question about .policy locations

Ruixin Bao rubao at redhat.com
Fri Dec 15 22:19:56 UTC 2017


Hello,

I was wondering if it is possible to have a configuration set so that both /usr/share/polkit-1/actions/xx.policy and /usr/local/share/polkit-1/actions/xx.policy
files can get recognized? I am going to try to explain the use case of /usr/local/share/xxxxx/'s policies. However, I am not very familiar with policy kit,
so if I made mistakes in the email, feel free to correct me.

I have been working on atomic system containers[1], a way to run containers in production using read-only images. One of its main ideas is to let the host run the containerized services.
Recently, I tried to make firewalld a system container[2]. Firewalld interacts with dbus-daemon and policy kit. To make firewalld containerized, we need to find a way to interact with
the host via dbus-daemon and policy kit rules. Then, we decided to copy the policy kit related files from the container onto the host so they can be visible.

However, the OS that I am currently working with has a read-only /usr and therefore does not support copying any files into /usr/share. The only exception is for /usr/local related files.
Thus, I tried to copy policy files into /usr/local/share/, but that will sometimes make polkit not recognize the firewalld action. (e.g., Error: Action org.fedoraproject.FirewallD1.config is not registered)

I hope my explanation makes sense. Are there any suggestions for a workaround when policy files cannot be copied to /usr/share/polkit-1/actions?

[1] https://github.com/projectatomic/atomic-system-containers
[2] https://github.com/projectatomic/atomic-system-containers/pull/150

Thank you for your time.

