Accepting request 997456 from home:luc14n0:branches:Base:System

Update to 121 stable release. OBS-URL: https://build.opensuse.org/request/show/997456 OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=176
2022-08-17 11:30:42 +00:00 · 2022-08-17 11:30:42 +00:00 · 84c1181306
commit 84c1181306
parent 4f1639eb8f
13 changed files with 175 additions and 3738 deletions
--- a/0001-CVE-2021-4115-GHSL-2021-077-fix.patch
+++ b/0001-CVE-2021-4115-GHSL-2021-077-fix.patch
@ -1,83 +0,0 @@
 From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001
 From: Jan Rybar <jrybar@redhat.com>
 Date: Mon, 21 Feb 2022 08:29:05 +0000
 Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix
 ---
 src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++----
 1 file changed, 34 insertions(+), 4 deletions(-)
 diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
 index 8ed1363..2fbf5f1 100644
 --- a/src/polkit/polkitsystembusname.c
 +++ b/src/polkit/polkitsystembusname.c
@@ -62,6 +62,10 @@ enum
   PROP_NAME,
 };
 +
 +guint8 dbus_call_respond_fails;      // has to be global because of callback
 +
 +
 static void subject_iface_init (PolkitSubjectIface *subject_iface);
 G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject              *src,
   if (!v)
     {
       data->caught_error = TRUE;
 +      dbus_call_respond_fails += 1;
     }
   else
     {
@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
   tmp_context = g_main_context_new ();
   g_main_context_push_thread_default (tmp_context);
 +  dbus_call_respond_fails = 0;
 +
   /* Do two async calls as it's basically as fast as one sync call.
    */
   g_dbus_connection_call (connection,
@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName           *system_bus
 			  on_retrieved_unix_uid_pid,
 			  &data);
 -  while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
 -    g_main_context_iteration (tmp_context, TRUE);
 +  while (TRUE)
 +  {
 +    /* If one dbus call returns error, we must wait until the other call
 +     * calls _call_finish(), otherwise fd leak is possible.
 +     * Resolves: GHSL-2021-077
 +    */
 -  if (data.caught_error)
 -    goto out;
 +    if ( (dbus_call_respond_fails > 1) )
 +    {
 +      // we got two faults, we can leave
 +      goto out;
 +    }
 +
 +    if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
 +    {
 +      // we got one fault and the other call finally finished, we can leave
 +      goto out;
 +    }
 +
 +    if ( !(data.retrieved_uid && data.retrieved_pid) )
 +    {
 +      g_main_context_iteration (tmp_context, TRUE);
 +    }
 +    else
 +    {
 +      break;
 +    }
 +  }
   if (out_uid)
     *out_uid = data.uid;
 -- 
 2.26.2
--- a/CVE-2021-4034-pkexec-fix.patch
+++ b/CVE-2021-4034-pkexec-fix.patch
@ -1,65 +0,0 @@
 --- a/src/programs/pkcheck.c	
 +++ a/src/programs/pkcheck.c	
@@ -363,6 +363,12 @@ main (int argc, char *argv[])
   local_agent_handle = NULL;
   ret = 126;
 +  if (argc < 1)
 +    {
 +      help();
 +      exit(1);
 +    }
 +
   /* Disable remote file access from GIO. */
   setenv ("GIO_USE_VFS", "local", 1);
 --- a/src/programs/pkexec.c	
 +++ a/src/programs/pkexec.c	
@@ -488,6 +488,17 @@ main (int argc, char *argv[])
   pid_t pid_of_caller;
   gpointer local_agent_handle;
 +
 +  /*
 +   * If 'pkexec' is called wrong, just show help and bail out.
 +   */
 +  if (argc<1)
 +    {
 +      clearenv();
 +      usage(argc, argv);
 +      exit(1);
 +    }
 +
   ret = 127;
   authority = NULL;
   subject = NULL;
@@ -614,10 +625,10 @@ main (int argc, char *argv[])
       path = g_strdup (pwstruct.pw_shell);
       if (!path)
 -	{
 +        {
           g_printerr ("No shell configured or error retrieving pw_shell\n");
           goto out;
 -	}
 +        }
       /* If you change this, be sure to change the if (!command_line)
 	 case below too */
       command_line = g_strdup (path);
@@ -636,7 +647,15 @@ main (int argc, char *argv[])
           goto out;
         }
       g_free (path);
 -      argv[n] = path = s;
 +      path = s;
 +
 +      /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
 +       * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
 +       */
 +      if (argv[n] != NULL)
 +      {
 +        argv[n] = path;
 +      }
     }
   if (access (path, F_OK) != 0)
     {
--- a/duktape-support.patch
+++ b/duktape-support.patch
--- a/pkexec.patch
+++ b/pkexec.patch
@ -1,68 +0,0 @@
 From: Andreas Schwab <schwab@suse.de>
 Subject: pkexec: allow --version and --help even if not setuid
 Don't check for setuid invocation until after parsing command line, to allow
 running uninstalled pkexec with --help or --version.  This also helps
 building packages that want to check for pkexec in an emulated environment
 that does not support setuid invocation (eg. QEMU linux-user).
 Index: polkit-0.116/src/programs/pkexec.c
 ===================================================================
 --- polkit-0.116.orig/src/programs/pkexec.c	2018-05-31 13:52:53.000000000 +0200
 +++ polkit-0.116/src/programs/pkexec.c	2019-05-31 22:55:58.014504104 +0200
@@ -504,27 +504,6 @@ main (int argc, char *argv[])
   /* Disable remote file access from GIO. */
   setenv ("GIO_USE_VFS", "local", 1);
 -  /* check for correct invocation */
 -  if (geteuid () != 0)
 -    {
 -      g_printerr ("pkexec must be setuid root\n");
 -      goto out;
 -    }
 -
 -  original_user_name = g_strdup (g_get_user_name ());
 -  if (original_user_name == NULL)
 -    {
 -      g_printerr ("Error getting user name.\n");
 -      goto out;
 -    }
 -
 -  if ((original_cwd = g_get_current_dir ()) == NULL)
 -    {
 -      g_printerr ("Error getting cwd: %s\n",
 -                  g_strerror (errno));
 -      goto out;
 -    }
 -
   /* First process options and find the command-line to invoke. Avoid using fancy library routines
    * that depend on environtment variables since we haven't cleared the environment just yet.
    */
@@ -580,6 +559,27 @@ main (int argc, char *argv[])
       goto out;
     }
 +  /* check for correct invocation */
 +  if (geteuid () != 0)
 +    {
 +      g_printerr ("pkexec must be setuid root\n");
 +      goto out;
 +    }
 +
 +  original_user_name = g_strdup (g_get_user_name ());
 +  if (original_user_name == NULL)
 +    {
 +      g_printerr ("Error getting user name.\n");
 +      goto out;
 +    }
 +
 +  if ((original_cwd = g_get_current_dir ()) == NULL)
 +    {
 +      g_printerr ("Error getting cwd: %s\n",
 +                  g_strerror (errno));
 +      goto out;
 +    }
 +
   if (opt_user == NULL)
     opt_user = g_strdup ("root");
--- a/polkit-0.120.tar.gz
+++ b/polkit-0.120.tar.gz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:ee7a599a853117bf273548725719fa92fabd2f136915c7a4906cee98567aee03
 size 1626659
--- a/polkit-0.120.tar.gz.sign
+++ b/polkit-0.120.tar.gz.sign
@ -1,11 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCAAdFiEEf/t9a9gxR9dChOMXjOswMP/c4lgFAmFbBdIACgkQjOswMP/c
 4ljEgQgAtj7WctCA7ZqOBAgcr+8NHSzxMJHbiNPDMg4bJB3xVipyQYCfyv8dNANd
 33tTjDGjBN5Dn/Mp7FbxBHsTaUCcvnV11IeDq4AnVT1yrL3E1Tc4B08rQAEUSwZY
 eIuO4GJTbIs79Qtj6tjILcKhKNBBezUyMRgRpq/XYZKlwdlPZkhec2tGtP3wVZCW
 VlYliQfMvV4aJV2PRcVcITnFuWYvV28iI5nl466iE60MmaJOiPeJKFbXM73jiVeP
 QGPljAeGWiZ9xa2a2EFbBbyyiKo1B1kvdp0wgYaeGElw/ulcbUAPpzsh4+aTaX6l
 xJpnVpz9f+opD7/YpyAms4RRkQbMLQ==
 =UyNU
 -----END PGP SIGNATURE-----
--- a/polkit-121.tar.gz
+++ b/polkit-121.tar.gz
--- a/polkit-121.tar.gz.sign
+++ b/polkit-121.tar.gz.sign
@ -0,0 +1,11 @@
 -----BEGIN PGP SIGNATURE-----
 iQEzBAABCAAdFiEEf/t9a9gxR9dChOMXjOswMP/c4lgFAmLMIyMACgkQjOswMP/c
 4ljnPggAirGfeho8FcKzvi8V7Gya8tHUf0eGqdlJUr8owSHx0FjTzBSATHxhFtFZ
 pMPXXUkM0myKgqFQntL9ZYtM7l9MnCdS2rvEPkUg+uoJ4uJuuorsxkxaFdBOXFn9
 xUSgLIpsVIVVTDLaChgbRvgZQXLO27fz3PVchLlqLIfyyiKvxBCftx+4EXZzQgor
 HA0qpWFTdH1LxhhHrZibkNxBwI6uQum20fDzRiyIu5oUtRyZqRt+lBuimzFHrCLz
 AOGZJANTxNVpZmpXEJqM/N93133852S2UJtCbgp4zmcnAWeBJSD5NodbVq65JzAs
 4ZjD5iN/MumSAnQyKBknisT5UH5vwg==
 =mLHt
 -----END PGP SIGNATURE-----
--- a/polkit-adjust-libexec-path.patch
+++ b/polkit-adjust-libexec-path.patch
@ -1,7 +1,5 @@
-Index: polkit-0.118/src/polkitagent/polkitagentsession.c
+--- a/src/polkitagent/polkitagentsession.c
-===================================================================
+++ b/src/polkitagent/polkitagentsession.c
 --- polkit-0.118.orig/src/polkitagent/polkitagentsession.c
 +++ polkit-0.118/src/polkitagent/polkitagentsession.c
@@ -596,7 +596,7 @@ polkit_agent_session_initiate (PolkitAge
       goto error;
     }
@ -11,3 +9,14 @@ Index: polkit-0.118/src/polkitagent/polkitagentsession.c
   helper_argv[1] = passwd->pw_name;
   helper_argv[2] = NULL;
 --- a/meson.build
 +++ b/meson.build
@@ -28,7 +28,7 @@ pk_sysconfdir = get_option('sysconfdir')
 pk_pkgdatadir = pk_datadir / pk_api_name
 pk_pkgincludedir = pk_includedir / pk_api_name
 # note that this is always 'lib', not lib64 or lib/x86_64-linux-gnu
 -pk_libprivdir = 'lib' / pk_api_name
 +pk_libprivdir = 'libexec' / pk_api_name
 pk_pkgsysconfdir = pk_sysconfdir / pk_api_name
 pk_actiondir = pk_api_name / 'actions'
--- a/polkit-fix-pam-prefix.patch
+++ b/polkit-fix-pam-prefix.patch
@ -0,0 +1,33 @@
 https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/131
 build: Honour pam_prefix meson option
 Make the use of pam_prefix worth its while since, at the moment, its value
 is not being used. Instead, a hard-coded path is being deployed when it
 shouldn't anymore.
 The pam_prefix Meson option was designed to allow us to choose where pam
 configuration files should end up. But at the moment it is not being used at
 all where it should be.
 --- a/meson.build
 +++ b/meson.build
@@ -241,7 +241,7 @@ if enable_pam
   pam_prefix = get_option('pam_prefix')
   if pam_prefix == ''
 -    pam_prefix = pk_sysconfdir
 +    pam_prefix = pk_sysconfdir / 'pam.d'
   else
     message('PAM files will be installed in prefix ' + pam_prefix)
   endif
 --- a/data/meson.build
 +++ b/data/meson.build
@@ -22,7 +22,7 @@ if enable_pam
     output: '@BASENAME@',
     configuration: pam_conf,
     install: true,
 -    install_dir: pk_sysconfdir / 'pam.d',
 +    install_dir: pam_prefix,
   )
 endif
--- a/polkit-no-wheel-group.patch
+++ b/polkit-no-wheel-group.patch
@ -1,7 +1,5 @@
-Index: polkit-0.116/src/polkitbackend/50-default.rules
+--- a/src/polkitbackend/50-default.rules
-===================================================================
+++ b/src/polkitbackend/50-default.rules
 --- polkit-0.116.orig/src/polkitbackend/50-default.rules	2018-03-27 13:46:06.000000000 +0200
 +++ polkit-0.116/src/polkitbackend/50-default.rules	2019-05-31 22:55:57.990503876 +0200
@@ -8,5 +8,5 @@
 // about configuring polkit.
--- a/polkit.changes
+++ b/polkit.changes
@ -1,3 +1,43 @@
 -------------------------------------------------------------------
 Tue Aug  9 06:11:08 UTC 2022 - Luciano Santos <luc14n0@opensuse.org>
 - Update to version 121:
  + Addition of duktape as a JS engine backend.
  + Other small fixes and improvements. For more details, visit:
    gitlab.freedesktop.org/polkit/polkit/-/blob/121/NEWS.md
  + Updated translations.
 - Drop merged-upstream patches:
  + CVE-2021-4034-pkexec-fix.patch;
  + 0001-CVE-2021-4115-GHSL-2021-077-fix.patch;
  + duktape-support.patch;
  + pkexec.patch.
 - Replace Intltool with Gettext as a build requirement following
  the migration from last release (0.120).
 - Add Meson as a build requirement while dropping Libtool and
  replace all Autotools macros with Meson ones. And pass the
  following options to Meson: session_tracking=libsystemd-login;
  systemdsystemunitdir=%{_unitdir}; os_type=suse;
  pam_module_dir=%{_pam_moduledir}; pam_prefix=%{_pam_vendordir};
  examples=true; tests=true; gtk_doc=true; man=true and
  js_engine=duktape.
 - Drop no longer needed Libtool as a build requirement, following
  Autotools replacement.
 - Add explicit pkgconfig module build requirements for glib-2.0 and
  gobject-2.0 that are searched by the build scripts. They were
  already being pulled by their siblings [pkgconfig(gio-2.0) and
  pkgconfig(gio-unix-2.0)].
 - Drop conditional macro, which was wrapping "BuildArch: noarch"
  for the doc subpackage, based on long gone EOLed (open)SUSE
  release (11.2).
 - Add missing 'Requires(post): permissions' for the pkexec
  subpackage.
 - Add python3-dbus-python and python3-python-dbusmock as build
  requirements in order to run test in the check section.
 - Add polkit-fix-pam-prefix.patch to use the value of pam_prefix
  Meson option, like it was designed to, rather than hard-coded
  path for pam configuration files.
 - Remove unneeded executable bit from 50-default.rules file.
 -------------------------------------------------------------------
 Mon Aug  8 07:28:25 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
--- a/polkit.spec
+++ b/polkit.spec
@ -16,8 +16,12 @@
 #
 %define _polkit_rulesdir %{_datadir}/polkit-1/rules.d
 %define glib_br_version  2.30.0
 %define run_tests        1
 Name:           polkit
-Version:        0.120
+Version:        121
 Release:        0
 Summary:        PolicyKit Authorization Framework
 License:        LGPL-2.1-or-later
@ -28,50 +32,58 @@ Source1:        https://www.freedesktop.org/software/polkit/releases/%{name}-%{v
 Source2:        %{name}.keyring
 Source3:        system-user-polkitd.conf
 Source99:       baselibs.conf
 # Upstream First - Policy:
 # Never add any patches to this package without the upstream commit id
 # in the patch. Any patches added here without a very good reason to make
 # an exception will be silently removed with the next version update.
 # PATCH-FIX-OPENSUSE polkit-no-wheel-group.patch vuntz@opensuse.org -- In openSUSE, there's no special meaning for the wheel group, so we shouldn't allow it to be admin
 Patch0:         polkit-no-wheel-group.patch
 # PATCH-FIX-OPENSUSE polkit-gettext.patch lnussel@suse.de -- allow fallback to gettext for polkit action translations
 # polkit-use-gettext-as-fallback.patch
 Patch1:         polkit-gettext.patch
 # PATCH-FIX-UPSTREAM pkexec.patch schwab@suse.de -- pkexec: allow --version and --help even if not setuid
 Patch2:         pkexec.patch
 # PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file
 Patch3:         polkit-keyinit.patch
-# adjust path to polkit-agent-helper-1 (bsc#1180474)
+# PATCH-FIX-OPENSUSE polkit-adjust-libexec-path.patch -- Adjust path to polkit-agent-helper-1 (bsc#1180474)
 Patch4:         polkit-adjust-libexec-path.patch
-# PATCH-FIX-UPSTREAM CVE-2021-4034-pkexec-fix.patch meissner@ -- bsc#1194568 VUL-0: CVE-2021-4034: polkit: pkexec Local Privilege Escalation aka pwnkit
+# PATCH-FIX-UPSTREAM polkit-fix-pam-prefix.patch luc14n0@opensuse.org -- Make
-Patch5:         CVE-2021-4034-pkexec-fix.patch
+# intended use of pam_prefix meson option rather than hard-coded path
-# PATCH-FIX-UPSTREAM https://gitlab.freedesktop.org/polkit/polkit/-/commit/c7fc4e1b61f0fd82fc697c19c604af7e9fb291a2.patch, without .gitlab-ci.yml (not in the tarball)
+Patch5:         polkit-fix-pam-prefix.patch
-Patch6:         duktape-support.patch
+
 # PATCH-FIX-UPSTREAM 0001-CVE-2021-4115-GHSL-2021-077-fix.patch meissner@ -- bsc#1195542 VUL-0: CVE-2021-4115: polkit: denial of service via file descriptor leak
 Patch7:         0001-CVE-2021-4115-GHSL-2021-077-fix.patch
 BuildRequires:  gcc-c++
 BuildRequires:  gettext
 BuildRequires:  gtk-doc
 BuildRequires:  intltool
 BuildRequires:  libexpat-devel
-# needed for patch1 and 2
+BuildRequires:  meson >= 0.50
 BuildRequires:  libtool
 BuildRequires:  pam-devel
 BuildRequires:  pkgconfig
 BuildRequires:  systemd-rpm-macros
 BuildRequires:  sysuser-tools
 BuildRequires:  pkgconfig(duktape) >= 2.2.0
-BuildRequires:  pkgconfig(gio-unix-2.0) >= 2.32.0
+BuildRequires:  pkgconfig(gio-unix-2.0) >= %{glib_br_version}
-BuildRequires:  pkgconfig(gmodule-2.0) >= 2.32.0
+BuildRequires:  pkgconfig(glib-2.0) >= %{glib_br_version}
 BuildRequires:  pkgconfig(gmodule-2.0) >= %{glib_br_version}
 BuildRequires:  pkgconfig(gobject-introspection-1.0) >= 0.6.2
 BuildRequires:  pkgconfig(libsystemd)
 BuildRequires:  pkgconfig(systemd)
 %if 0%{?run_tests}
 #################################################################
 # python3-dbus-python and python3-python-dbusmock are needed for
 # test-polkitbackendjsauthority test:
 BuildRequires:  python3-dbus-python
 BuildRequires:  python3-python-dbusmock
 #################################################################
 %endif
 # gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle.
 #!BuildIgnore:  ruby
 Requires:       dbus-1
 Requires:       libpolkit-agent-1-0 = %{version}-%{release}
 Requires:       libpolkit-gobject-1-0 = %{version}-%{release}
 Requires(post): permissions
 %sysusers_requires
 %systemd_ordering
 # Upstream First - Policy:
 # Never add any patches to this package without the upstream commit id
 # in the patch. Any patches added here without a very good reason to make
 # an exception will be silently removed with the next version update.
 %description
 PolicyKit is a toolkit for defining and handling authorizations.
@ -91,9 +103,10 @@ Requires:       typelib-1_0-Polkit-1_0 = %{version}
 Development files for PolicyKit Authorization Framework.
 %package -n pkexec
-Summary:        pkexec component of polkit
+Summary:        Pkexec component of polkit
 Group:          System/Libraries
 Requires:       %{name} = %{version}-%{release}
 Requires(post): permissions
 Provides:       polkit:/usr/bin/pkexec
 %description -n pkexec
@ -102,9 +115,7 @@ This package contains the pkexec setuid root binary part of polkit.
 %package doc
 Summary:        Development documentation for PolicyKit
 Group:          Development/Libraries/C and C++
 %if 0%{?suse_version} >= 1120
 BuildArch:      noarch
 %endif
 %description doc
 Development documentation for PolicyKit Authorization Framework.
@ -147,39 +158,49 @@ processes.
 This package provides the GObject Introspection bindings for PolicyKit.
 %prep
-%autosetup -p1
+%autosetup -p1 -n polkit-v.%{version}
 %build
-# Needed for patch1 and patch2
+%meson                                     \
-autoreconf -fi
+    -D session_tracking=libsystemd-login   \
-export SUID_CFLAGS="-fPIE"
+    -D systemdsystemunitdir="%{_unitdir}"  \
-export SUID_LDFLAGS="-z now -pie"
+    -D os_type=suse                        \
-%configure \
+    -D pam_module_dir="%{_pam_moduledir}"  \
-	--with-os-type=suse \
+    -D pam_prefix="%{_pam_vendordir}"      \
-	--enable-gtk-doc \
+    -D examples=true                       \
-	--disable-static \
+    -D tests=true                          \
-	--enable-introspection \
+    -D gtk_doc=true                        \
-	--enable-examples \
+    -D man=true                            \
-	--enable-libsystemd-login \
+    -D js_engine=duktape                   \
 	--with-duktape \
    %{nil}
-%make_build libprivdir=%{_libexecdir}/polkit-1
+%meson_build
 %sysusers_generate_pre %{SOURCE3} polkit system-user-polkitd.conf
 %if 0%{?run_tests}
 %check
 %meson_test
 %endif
 %install
 # install explicitly into libexec. upstream has some unflexible logic for
 # this executable at the moment, but there is a PR# open to fix this:
 #     https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/63
 # once this has been resolved upstream and we update to a new release we can
 # remove this and also patch4 above.
-%make_install libprivdir=%{_libexecdir}/polkit-1
+#
-find %{buildroot} -type f -name "*.la" -delete -print
+# Additional note: Upstream turned down the MR above, preferring to stick to
 # using ${prefix}/lib/polkit-1 and non-distro-configurable.
 %meson_install
 %find_lang polkit-1
 # create $HOME for polkit user
 install -d %{buildroot}%{_localstatedir}/lib/polkit
-%find_lang polkit-1
+
-mkdir -p %{buildroot}%{_pam_vendordir}
+# We use /usr/share as prefix for the rules.d directory
-mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/
+mv %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules \
-mv %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules %{buildroot}%{_datadir}/polkit-1/rules.d/50-default.rules
+   %{buildroot}%{_polkit_rulesdir}/50-default.rules
 # Install the polkitd user creation file:
 mkdir -p %{buildroot}%{_sysusersdir}
 install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
@ -221,6 +242,7 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
 %{_libdir}/girepository-1.0/PolkitAgent-1.0.typelib
 %files -f polkit-1.lang
 %doc NEWS.md README.md
 %license COPYING
 %{_mandir}/man1/pkaction.1%{?ext_man}
@ -234,10 +256,11 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
 %dir %{_datadir}/dbus-1/system.d
 %{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
 %dir %{_datadir}/polkit-1
 %{_datadir}/polkit-1/policyconfig-1.dtd
 %dir %{_datadir}/polkit-1/actions
 %{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
-%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
+%attr(0700,polkitd,root) %dir %{_polkit_rulesdir}
-%attr(0700,polkitd,root) %{_datadir}/polkit-1/rules.d/50-default.rules
+%attr(0600,polkitd,root) %{_polkit_rulesdir}/50-default.rules
 %{_pam_vendordir}/polkit-1
 %dir %{_sysconfdir}/polkit-1
 %attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
@ -269,7 +292,6 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
 %verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec
 %files doc
 %doc NEWS
 %doc %{_datadir}/gtk-doc/html/polkit-1/
 %changelog