Accepting request 997456 from home:luc14n0:branches:Base:System

Update to 121 stable release.

OBS-URL: https://build.opensuse.org/request/show/997456
OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=176
Marcus Meissner 2022-08-17 11:30:42 +00:00 committed by Git OBS Bridge
parent 4f1639eb8f
commit 84c1181306
13 changed files with 175 additions and 3738 deletions


@ -1,83 +0,0 @@
From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Mon, 21 Feb 2022 08:29:05 +0000
Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix
---
src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++----
1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
index 8ed1363..2fbf5f1 100644
--- a/src/polkit/polkitsystembusname.c
+++ b/src/polkit/polkitsystembusname.c
@@ -62,6 +62,10 @@ enum
PROP_NAME,
};
+
+guint8 dbus_call_respond_fails; // has to be global because of callback
+
+
static void subject_iface_init (PolkitSubjectIface *subject_iface);
G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
if (!v)
{
data->caught_error = TRUE;
+ dbus_call_respond_fails += 1;
}
else
{
@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
tmp_context = g_main_context_new ();
g_main_context_push_thread_default (tmp_context);
+ dbus_call_respond_fails = 0;
+
/* Do two async calls as it's basically as fast as one sync call.
*/
g_dbus_connection_call (connection,
@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
on_retrieved_unix_uid_pid,
&data);
- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
- g_main_context_iteration (tmp_context, TRUE);
+ while (TRUE)
+ {
+ /* If one dbus call returns error, we must wait until the other call
+ * calls _call_finish(), otherwise fd leak is possible.
+ * Resolves: GHSL-2021-077
+ */
- if (data.caught_error)
- goto out;
+ if ( (dbus_call_respond_fails > 1) )
+ {
+ // we got two faults, we can leave
+ goto out;
+ }
+
+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
+ {
+ // we got one fault and the other call finally finished, we can leave
+ goto out;
+ }
+
+ if ( !(data.retrieved_uid && data.retrieved_pid) )
+ {
+ g_main_context_iteration (tmp_context, TRUE);
+ }
+ else
+ {
+ break;
+ }
+ }
if (out_uid)
*out_uid = data.uid;
--
2.26.2


@ -1,65 +0,0 @@
--- a/src/programs/pkcheck.c
+++ a/src/programs/pkcheck.c
@@ -363,6 +363,12 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ help();
+ exit(1);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
--- a/src/programs/pkexec.c
+++ a/src/programs/pkexec.c
@@ -488,6 +488,17 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called wrong, just show help and bail out.
+ */
+ if (argc<1)
+ {
+ clearenv();
+ usage(argc, argv);
+ exit(1);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +625,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +647,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{

File diff suppressed because it is too large Load Diff


@ -1,68 +0,0 @@
From: Andreas Schwab <schwab@suse.de>
Subject: pkexec: allow --version and --help even if not setuid
Don't check for setuid invocation until after parsing command line, to allow
running uninstalled pkexec with --help or --version. This also helps
building packages that want to check for pkexec in an emulated environment
that does not support setuid invocation (eg. QEMU linux-user).
Index: polkit-0.116/src/programs/pkexec.c
===================================================================
--- polkit-0.116.orig/src/programs/pkexec.c 2018-05-31 13:52:53.000000000 +0200
+++ polkit-0.116/src/programs/pkexec.c 2019-05-31 22:55:58.014504104 +0200
@@ -504,27 +504,6 @@ main (int argc, char *argv[])
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
- /* check for correct invocation */
- if (geteuid () != 0)
- {
- g_printerr ("pkexec must be setuid root\n");
- goto out;
- }
-
- original_user_name = g_strdup (g_get_user_name ());
- if (original_user_name == NULL)
- {
- g_printerr ("Error getting user name.\n");
- goto out;
- }
-
- if ((original_cwd = g_get_current_dir ()) == NULL)
- {
- g_printerr ("Error getting cwd: %s\n",
- g_strerror (errno));
- goto out;
- }
-
/* First process options and find the command-line to invoke. Avoid using fancy library routines
* that depend on environtment variables since we haven't cleared the environment just yet.
*/
@@ -580,6 +559,27 @@ main (int argc, char *argv[])
goto out;
}
+ /* check for correct invocation */
+ if (geteuid () != 0)
+ {
+ g_printerr ("pkexec must be setuid root\n");
+ goto out;
+ }
+
+ original_user_name = g_strdup (g_get_user_name ());
+ if (original_user_name == NULL)
+ {
+ g_printerr ("Error getting user name.\n");
+ goto out;
+ }
+
+ if ((original_cwd = g_get_current_dir ()) == NULL)
+ {
+ g_printerr ("Error getting cwd: %s\n",
+ g_strerror (errno));
+ goto out;
+ }
+
if (opt_user == NULL)
opt_user = g_strdup ("root");


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ee7a599a853117bf273548725719fa92fabd2f136915c7a4906cee98567aee03
size 1626659


@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEf/t9a9gxR9dChOMXjOswMP/c4lgFAmFbBdIACgkQjOswMP/c
4ljEgQgAtj7WctCA7ZqOBAgcr+8NHSzxMJHbiNPDMg4bJB3xVipyQYCfyv8dNANd
33tTjDGjBN5Dn/Mp7FbxBHsTaUCcvnV11IeDq4AnVT1yrL3E1Tc4B08rQAEUSwZY
eIuO4GJTbIs79Qtj6tjILcKhKNBBezUyMRgRpq/XYZKlwdlPZkhec2tGtP3wVZCW
VlYliQfMvV4aJV2PRcVcITnFuWYvV28iI5nl466iE60MmaJOiPeJKFbXM73jiVeP
QGPljAeGWiZ9xa2a2EFbBbyyiKo1B1kvdp0wgYaeGElw/ulcbUAPpzsh4+aTaX6l
xJpnVpz9f+opD7/YpyAms4RRkQbMLQ==
=UyNU
-----END PGP SIGNATURE-----

BIN
polkit-121.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

11
polkit-121.tar.gz.sign Normal file

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEf/t9a9gxR9dChOMXjOswMP/c4lgFAmLMIyMACgkQjOswMP/c
4ljnPggAirGfeho8FcKzvi8V7Gya8tHUf0eGqdlJUr8owSHx0FjTzBSATHxhFtFZ
pMPXXUkM0myKgqFQntL9ZYtM7l9MnCdS2rvEPkUg+uoJ4uJuuorsxkxaFdBOXFn9
xUSgLIpsVIVVTDLaChgbRvgZQXLO27fz3PVchLlqLIfyyiKvxBCftx+4EXZzQgor
HA0qpWFTdH1LxhhHrZibkNxBwI6uQum20fDzRiyIu5oUtRyZqRt+lBuimzFHrCLz
AOGZJANTxNVpZmpXEJqM/N93133852S2UJtCbgp4zmcnAWeBJSD5NodbVq65JzAs
4ZjD5iN/MumSAnQyKBknisT5UH5vwg==
=mLHt
-----END PGP SIGNATURE-----


@ -1,7 +1,5 @@
Index: polkit-0.118/src/polkitagent/polkitagentsession.c --- a/src/polkitagent/polkitagentsession.c
=================================================================== +++ b/src/polkitagent/polkitagentsession.c
--- polkit-0.118.orig/src/polkitagent/polkitagentsession.c
+++ polkit-0.118/src/polkitagent/polkitagentsession.c
@@ -596,7 +596,7 @@ polkit_agent_session_initiate (PolkitAge @@ -596,7 +596,7 @@ polkit_agent_session_initiate (PolkitAge
goto error; goto error;
} }
@ -11,3 +9,14 @@ Index: polkit-0.118/src/polkitagent/polkitagentsession.c
helper_argv[1] = passwd->pw_name; helper_argv[1] = passwd->pw_name;
helper_argv[2] = NULL; helper_argv[2] = NULL;
--- a/meson.build
+++ b/meson.build
@@ -28,7 +28,7 @@ pk_sysconfdir = get_option('sysconfdir')
pk_pkgdatadir = pk_datadir / pk_api_name
pk_pkgincludedir = pk_includedir / pk_api_name
# note that this is always 'lib', not lib64 or lib/x86_64-linux-gnu
-pk_libprivdir = 'lib' / pk_api_name
+pk_libprivdir = 'libexec' / pk_api_name
pk_pkgsysconfdir = pk_sysconfdir / pk_api_name
pk_actiondir = pk_api_name / 'actions'


@ -0,0 +1,33 @@
https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/131
build: Honour pam_prefix meson option
Make the use of pam_prefix worth its while since, at the moment, its value
is not being used. Instead, a hard-coded path is being deployed when it
shouldn't anymore.
The pam_prefix Meson option was designed to allow us to choose where pam
configuration files should end up. But at the moment it is not being used at
all where it should be.
--- a/meson.build
+++ b/meson.build
@@ -241,7 +241,7 @@ if enable_pam
pam_prefix = get_option('pam_prefix')
if pam_prefix == ''
- pam_prefix = pk_sysconfdir
+ pam_prefix = pk_sysconfdir / 'pam.d'
else
message('PAM files will be installed in prefix ' + pam_prefix)
endif
--- a/data/meson.build
+++ b/data/meson.build
@@ -22,7 +22,7 @@ if enable_pam
output: '@BASENAME@',
configuration: pam_conf,
install: true,
- install_dir: pk_sysconfdir / 'pam.d',
+ install_dir: pam_prefix,
)
endif


@ -1,7 +1,5 @@
Index: polkit-0.116/src/polkitbackend/50-default.rules --- a/src/polkitbackend/50-default.rules
=================================================================== +++ b/src/polkitbackend/50-default.rules
--- polkit-0.116.orig/src/polkitbackend/50-default.rules 2018-03-27 13:46:06.000000000 +0200
+++ polkit-0.116/src/polkitbackend/50-default.rules 2019-05-31 22:55:57.990503876 +0200
@@ -8,5 +8,5 @@ @@ -8,5 +8,5 @@
// about configuring polkit. // about configuring polkit.


@ -1,3 +1,43 @@
-------------------------------------------------------------------
Tue Aug 9 06:11:08 UTC 2022 - Luciano Santos <luc14n0@opensuse.org>
- Update to version 121:
+ Addition of duktape as a JS engine backend.
+ Other small fixes and improvements. For more details, visit:
gitlab.freedesktop.org/polkit/polkit/-/blob/121/NEWS.md
+ Updated translations.
- Drop merged-upstream patches:
+ CVE-2021-4034-pkexec-fix.patch;
+ 0001-CVE-2021-4115-GHSL-2021-077-fix.patch;
+ duktape-support.patch;
+ pkexec.patch.
- Replace Intltool with Gettext as a build requirement following
the migration from last release (0.120).
- Add Meson as a build requirement while dropping Libtool and
replace all Autotools macros with Meson ones. And pass the
following options to Meson: session_tracking=libsystemd-login;
systemdsystemunitdir=%{_unitdir}; os_type=suse;
pam_module_dir=%{_pam_moduledir}; pam_prefix=%{_pam_vendordir};
examples=true; tests=true; gtk_doc=true; man=true and
js_engine=duktape.
- Drop no longer needed Libtool as a build requirement, following
Autotools replacement.
- Add explicit pkgconfig module build requirements for glib-2.0 and
gobject-2.0 that are searched by the build scripts. They were
already being pulled by their siblings [pkgconfig(gio-2.0) and
pkgconfig(gio-unix-2.0)].
- Drop conditional macro, which was wrapping "BuildArch: noarch"
for the doc subpackage, based on long gone EOLed (open)SUSE
release (11.2).
- Add missing 'Requires(post): permissions' for the pkexec
subpackage.
- Add python3-dbus-python and python3-python-dbusmock as build
requirements in order to run test in the check section.
- Add polkit-fix-pam-prefix.patch to use the value of pam_prefix
Meson option, like it was designed to, rather than hard-coded
path for pam configuration files.
- Remove unneeded executable bit from 50-default.rules file.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Aug 8 07:28:25 UTC 2022 - Thorsten Kukuk <kukuk@suse.com> Mon Aug 8 07:28:25 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>


@ -16,8 +16,12 @@
# #
%define _polkit_rulesdir %{_datadir}/polkit-1/rules.d
%define glib_br_version 2.30.0
%define run_tests 1
Name: polkit Name: polkit
Version: 0.120 Version: 121
Release: 0 Release: 0
Summary: PolicyKit Authorization Framework Summary: PolicyKit Authorization Framework
License: LGPL-2.1-or-later License: LGPL-2.1-or-later
@ -28,50 +32,58 @@ Source1: https://www.freedesktop.org/software/polkit/releases/%{name}-%{v
Source2: %{name}.keyring Source2: %{name}.keyring
Source3: system-user-polkitd.conf Source3: system-user-polkitd.conf
Source99: baselibs.conf Source99: baselibs.conf
# Upstream First - Policy:
# Never add any patches to this package without the upstream commit id
# in the patch. Any patches added here without a very good reason to make
# an exception will be silently removed with the next version update.
# PATCH-FIX-OPENSUSE polkit-no-wheel-group.patch vuntz@opensuse.org -- In openSUSE, there's no special meaning for the wheel group, so we shouldn't allow it to be admin # PATCH-FIX-OPENSUSE polkit-no-wheel-group.patch vuntz@opensuse.org -- In openSUSE, there's no special meaning for the wheel group, so we shouldn't allow it to be admin
Patch0: polkit-no-wheel-group.patch Patch0: polkit-no-wheel-group.patch
# PATCH-FIX-OPENSUSE polkit-gettext.patch lnussel@suse.de -- allow fallback to gettext for polkit action translations # PATCH-FIX-OPENSUSE polkit-gettext.patch lnussel@suse.de -- allow fallback to gettext for polkit action translations
# polkit-use-gettext-as-fallback.patch
Patch1: polkit-gettext.patch Patch1: polkit-gettext.patch
# PATCH-FIX-UPSTREAM pkexec.patch schwab@suse.de -- pkexec: allow --version and --help even if not setuid
Patch2: pkexec.patch
# PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file # PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file
Patch3: polkit-keyinit.patch Patch3: polkit-keyinit.patch
# adjust path to polkit-agent-helper-1 (bsc#1180474) # PATCH-FIX-OPENSUSE polkit-adjust-libexec-path.patch -- Adjust path to polkit-agent-helper-1 (bsc#1180474)
Patch4: polkit-adjust-libexec-path.patch Patch4: polkit-adjust-libexec-path.patch
# PATCH-FIX-UPSTREAM CVE-2021-4034-pkexec-fix.patch meissner@ -- bsc#1194568 VUL-0: CVE-2021-4034: polkit: pkexec Local Privilege Escalation aka pwnkit # PATCH-FIX-UPSTREAM polkit-fix-pam-prefix.patch luc14n0@opensuse.org -- Make
Patch5: CVE-2021-4034-pkexec-fix.patch # intended use of pam_prefix meson option rather than hard-coded path
# PATCH-FIX-UPSTREAM https://gitlab.freedesktop.org/polkit/polkit/-/commit/c7fc4e1b61f0fd82fc697c19c604af7e9fb291a2.patch, without .gitlab-ci.yml (not in the tarball) Patch5: polkit-fix-pam-prefix.patch
Patch6: duktape-support.patch
# PATCH-FIX-UPSTREAM 0001-CVE-2021-4115-GHSL-2021-077-fix.patch meissner@ -- bsc#1195542 VUL-0: CVE-2021-4115: polkit: denial of service via file descriptor leak
Patch7: 0001-CVE-2021-4115-GHSL-2021-077-fix.patch
BuildRequires: gcc-c++ BuildRequires: gcc-c++
BuildRequires: gettext
BuildRequires: gtk-doc BuildRequires: gtk-doc
BuildRequires: intltool
BuildRequires: libexpat-devel BuildRequires: libexpat-devel
# needed for patch1 and 2 BuildRequires: meson >= 0.50
BuildRequires: libtool
BuildRequires: pam-devel BuildRequires: pam-devel
BuildRequires: pkgconfig BuildRequires: pkgconfig
BuildRequires: systemd-rpm-macros BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools BuildRequires: sysuser-tools
BuildRequires: pkgconfig(duktape) >= 2.2.0 BuildRequires: pkgconfig(duktape) >= 2.2.0
BuildRequires: pkgconfig(gio-unix-2.0) >= 2.32.0 BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_br_version}
BuildRequires: pkgconfig(gmodule-2.0) >= 2.32.0 BuildRequires: pkgconfig(glib-2.0) >= %{glib_br_version}
BuildRequires: pkgconfig(gmodule-2.0) >= %{glib_br_version}
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2 BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2
BuildRequires: pkgconfig(libsystemd) BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(systemd) BuildRequires: pkgconfig(systemd)
%if 0%{?run_tests}
#################################################################
# python3-dbus-python and python3-python-dbusmock are needed for
# test-polkitbackendjsauthority test:
BuildRequires: python3-dbus-python
BuildRequires: python3-python-dbusmock
#################################################################
%endif
# gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle. # gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle.
#!BuildIgnore: ruby #!BuildIgnore: ruby
Requires: dbus-1 Requires: dbus-1
Requires: libpolkit-agent-1-0 = %{version}-%{release} Requires: libpolkit-agent-1-0 = %{version}-%{release}
Requires: libpolkit-gobject-1-0 = %{version}-%{release} Requires: libpolkit-gobject-1-0 = %{version}-%{release}
Requires(post): permissions Requires(post): permissions
%sysusers_requires %sysusers_requires
%systemd_ordering %systemd_ordering
# Upstream First - Policy:
# Never add any patches to this package without the upstream commit id
# in the patch. Any patches added here without a very good reason to make
# an exception will be silently removed with the next version update.
%description %description
PolicyKit is a toolkit for defining and handling authorizations. PolicyKit is a toolkit for defining and handling authorizations.
@ -91,9 +103,10 @@ Requires: typelib-1_0-Polkit-1_0 = %{version}
Development files for PolicyKit Authorization Framework. Development files for PolicyKit Authorization Framework.
%package -n pkexec %package -n pkexec
Summary: pkexec component of polkit Summary: Pkexec component of polkit
Group: System/Libraries Group: System/Libraries
Requires: %{name} = %{version}-%{release} Requires: %{name} = %{version}-%{release}
Requires(post): permissions
Provides: polkit:/usr/bin/pkexec Provides: polkit:/usr/bin/pkexec
%description -n pkexec %description -n pkexec
@ -102,9 +115,7 @@ This package contains the pkexec setuid root binary part of polkit.
%package doc %package doc
Summary: Development documentation for PolicyKit Summary: Development documentation for PolicyKit
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
%if 0%{?suse_version} >= 1120
BuildArch: noarch BuildArch: noarch
%endif
%description doc %description doc
Development documentation for PolicyKit Authorization Framework. Development documentation for PolicyKit Authorization Framework.
@ -147,39 +158,49 @@ processes.
This package provides the GObject Introspection bindings for PolicyKit. This package provides the GObject Introspection bindings for PolicyKit.
%prep %prep
%autosetup -p1 %autosetup -p1 -n polkit-v.%{version}
%build %build
# Needed for patch1 and patch2 %meson \
autoreconf -fi -D session_tracking=libsystemd-login \
export SUID_CFLAGS="-fPIE" -D systemdsystemunitdir="%{_unitdir}" \
export SUID_LDFLAGS="-z now -pie" -D os_type=suse \
%configure \ -D pam_module_dir="%{_pam_moduledir}" \
--with-os-type=suse \ -D pam_prefix="%{_pam_vendordir}" \
--enable-gtk-doc \ -D examples=true \
--disable-static \ -D tests=true \
--enable-introspection \ -D gtk_doc=true \
--enable-examples \ -D man=true \
--enable-libsystemd-login \ -D js_engine=duktape \
--with-duktape \ %{nil}
%{nil} %meson_build
%make_build libprivdir=%{_libexecdir}/polkit-1
%sysusers_generate_pre %{SOURCE3} polkit system-user-polkitd.conf %sysusers_generate_pre %{SOURCE3} polkit system-user-polkitd.conf
%if 0%{?run_tests}
%check
%meson_test
%endif
%install %install
# install explicitly into libexec. upstream has some unflexible logic for # install explicitly into libexec. upstream has some unflexible logic for
# this executable at the moment, but there is a PR# open to fix this: # this executable at the moment, but there is a PR# open to fix this:
# https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/63 # https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/63
# once this has been resolved upstream and we update to a new release we can # once this has been resolved upstream and we update to a new release we can
# remove this and also patch4 above. # remove this and also patch4 above.
%make_install libprivdir=%{_libexecdir}/polkit-1 #
find %{buildroot} -type f -name "*.la" -delete -print # Additional note: Upstream turned down the MR above, preferring to stick to
# using ${prefix}/lib/polkit-1 and non-distro-configurable.
%meson_install
%find_lang polkit-1
# create $HOME for polkit user # create $HOME for polkit user
install -d %{buildroot}%{_localstatedir}/lib/polkit install -d %{buildroot}%{_localstatedir}/lib/polkit
%find_lang polkit-1
mkdir -p %{buildroot}%{_pam_vendordir} # We use /usr/share as prefix for the rules.d directory
mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/ mv %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules \
mv %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules %{buildroot}%{_datadir}/polkit-1/rules.d/50-default.rules %{buildroot}%{_polkit_rulesdir}/50-default.rules
# Install the polkitd user creation file:
mkdir -p %{buildroot}%{_sysusersdir} mkdir -p %{buildroot}%{_sysusersdir}
install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
@ -221,6 +242,7 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
%{_libdir}/girepository-1.0/PolkitAgent-1.0.typelib %{_libdir}/girepository-1.0/PolkitAgent-1.0.typelib
%files -f polkit-1.lang %files -f polkit-1.lang
%doc NEWS.md README.md
%license COPYING %license COPYING
%{_mandir}/man1/pkaction.1%{?ext_man} %{_mandir}/man1/pkaction.1%{?ext_man}
@ -234,10 +256,11 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
%dir %{_datadir}/dbus-1/system.d %dir %{_datadir}/dbus-1/system.d
%{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf %{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
%dir %{_datadir}/polkit-1 %dir %{_datadir}/polkit-1
%{_datadir}/polkit-1/policyconfig-1.dtd
%dir %{_datadir}/polkit-1/actions %dir %{_datadir}/polkit-1/actions
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy %{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d %attr(0700,polkitd,root) %dir %{_polkit_rulesdir}
%attr(0700,polkitd,root) %{_datadir}/polkit-1/rules.d/50-default.rules %attr(0600,polkitd,root) %{_polkit_rulesdir}/50-default.rules
%{_pam_vendordir}/polkit-1 %{_pam_vendordir}/polkit-1
%dir %{_sysconfdir}/polkit-1 %dir %{_sysconfdir}/polkit-1
%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d %attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
@ -269,7 +292,6 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
%verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec %verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec
%files doc %files doc
%doc NEWS
%doc %{_datadir}/gtk-doc/html/polkit-1/ %doc %{_datadir}/gtk-doc/html/polkit-1/
%changelog %changelog
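Review bot: The `%build` hunk removes `export SUID_CFLAGS="-fPIE"` and `export SUID_LDFLAGS="-z now -pie"`, and the `%meson` invocation that replaces `%configure` passes nothing that takes their place, while the package still ships `pkexec` as `%attr(4755,root,root)`. Whether the setuid binary is still linked as a PIE with immediate binding therefore depends on the distribution's default build flags and on upstream's meson.build, neither of which is visible on this page. I would either pass meson's `-D b_pie=true` explicitly or record the assumption next to the `%meson` call, e.g. `# pkexec is setuid root: PIE and -z now are expected from the default optflags/ldflags`, and confirm it on the built binary (for instance in `%check`) so the hardening does not silently disappear with the Autotools exports.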