On or about Wednesday 20 May 2009 at approximately 04:00:48 am bardo composed: > 2009/5/20 David C. Rankin, J.D.,P.E. <drankinatty@xxxxxxxxxxxxxxxxxx>: > > On or about Tuesday 19 May 2009 at approximately 03:33:03 bardo composed: > >> 2009/5/18 David C. Rankin, J.D.,P.E. <drankinatty@xxxxxxxxxxxxxxxxxx>: > >> > <match group="users"> > >> > <return result="yes"/> > >> > </match> > >> > >> I think this may be your problem. I searched some time ago and found > >> out PolicyKit didn't support group matches. A quick look to the > >> PolicyKit.conf(5) man page seems to confirm this is still the case. > >> Now, I don't know if an invalid entry could invalidate the whole > >> config, but it's worth a try. > >> > >> Corrado > > > > Corrado, > > > > You and I may be saying the same thing for two different circumstances. > > Admin_auth certainly allows both user and group auths for actions (man 5 > > PolicyKit.conf): > > > > define_admin_auth > > I wasn't saying you can't use "group" as an attribute for > "define_admin_auth", I was saying you can't use it as an attribute for > "match". So at least that rule won't work, I tried it before. Now, I > don't know how PolicyKit deals with wrong parameters, but in the worst > case it could treat the whole file as invalid, and that could be why > your *other* rules don't work. > > I hope I made myself clearer this time :) > > Corrado Yep, I'll give Policy kit another shot when I pop the archlinux drive back in. If Policy Kit is ignoring the whole file (which it shouldn't do, but seems like it is), then that should be logged somewhere. I have been through everything.log and messages.log, etc. and there isn't any message like that. If it isn't logging rejections, then we need to find a way to have it do so. It would sure make troubleshooting policy kit problems a whole lot easier. Thank you for your help.
