libhal-policy -> PolicyKit
David Zeuthen
david at fubar.dk
Thu Mar 9 17:02:27 PST 2006
On Thu, 2006-03-09 at 16:45 -0800, Artem Kachitchkine wrote:
> > 7. If successful, gnome-mount does Mount() again on HAL. This flows
> > through HAL and eventually hal-storage-mount is invoked. This binary
> > uses libpolkit in particular libpolkit_is_uid_allowed_for_policy()
>
> Hmm, I think I can implement a subset of libpolkit on top of Solaris
> authorizations:
Ok, this is to ensure that libpolkit don't circumvent system policy
proprietary to the operating system, yes? [1]
Fortunately, AFAICT, Linux (and operating systems based on Linux) don't
have all this yet. But I think PolicyKit fits the bill at least for
desktop use. Time will tell if this is true. Maybe it might have use
outside the desktop too. I'm less sure of that though.
> Unfortunately, there is no API for changing authorizations
> programmatically yet, so I'm not sure how setPolicy() would be
> implemented in PolicyKit daemon.
Right.
> One lesson here is not to try to hard-code policy names whenever
> possible: just pass along the string returned by PermissionDeniedByPolicy.
Actually just the first word of the string is what you want as we now
use the convention
"$POLICY refused uid $HAL_METHOD_INVOKED_BY_UID"
This is the best compromise I think.
Cheers,
David
[1] : That is interesting, we kinda do the same for Mount(), e.g. refuse
to mount if the device is listed in the /etc/fstab
More information about the hal
mailing list