[systemd-devel] Fwd: creating dynamic access control lists for a device: systemd and udev

Kay Sievers kay at vrfy.org
Sun Mar 25 11:50:38 PDT 2012

On Sun, Mar 25, 2012 at 20:31, Ian Malone <ibmalone at gmail.com> wrote:
> Hi, I've posted this to the Fedora developers list, but maybe it's
> more appropriate here. Since writing it I've confirmed the uaccess TAG
> does what I expect, but I'm not sure having that set directly by the
> device rule would be approved in a package to include in Fedora.

Ideally nothing should directly 'execute the policy' by setting the
'uaccess' tag for systemd.

It should be indirectly set by using a variable that classifies a
certain device class which administrators might want to grant or not
grant access to logged-in users. Currently all variables recognized in
the uaccess rules file set the tag, but that could change in the
future, whenever some more fine-grained policy might be needed.

Current generic device classes are:

Just invent some useful generic name for the type of device. :) And we
can add that to the uaccess rules.

Using the indirection over the device class is also potentially
compatible with the deprecated ConsoleKit/udev-acl tool, which is used
on non-systemd systems.
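
The indirection described in the message above, as an added example that is not part of the original post and not taken from the systemd rules: the variable name `ID_EXAMPLE_DEVICE_CLASS`, the rules file name and the USB IDs are hypothetical placeholders. The device rule only classifies the device; the single line that grants access stays in the uaccess rules file, where it can be reviewed or changed in one place.

```udev
# --- /etc/udev/rules.d/69-example-device.rules (hypothetical file name) ---
# Constructed sample: 1234/abcd are placeholder USB IDs, not a real device.

# Direct form (what the message advises against): the package's own device
# rule executes the access policy by setting the tag itself.
# SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTR{idProduct}=="abcd", TAG+="uaccess"

# Indirect form: the device rule only states which class the device belongs to.
# ID_EXAMPLE_DEVICE_CLASS is a hypothetical class variable invented for this example.
SUBSYSTEM=="usb", ATTR{idVendor}=="1234", ATTR{idProduct}=="abcd", ENV{ID_EXAMPLE_DEVICE_CLASS}="1"

# --- uaccess rules file (policy, maintained in one place) ---
# Maps the class variable to the tag. An administrator who does not want
# logged-in users to reach this class removes or overrides this one line,
# and no device package has to change.
ENV{ID_EXAMPLE_DEVICE_CLASS}=="?*", TAG+="uaccess"

# Ordering: udev reads rules files in lexical order, so the file that sets
# the class variable must sort before the file that tests it.
#
# Checks after plugging the device in (device node path is a placeholder):
#   udevadm info --query=property --name=/dev/<node>   # class variable present?
#   getfacl /dev/<node>                                # ACL entry for the session user?
```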

