On (26/01/16 10:44), Alexander Bokovoy wrote:
On Tue, 26 Jan 2016, Sumit Bose wrote:
On Tue, Jan 26, 2016 at 09:09:06AM +0100, Lukas Slebodnik wrote:
On (25/01/16 18:40), Sumit Bose wrote:
On Mon, Jan 25, 2016 at 06:24:54PM +0100, Lukas Slebodnik wrote:
On (25/01/16 18:12), Sumit Bose wrote:
On Mon, Jan 25, 2016 at 03:35:03PM +0100, Lukas Slebodnik wrote:
ehlo,
we (Jakub, me) didn't catch this as part of review.
I tested on minimal machine. Later I saw conflict when I was testing
latest sssd with freeipa-server.
I think we can ignore unowned directory /usr/share/polkit-1/rules.d
or we can add dependecy (soft dependency on fedora) to polkit.
LS
I think you see the conflict because of different permissions and
ownerships of the directory:
polkit:
drwx------ 2 polkitd root 0 Jul 14 2015
/usr/share/polkit-1/rules.d
sssd-common:
drwxr-xr-x 2 root root 0 Jan 22 18:28
/usr/share/polkit-1/rules.d
so something like
-%dir %{_datadir}/polkit-1/rules.d
+%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
should (hopefully) resolve the conflict.
No :-(,
@see commit message.
ah, sorry for not reading carefully enough. It looks like the other
packages which put stuff in /usr/share/polkit-1/rules.d directly or
indirectly require polkit.
Should we depend on polkit as well?
no, because it is only needed if you want to do Smartcard authentication
and SSSD is not running as root.
Then I would suggest to put these files into a sub-package and make that
sub-package to depend on polkit.
Current situation is definitely a blocker as almost all interactive installs of
Fedora have polkit whether via xorg-x11-drv-intel or rolekit.
Additionally, all IPA clients will have polkit installed due to
ntp/chrony requiring timedatex which requires polkit.
It's not a problem in fedora ATM.
Because fedora is build with --disable-polkit-rules-path.
The question is what soudl be done if we install_pcscd_polkit_rule.
optional sub-package might be a good compromise.
Do you have an idea for name?
sssd-polkit-policies ?
Alexander has already WIP patch
https://github.com/abbra/sssd/commit/5dc6cf3af155c0a014be84aa944a4c7a4aa876ea
But he is busy with preparation for FOSDEM.
He will send patch later.
Patch attached. I've renamed the subpackage to sssd-polkit-rules as
discussed on IRC last week.
--
/ Alexander Bokovoy
From 2bffdd0142960dcf559c072c5d5a6784e8dacec0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 27 Jan 2016 09:48:39 +0200
Subject: [PATCH 7/7] Move polkit rules into sssd-polkit-rules subpackage
---
contrib/sssd.spec.in | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
diff --git a/contrib/sssd.spec.in b/contrib/sssd.spec.in
index 76066de..abaf287 100644
--- a/contrib/sssd.spec.in
+++ b/contrib/sssd.spec.in
@@ -518,6 +518,19 @@ Requires: sssd-common = %{version}-%{release}
Provides the D-Bus responder of the SSSD, called the InfoPipe, that allows
the information from the SSSD to be transmitted over the system bus.
+%if (0%{?install_pcscd_polkit_rule} == 1)
+%package polkit-rules
+Summary: Rules for polkit integration for SSSD
+Group: Applications/System
+License: GPLv3+
+Requires: polkit
+Requires: sssd-common = %{version}-%{release}
+
+%description polkit-rules
+Provides rules for polkit integration with SSSD. This is required
+for smartcard support.
+%endif
+
%package -n libsss_simpleifp
Summary: The SSSD D-Bus responder helper library
Group: Development/Libraries
@@ -711,12 +724,6 @@ rm -rf $RPM_BUILD_ROOT
%{_libexecdir}/%{servicename}/sssd_sudo
%{_libexecdir}/%{servicename}/p11_child
-%if (0%{?install_pcscd_polkit_rule} == 1)
-%dir %{_datadir}/polkit-1
-%dir %{_datadir}/polkit-1/rules.d
-%{_datadir}/polkit-1/rules.d/*
-%endif
-
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/libsss_simple.so
@@ -775,6 +782,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sssd.8*
%{_mandir}/man8/sss_cache.8*
+%if (0%{?install_pcscd_polkit_rule} == 1)
+%files polkit-rules
+%{_datadir}/polkit-1/rules.d/*
+%endif
+
%files ldap -f sssd_ldap.lang
%defattr(-,root,root,-)
%doc COPYING
--
2.5.0
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
