question about .policy locations
Colin Walters
walters at verbum.org
Tue Jan 2 14:54:35 UTC 2018
On Fri, Dec 15, 2017, at 5:19 PM, Ruixin Bao wrote:
> Hello,
>
> I was wondering if it is possible to have a configuration set so that
> both /usr/share/polkit-1/actions/xx.policy and /usr/local/share/
> polkit-1/actions/xx.policy
> files can get recognized?
I'm not opposed to this...but I feel like trying to generalize this
is going to be an uphill battle. What things use /usr/local vs
things that only use /usr in the broader ecosystem is a mess.
@gscrivano suggested adding /etc which makes sense to me.
Bigger picture though for containers like these that are fully
trusted (in the sense that a malicious container can easily
gain CAP_SYS_ADMIN on the host), I think it's clearer if
we install into /usr - and we can support that for rpm-ostree
based systems just as well as traditional via something like
the "generate RPM" path.
More information about the polkit-devel
mailing list