libhal-policy -> PolicyKit
Artem Kachitchkine
Artem.Kachitchkin at Sun.COM
Thu Mar 9 16:45:19 PST 2006
> 7. If successful, gnome-mount does Mount() again on HAL. This flows
> through HAL and eventually hal-storage-mount is invoked. This binary
> uses libpolkit in particular libpolkit_is_uid_allowed_for_policy()
Hmm, I think I can implement a subset of libpolkit on top of Solaris
authorizations:
int chkauthattr(const char *authname, const char *username);
The chkauthattr() function verifies whether or not a user
has a given authorization. It first reads the AUTHS_GRANTED
key in the /etc/security/policy.conf file and returns 1 if
it finds a match for the given authorization. If chkauthattr()
does not find a match, it reads the PROFS_GRANTED
key in /etc/security/policy.conf and returns 1 if the given
authorization is in any profiles specified with the
PROFS_GRANTED keyword. If a match is not found from the
default authorizations and default profiles, chkauthattr()
reads the user_attr(4) database. If it does not find a match
in user_attr, it reads the prof_attr(4) database, using the
list of profiles assigned to the user, and checks if any of
the profiles assigned to the user has the given authorization.
There are no "resources" per se, but they can be part of the auth name, e.g.:
solaris.admin.storage.removable.mount
for a disk with uuid 1234-ABCD:
solaris.admin.storage.removable.mount.uuid.1234-UUID
Unfortunately, there is no API for changing authorizations
programmatically yet, so I'm not sure how setPolicy() would be
implemented in the PolicyKit daemon.
One lesson here is not to try to hard-code policy names whenever
possible: just pass along the string returned by PermissionDeniedByPolicy.
-Artem.
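
Added example, not part of the original message and not HAL or PolicyKit code: a small C model of the lookup order in the quoted man page text, with the resource folded into the authorization name as the message suggests. The tables, `model_chkauthattr()` and `uid_allowed_for_policy()` are hypothetical, and the trailing-`*` wildcard rule is an assumption not stated in the excerpt; on Solaris the model would be replaced by a call to chkauthattr().

```c
#include <stdio.h>
#include <string.h>
/* Constructed sample data standing in for policy.conf, user_attr(4), prof_attr(4). */
struct entry { const char *name, *auths, *profs; };
static const char *AUTHS_GRANTED = "solaris.device.cdrw";
static const char *PROFS_GRANTED = "Basic Solaris User";
static const struct entry user_attr[] = {
    { "alice", "solaris.admin.storage.removable.mount.uuid.1234-ABCD", NULL },
    { "bob", NULL, "Removable Media" }, { NULL, NULL, NULL } };
static const struct entry prof_attr[] = {
    { "Basic Solaris User", "solaris.profmgr.read", NULL },
    { "Removable Media", "solaris.admin.storage.removable.mount.*", NULL },
    { NULL, NULL, NULL } };

static const struct entry *find(const struct entry *db, const char *name, size_t len) {
    for (; db->name; db++)
        if (strlen(db->name) == len && !strncmp(db->name, name, len)) return db;
    return NULL;
}
/* Exact match, or prefix match when the granted name ends in '*' (assumed rule). */
static int auth_matches(const char *granted, size_t len, const char *wanted) {
    if (len > 0 && granted[len - 1] == '*')
        return strncmp(granted, wanted, len - 1) == 0;
    return strlen(wanted) == len && strncmp(granted, wanted, len) == 0;
}
/* Walk a comma-separated list of authorizations, or of profiles to expand. */
static int grants(const char *list, int is_profiles, const char *wanted) {
    while (list && *list) {
        size_t len = strcspn(list, ",");
        const struct entry *p = is_profiles ? find(prof_attr, list, len) : NULL;
        if (is_profiles ? (p && grants(p->auths, 0, wanted))
                        : auth_matches(list, len, wanted))
            return 1;
        list += len + (list[len] == ',');
    }
    return 0;
}
/* Lookup order from the man page excerpt: defaults first, then the user's entries. */
int model_chkauthattr(const char *authname, const char *username) {
    const struct entry *u = find(user_attr, username, strlen(username));
    return grants(AUTHS_GRANTED, 0, authname) || grants(PROFS_GRANTED, 1, authname)
        || (u && (grants(u->auths, 0, authname) || grants(u->profs, 1, authname)));
}
/* Hypothetical shim: fold the resource (a volume uuid) into the authorization name. */
int uid_allowed_for_policy(const char *user, const char *policy, const char *uuid) {
    char auth[256];
    int n = uuid ? snprintf(auth, sizeof auth, "%s.uuid.%s", policy, uuid)
                 : snprintf(auth, sizeof auth, "%s", policy);
    return n > 0 && (size_t)n < sizeof auth && model_chkauthattr(auth, user); /* fail closed */
}
```

In this sample data alice is authorized only for the volume 1234-ABCD, while bob's profile covers every uuid but not the bare mount authorization. An over-long authorization name is refused rather than truncated, so a long resource string cannot collapse into a shorter name that happens to be granted.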