libhal-policy -> PolicyKit

Artem Kachitchkine Artem.Kachitchkin at Sun.COM
Thu Mar 9 16:45:19 PST 2006

>  7. If successful, gnome-mount does Mount() again on HAL. This flows
>     through HAL and eventually hal-storage-mount is invoked. This binary
>     uses libpolkit in particular libpolkit_is_uid_allowed_for_policy()

Hmm, I think I can implement a subset of libpolkit on top of Solaris 

      int chkauthattr(const char *authname, const char *username);

      The chkauthattr() function verifies whether or  not  a  user
      has  a given authorization. It first reads the AUTHS_GRANTED
      key in the /etc/security/policy.conf file and returns  1  if
      it  finds  a  match  for  the given authorization. If
      chkauthattr() does not find a match, it reads  the  PROFS_GRANTED
      key  in /etc/security/policy.conf and returns 1 if the given
      authorization  is  in  any  profiles  specified   with   the
      PROFS_GRANTED  keyword.  If  a  match  is not found from the
      default authorizations and default  profiles,  chkauthattr()
      reads the user_attr(4) database. If it does not find a match
      in  user_attr, it reads the prof_attr(4) database, using the
      list  of profiles assigned to the user, and checks if any of
      the profiles assigned to the user has the  given  authoriza-

There are no "resources" per se, but they can be part of the auth name, e.g.:

for a disk with uuid 1234-ABCD:

Unfortunately, there is no API for changing authorizations 
programmatically yet, so I'm not sure how setPolicy() would be 
implemented in PolicyKit daemon.

One lesson here is not to try to hard-code policy names whenever 
possible: just pass along the string returned by PermissionDeniedByPolicy.
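
Added example, not part of the original message and not HAL or PolicyKit code: a small Python model of the chkauthattr() lookup order quoted from the man page above, with a resource (the disk uuid) folded into the authorization name. The file contents, the `example.hal.*` authorization names, the profile names and `chkauthattr_model()` are all constructed for illustration, and matching here is plain exact string comparison.

```python
# Model of the chkauthattr() lookup order quoted above. All file contents
# are constructed samples; the authorization names are hypothetical.
POLICY_CONF = """\
AUTHS_GRANTED=example.hal.eject
PROFS_GRANTED=Basic Example User
"""
USER_ATTR = """\
alice::::auths=example.hal.mount.1234-ABCD;profiles=Removable Media
bob::::profiles=Removable Media
"""
PROF_ATTR = """\
Basic Example User:::Default profile:auths=example.hal.list
Removable Media:::Mount removable disks:auths=example.hal.mount.removable
"""

def _kv(pairs):
    """Turn an iterable of 'key=v1,v2' strings into {key: [v1, v2]}."""
    out = {}
    for pair in pairs:
        if "=" in pair and not pair.startswith("#"):
            key, _, val = pair.partition("=")
            out[key.strip()] = [v.strip() for v in val.split(",") if v.strip()]
    return out

def _db(text):
    """Map field 0 of each 5-field colon-separated row to its parsed attr field."""
    rows = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 5 and not line.startswith("#"):
            rows[f[0]] = _kv(f[4].split(";"))
    return rows

def chkauthattr_model(authname, username):
    """Return (1, source) for the first match in the documented order, else (0, None)."""
    conf = _kv(POLICY_CONF.splitlines())
    users, profs = _db(USER_ATTR), _db(PROF_ATTR)
    if authname in conf.get("AUTHS_GRANTED", []):         # default auths, any user
        return 1, "AUTHS_GRANTED"
    for p in conf.get("PROFS_GRANTED", []):               # default profiles, any user
        if authname in profs.get(p, {}).get("auths", []):
            return 1, "PROFS_GRANTED"
    user = users.get(username, {})
    if authname in user.get("auths", []):                 # auths assigned to the user
        return 1, "user_attr"
    for p in user.get("profiles", []):                    # profiles assigned to the user
        if authname in profs.get(p, {}).get("auths", []):
            return 1, "prof_attr"
    return 0, None
```

In this model the per-disk authorization is held only by alice, so bob is denied for that uuid even though his profile grants the generic removable-media authorization.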

