question about .policy locations

Colin Walters walters at verbum.org
Tue Jan 2 14:54:35 UTC 2018



On Fri, Dec 15, 2017, at 5:19 PM, Ruixin Bao wrote:
> Hello,
> 
> I was wondering if it is possible to have a configuration set so that 
> both /usr/share/polkit-1/actions/xx.policy and /usr/local/share/
> polkit-1/actions/xx.policy
> files can get recognized?

I'm not opposed to this...but I feel like trying to generalize this
is going to be an uphill battle.  What things use /usr/local vs
things that only use /usr in the broader ecosystem is a mess.

@gscrivano suggested adding /etc which makes sense to me.

Bigger picture though for containers like these that are fully
trusted (in the sense that a malicious container can easily
gain CAP_SYS_ADMIN on the host), I think it's clearer if
we install into /usr - and we can support that for rpm-ostree
based systems just as well as traditional via something like
the "generate RPM" path.


More information about the polkit-devel mailing list