On Thu, 2007-11-01 at 11:22 -0800, Jeff Spaleta wrote: > On 11/1/07, David Zeuthen <david@xxxxxxxx> wrote: > > http://people.freedesktop.org/~david/polkit-gnome-authorizations.png > > > > but the UI is likely to change. > > > > Hope this helps. > > Is per device policy granting in the works? So that certain disks are > mountable but others aren't on a user by user basis? See the last two paragraphs of http://hal.freedesktop.org/docs/PolicyKit/model-theory-of-operation.html Basically the way it works right now is that Mechanisms split actions depending on type. Specifically for hal there's a "fixed" and "removable" split. For NM there will be "can-dial-to-trusted-number" and "can-dial-to-untrusted-number"; then the act of making something a trusted number is some other privileged operation (e.g. trusted numbers are the ones listed in a file in /etc, whatever, I don't know). FWIW, we might add functionality later (the API is extensible) such that PolicyKit can answer questions like "Is $PROCESS authorized to do $ACTION on $OBJECT on behalf of the user" (now it's "Is $PROCESS authorized to do $ACTION on behalf of the user") but right now this isn't there - mainly because there's a ton of problems in how to sanely describe an object (/dev/sda? /dev/disk/by-label ? phonenumber? etc.) and also how to build sane UI around this. Hope this helps. > -jef"Idle thought: How well does policy granting work with sabayon?"spaleta Someone just needs to do it. It's more interesting, however, to consider PolicyKit together with http://freeipa.org/page/Main_Page . As a matter of fact, I'm already working with the FreeIPA guys on this. David -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
