hal: Branch 'master'

David Zeuthen david at kemper.freedesktop.org
Fri Apr 6 14:04:20 PDT 2007 

 doc/spec/hal-spec-access-control.xml |   30 +++++++++++++++++------------
 doc/spec/hal-spec-properties.xml     |   36 +++++++++++++----------------------
 2 files changed, 32 insertions(+), 34 deletions(-)

New commits:
diff-tree b575b030b15cc7ee927a9d610fb63b79a2b4df46 (from 4e0855fb81b46155bb6895cb875f07ee343a5b93)
Author: David Zeuthen <davidz at redhat.com>
Date:   Fri Apr 6 17:04:07 2007 -0400

    clarify how access control now that our PolicyKit support works
    
    In particular, remove docs for the access_control.grant_local_session
    and access_control.grant_local_active_session as these are now
    obsolete.
    
    (very good thing that 0.5.9 marked them as experimental and subject to
    go the way of the Dodo at any point).

diff --git a/doc/spec/hal-spec-access-control.xml b/doc/spec/hal-spec-access-control.xml
index 57ec962..95006a8 100644
--- a/doc/spec/hal-spec-access-control.xml
+++ b/doc/spec/hal-spec-access-control.xml
@@ -19,12 +19,14 @@
     <title>Device Files</title>
     <para>
       If HAL is built with <literal>--enable-acl-management</literal>
-      (and also <literal>--enable-console-kit</literal>) then ACL's on
-      device objects with the
-      capability <literal>access_control</literal> are automatically
-      managed according to the properties defined in
+      (requires both <literal>--enable-console-kit</literal>
+      and <literal>--enable-policy-kit</literal>) then ACL's on device
+      objects with the capability <literal>access_control</literal>
+      are automatically managed according to the properties defined in
       <xref linkend="device-properties-access-control"/>. In addition,
       for this configuration, HAL ships with a device information file
+      (normally installed in
+      <literal>/usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi</literal>)
       that merges this capability on device objects that are normally
       accessed by unprivileged users through the device file. This
       includes e.g. sound cards, webcams and other devices but
@@ -32,11 +34,12 @@
       accessed by a user through mounting them into the file system.
     </para>
     <para>
-      Currently this HAL device information file specifies that all
-      local users (e.g. logged in at the system console) will gain
-      access to such devices. This hard coded policy is subject to
-      change in the future when the freedesktop.org PolicyKit project
-      will be an optional dependency of HAL.
+      HAL uses PolicyKit to decide what users should have access
+      according to PolicyKit configuration; see the PolicyKit
+      privilege definition
+      file <literal>/etc/PolicyKit/privileges/hal-device-file.priv</literal>
+      on a system with HAL installed for the default access suggested
+      by the HAL package and/or OS vendor.
     </para>
     <para>
       In addition, 3rd party packages can supply device information
@@ -65,9 +68,12 @@
     <para>
       If ConsoleKit support is enabled, access to D-Bus interfaces is
       currently hardcoded to only allow active users at the system
-      console. This hard coded policy is subject to change in the
-      future when the freedesktop.org PolicyKit project is will be an
-      optional dependency of HAL.
+      console. If PolicyKit support is enabled, the PolicyKit library
+      will be in charge of determining access; see the PolicyKit
+      privilege definition files
+      in <literal>/etc/PolicyKit/privileges</literal> on a system with
+      HAL installed for the default access suggested by the HAL
+      package and/or OS vendor.
     </para>
   </sect1>
 
diff --git a/doc/spec/hal-spec-properties.xml b/doc/spec/hal-spec-properties.xml
index c4101ef..481665a 100644
--- a/doc/spec/hal-spec-properties.xml
+++ b/doc/spec/hal-spec-properties.xml
@@ -6311,6 +6311,20 @@ org.freedesktop.Hal.Device.Volume.method
             </row>
             <row>
               <entry>
+                <literal>access_control.type</literal> (string)
+              </entry>
+              <entry>Example: cdrom</entry>
+              <entry>Yes</entry>
+              <entry>
+                Type of access - only makes sense when PolicyKit
+                support is enabled; it's used by PolicyKit to compute
+                what privilege to check for by
+                prepending <literal>hal-device-file-</literal> to the
+                value.
+              </entry>
+            </row>
+            <row>
+              <entry>
                 <literal>access_control.grant_user</literal> (strlist)
               </entry>
               <entry>Example: "gdm, flumotion"</entry>
@@ -6335,28 +6349,6 @@ org.freedesktop.Hal.Device.Volume.method
                 properly.
               </entry>
             </row>
-            <row>
-              <entry>
-                <literal>access_control.grant_local_session</literal> (bool)
-              </entry>
-              <entry></entry>
-              <entry>No</entry>
-              <entry>
-                If true, access to this device should be granted to local sessions.
-                (NOTE NOTE NOTE: this property is experimental and may disappear in the future).
-              </entry>
-            </row>
-            <row>
-              <entry>
-                <literal>access_control.grant_local_active_session</literal> (bool)
-              </entry>
-              <entry></entry>
-              <entry>No</entry>
-              <entry>
-                If true, access to this device should be granted to active local sessions.
-                (NOTE NOTE NOTE: this property is experimental and may disappear in the future).
-              </entry>
-            </row>
           </tbody>
         </tgroup>
       </informaltable>

More information about the hal-commit mailing list