[systemd-devel] Fwd: creating dynamic access control lists for a device: systemd and udev
Kay Sievers
kay at vrfy.org
Sun Mar 25 11:50:38 PDT 2012

On Sun, Mar 25, 2012 at 20:31, Ian Malone <ibmalone at gmail.com> wrote:
> Hi, I've posted this to the Fedora developers list, but maybe it's
> more appropriate here. Since writing it I've confirmed the uaccess TAG
> does what I expect, but I'm not sure having that set directly by the
> device rule would be approved in a package to include in Fedora.

Ideally nothing should directly 'execute the policy' by setting the
'uaccess' tag for systemd.

It should be indirectly set by using a variable that classifies a
certain device class which administrators might want to grant or not
grant access to logged-in users. Currently all variables recognized in
the uaccess rules file set the tag, but that could change in the
future, whenever some more fine-grained policy might be needed.

Current generic device classes are:
ID_CDROM
ID_SMARTCARD_READER
ID_FFADO
ID_PDA
ID_REMOTE_CONTROL
ID_MEDIA_PLAYER

Just invent some useful generic name for the type of device. :) And we
can add that to the uaccess rules.

Using the indirection over the device class is also potentially
compatible with the deprecated ConsoleKit/udev-acl tool, which is used
on non-systemd systems.

Thanks,
Kay
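
Added example, not part of the original message and not systemd or udev code: a small audit that reads udev rules text and reports rules which set the 'uaccess' tag themselves instead of keying it on a device-class variable, plus the class variables the rules assign. The sample rules are constructed; ID_EXAMPLE_CLASS and the vendor/product IDs are placeholders, and treating an `ENV{ID_*}==` match as "indirect" is an assumption of this sketch.

```python
import re

# Constructed sample rules. ID_EXAMPLE_CLASS and the vendor/product IDs are
# placeholders, not real values.
SAMPLE_RULES = r'''
# package rule that executes the policy itself
SUBSYSTEM=="usb", ATTR{idVendor}=="ffff", ATTR{idProduct}=="0001", TAG+="uaccess"
# package rule that only classifies the device
SUBSYSTEM=="usb", ATTR{idVendor}=="ffff", ATTR{idProduct}=="0002", \
  ENV{ID_EXAMPLE_CLASS}="1"
# central policy rules keyed on class variables
SUBSYSTEM=="block", ENV{ID_CDROM}=="1", TAG+="uaccess"
ENV{ID_EXAMPLE_CLASS}=="1", TAG+="uaccess"
'''

# key, operator, quoted value; longest operators first so "==" is not read as "="
TOKEN = re.compile(r'([A-Za-z_]+(?:\{[^}]*\})?)\s*(==|!=|\+=|-=|:=|=)\s*"([^"]*)"')

def logical_lines(text):
    """Yield (line_number, rule) with backslash continuations joined, comments skipped."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and (not line or line.startswith("#")):
            continue
        if not buf:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf = ""

def audit(text):
    """Return (direct, classes): rules tagging uaccess with no ID_* match, and class variables set."""
    direct, classes = [], set()
    for n, rule in logical_lines(text):
        toks = TOKEN.findall(rule)
        tags = any(k == "TAG" and op in ("=", "+=", ":=") and v == "uaccess" for k, op, v in toks)
        by_class = any(k.startswith("ENV{ID_") and op == "==" for k, op, v in toks)
        classes |= {k[4:-1] for k, op, v in toks if k.startswith("ENV{ID_") and op in ("=", "+=", ":=")}
        if tags and not by_class:
            direct.append(n)
    return direct, sorted(classes)

if __name__ == "__main__":
    direct, classes = audit(SAMPLE_RULES)
    print("rules setting uaccess directly, at lines:", direct)
    print("device classes assigned:", classes)
```

Run against a package's rules file before review, a non-empty first result points at rules that grant logged-in users access on their own rather than leaving that decision to the uaccess rules.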