On Thu, 2008-07-10 at 01:02 +0200, Karel Zak wrote:
> On Wed, Jul 09, 2008 at 03:23:36PM -0400, Bill Nottingham wrote:
> > We've carried both pam_console and HAL-based ACL support for a while
> > now. It's time to cut the cord and remove pam_console, so we only
> > have one way of setting device permissions to worry about.
>
> Right. I'd like to remove a support for Fedora/RHEL specific
> 'pamconsole' mount option from mount(8). Comments?

Should be fine with me - hasn't been used (except if users add it
themselves) since FC5.

David


--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, 9 Jul 2008, Bill Nottingham wrote:


libmtp (triad@df.lth.se)
/etc/security/console.perms.d/60-libmtp.perms
libnjb (triad@df.lth.se)
/etc/security/console.perms.d/60-libnjb.perms


I *tried* fixing these in the past but didn't get very far with it. If any
of you guys know exactly what needs to be done, please help. I sadly still
don't get it...


Linus

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

On Wed, 9 Jul 2008, Bill Nottingham wrote:


See /usr/share/hal/fdi/policy/10osvendor/00-thinkfinger.fdi for an
example of something that does access control.


I guess these two does the actual magic:

<merge key="access_control.file" type="copy_property">linux.device_file</merge>
<merge key="access_control.type" type="string">thinkfinger</merge>

But 20-acl-management already has:

<match key="info.capabilities" contains="portable_audio_player">
<append key="info.capabilities" type="strlist">access_control</append>
<merge key="access_control.type" type="string">audio-player</merge>
<merge key="access_control.file" type="copy_property">@info.parent:linux.device_fil e</merge>
</match>

and since libmtp and libnjb already has .fdi files that define them as
portable_audio_player it would thus be as simple as to remove the pam
console file altogether, since HAL already matches and fixes this.


..and it actually seems to work when I do that too, so problem solved I
believe.


Linus

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Bill,

I'm the maintainer for dfu-programmer. I've been trying to get the HAL
permissions to work & I can't figure out what I'm missing. Basically, I
need to be able to recognize a usb device is attached and permit the
console user to communicate with the usb dfu interface. I'm able to see
the device & the properties I added, but get permission denied when I
try to access the device. I'm a member of the uucp group (I don't like
this approach - I'd rather give the active user permissions, but I
couldn't figure that out either).


Any help will be greatly appreciated.

--Wes

What I thought worked for dfu-programmer, but apparently doesn't:
<?xml version="1.0" encoding="ISO-8859-1"?>
<deviceinfo version="0.2">
<device>

<!-- Grant access to program the DFU devices to uucp group. -->

<!-- Atmel -->
<match key="info.subsystem" contains="usb_device">
<match key="usb_device.vendor_id" int="0x03eb">
<!-- 0x2fff - at89c51snd1c, at89c5132 -->
<!-- 0x2ffd - at89c5130, at89c5131 -->
<!-- 0x2ffb - at90usb1287, at90usb1286, at90usb647, at90usb646 -->
<!-- 0x2ffa - at90usb162, at90usb82 -->
<match key="usb_device.product_id"
int_outof="0x2fff;0x2ffb;0x2ffb;0x2ffa">

<append key="info.capabilities" type="strlist">dfu-device</append>
<append key="access_control.grant_group"
type="strlist">uucp</append>

</match>
</match>
</match>

<match key="info.capabilities" contains="dfu-device">
<append key="info.capabilities" type="strlist">access_control</append>
<merge key="access_control.file"
type="copy_property">linux.device_file</merge>

<merge key="access_control.type" type="string">dfu-device</merge>
</match>
</device>
</deviceinfo>

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list

Cancel my request. I was able to figure out what was wrong. I placed
the file in the policy directory and it should have been place in the
information directory.


--Wes

Weston T. Schmidt wrote:

Bill,

I'm the maintainer for dfu-programmer. I've been trying to get the
HAL permissions to work & I can't figure out what I'm missing.
Basically, I need to be able to recognize a usb device is attached and
permit the console user to communicate with the usb dfu interface.
I'm able to see the device & the properties I added, but get
permission denied when I try to access the device. I'm a member of
the uucp group (I don't like this approach - I'd rather give the
active user permissions, but I couldn't figure that out either).


Any help will be greatly appreciated.

--Wes

What I thought worked for dfu-programmer, but apparently doesn't:
<?xml version="1.0" encoding="ISO-8859-1"?>
<deviceinfo version="0.2">
<device>

<!-- Grant access to program the DFU devices to uucp group. -->

<!-- Atmel -->
<match key="info.subsystem" contains="usb_device">
<match key="usb_device.vendor_id" int="0x03eb">
<!-- 0x2fff - at89c51snd1c, at89c5132 -->
<!-- 0x2ffd - at89c5130, at89c5131 -->
<!-- 0x2ffb - at90usb1287, at90usb1286, at90usb647, at90usb646 -->
<!-- 0x2ffa - at90usb162, at90usb82 -->
<match key="usb_device.product_id"
int_outof="0x2fff;0x2ffb;0x2ffb;0x2ffa">
<append key="info.capabilities"
type="strlist">dfu-device</append>
<append key="access_control.grant_group"
type="strlist">uucp</append>

</match>
</match>
</match>

<match key="info.capabilities" contains="dfu-device">
<append key="info.capabilities"
type="strlist">access_control</append>
<merge key="access_control.file"
type="copy_property">linux.device_file</merge>

<merge key="access_control.type" type="string">dfu-device</merge>
</match>
</device>
</deviceinfo>



--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list