hal: Branch 'master'
David Zeuthen
david at kemper.freedesktop.org
Fri Apr 6 14:04:20 PDT 2007
doc/spec/hal-spec-access-control.xml | 30 +++++++++++++++++------------
doc/spec/hal-spec-properties.xml | 36 +++++++++++++----------------------
2 files changed, 32 insertions(+), 34 deletions(-)
New commits:
diff-tree b575b030b15cc7ee927a9d610fb63b79a2b4df46 (from 4e0855fb81b46155bb6895cb875f07ee343a5b93)
Author: David Zeuthen <davidz at redhat.com>
Date: Fri Apr 6 17:04:07 2007 -0400
clarify how access control now that our PolicyKit support works
In particular, remove docs for the access_control.grant_local_session
and access_control.grant_local_active_session as these are now
obsolete.
(very good thing that 0.5.9 marked them as experimental and subject to
go the way of the Dodo at any point).
diff --git a/doc/spec/hal-spec-access-control.xml b/doc/spec/hal-spec-access-control.xml
index 57ec962..95006a8 100644
--- a/doc/spec/hal-spec-access-control.xml
+++ b/doc/spec/hal-spec-access-control.xml
@@ -19,12 +19,14 @@
<title>Device Files</title>
<para>
If HAL is built with <literal>--enable-acl-management</literal>
- (and also <literal>--enable-console-kit</literal>) then ACL's on
- device objects with the
- capability <literal>access_control</literal> are automatically
- managed according to the properties defined in
+ (requires both <literal>--enable-console-kit</literal>
+ and <literal>--enable-policy-kit</literal>) then ACL's on device
+ objects with the capability <literal>access_control</literal>
+ are automatically managed according to the properties defined in
<xref linkend="device-properties-access-control"/>. In addition,
for this configuration, HAL ships with a device information file
+ (normally installed in
+ <literal>/usr/share/hal/fdi/policy/10osvendor/20-acl-management.fdi</literal>)
that merges this capability on device objects that are normally
accessed by unprivileged users through the device file. This
includes e.g. sound cards, webcams and other devices but
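Review bot: the new parenthetical "(requires both --enable-console-kit and --enable-policy-kit)" in the first sentence does not say what happens when --enable-acl-management is given without those two options. State whether the build fails or ACL management is left out, so a reader can tell whether device-file ACLs are actually being managed on their build. Minor: "ACL's" should read "ACLs".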
@@ -32,11 +34,12 @@
accessed by a user through mounting them into the file system.
</para>
<para>
- Currently this HAL device information file specifies that all
- local users (e.g. logged in at the system console) will gain
- access to such devices. This hard coded policy is subject to
- change in the future when the freedesktop.org PolicyKit project
- will be an optional dependency of HAL.
+ HAL uses PolicyKit to decide what users should have access
+ according to PolicyKit configuration; see the PolicyKit
+ privilege definition
+ file <literal>/etc/PolicyKit/privileges/hal-device-file.priv</literal>
+ on a system with HAL installed for the default access suggested
+ by the HAL package and/or OS vendor.
</para>
<para>
In addition, 3rd party packages can supply device information
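Review bot: the rewritten paragraph no longer states any default access policy. The removed text said that all local users gain access, while the replacement only points at /etc/PolicyKit/privileges/hal-device-file.priv "on a system with HAL installed". Summarise the suggested default in the spec itself so the access model can be reviewed without an installed system. The wording "decide what users should have access according to PolicyKit configuration" also names PolicyKit twice in one clause; "PolicyKit configuration decides which users get access" would read more clearly.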
@@ -65,9 +68,12 @@
<para>
If ConsoleKit support is enabled, access to D-Bus interfaces is
currently hardcoded to only allow active users at the system
- console. This hard coded policy is subject to change in the
- future when the freedesktop.org PolicyKit project is will be an
- optional dependency of HAL.
+ console. If PolicyKit support is enabled, the PolicyKit library
+ will be in charge of determining access; see the PolicyKit
+ privilege definition files
+ in <literal>/etc/PolicyKit/privileges</literal> on a system with
+ HAL installed for the default access suggested by the HAL
+ package and/or OS vendor.
</para>
</sect1>
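Review bot: the two conditions in this paragraph are not mutually exclusive, and the text does not say which one wins. It still reads "If ConsoleKit support is enabled, access to D-Bus interfaces is currently hardcoded to only allow active users at the system console" and then adds "If PolicyKit support is enabled, the PolicyKit library will be in charge of determining access". Say explicitly what applies when both are enabled, for example that the hardcoded active-console rule is only used when PolicyKit support is absent, if that is the intended behaviour.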
diff --git a/doc/spec/hal-spec-properties.xml b/doc/spec/hal-spec-properties.xml
index c4101ef..481665a 100644
--- a/doc/spec/hal-spec-properties.xml
+++ b/doc/spec/hal-spec-properties.xml
@@ -6311,6 +6311,20 @@ org.freedesktop.Hal.Device.Volume.method
</row>
<row>
<entry>
+ <literal>access_control.type</literal> (string)
+ </entry>
+ <entry>Example: cdrom</entry>
+ <entry>Yes</entry>
+ <entry>
+ Type of access - only makes sense when PolicyKit
+ support is enabled; it's used by PolicyKit to compute
+ what privilege to check for by
+ prepending <literal>hal-device-file-</literal> to the
+ value.
+ </entry>
+ </row>
+ <row>
+ <entry>
<literal>access_control.grant_user</literal> (strlist)
</entry>
<entry>Example: "gdm, flumotion"</entry>
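Review bot: the description of access_control.type gives the example value cdrom but never spells out the privilege name that results from prepending hal-device-file-. Add the full example (hal-device-file-cdrom) and say what access results when no privilege of that name is defined. The "Yes" in the third column also sits oddly next to "only makes sense when PolicyKit support is enabled"; clarify whether the property is expected on builds without PolicyKit support.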
@@ -6335,28 +6349,6 @@ org.freedesktop.Hal.Device.Volume.method
properly.
</entry>
</row>
- <row>
- <entry>
- <literal>access_control.grant_local_session</literal> (bool)
- </entry>
- <entry></entry>
- <entry>No</entry>
- <entry>
- If true, access to this device should be granted to local sessions.
- (NOTE NOTE NOTE: this property is experimental and may disappear in the future).
- </entry>
- </row>
- <row>
- <entry>
- <literal>access_control.grant_local_active_session</literal> (bool)
- </entry>
- <entry></entry>
- <entry>No</entry>
- <entry>
- If true, access to this device should be granted to active local sessions.
- (NOTE NOTE NOTE: this property is experimental and may disappear in the future).
- </entry>
- </row>
</tbody>
</tgroup>
</informaltable>
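Review bot: the rows for access_control.grant_local_session and access_control.grant_local_active_session are deleted without leaving any trace in the table, so an author of a third-party device information file that still sets them has nothing telling them the properties no longer grant access. Consider keeping a one-line entry or a note under the table that marks both as obsolete, says whether they are now ignored, and points to access_control.type as the replacement mechanism.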