pool/polkit
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 997456 from home:luc14n0:branches:Base:System

Browse Source 
Update to 121 stable release.

OBS-URL: https://build.opensuse.org/request/show/997456
OBS-URL: https://build.opensuse.org/package/show/Base:System/polkit?expand=0&rev=176
This commit is contained in:
Marcus Meissner 2022-08-17 11:30:42 +00:00 committed by Git OBS Bridge
parent 4f1639eb8f
commit 84c1181306
13 changed files with 175 additions and 3738 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
0001-CVE-2021-4115-GHSL-2021-077-fix.patch
View File

@ -1,83 +0,0 @@
From 41cb093f554da8772362654a128a84dd8a5542a7 Mon Sep 17 00:00:00 2001
From: Jan Rybar <jrybar@redhat.com>
Date: Mon, 21 Feb 2022 08:29:05 +0000
Subject: [PATCH] CVE-2021-4115 (GHSL-2021-077) fix
---
src/polkit/polkitsystembusname.c | 38 ++++++++++++++++++++++++++++----
1 file changed, 34 insertions(+), 4 deletions(-)
diff --git a/src/polkit/polkitsystembusname.c b/src/polkit/polkitsystembusname.c
index 8ed1363..2fbf5f1 100644
--- a/src/polkit/polkitsystembusname.c
+++ b/src/polkit/polkitsystembusname.c
@@ -62,6 +62,10 @@ enum
PROP_NAME,
};
+
+guint8 dbus_call_respond_fails; // has to be global because of callback
+
+
static void subject_iface_init (PolkitSubjectIface *subject_iface);
G_DEFINE_TYPE_WITH_CODE (PolkitSystemBusName, polkit_system_bus_name, G_TYPE_OBJECT,
@@ -364,6 +368,7 @@ on_retrieved_unix_uid_pid (GObject *src,
if (!v)
{
data->caught_error = TRUE;
+ dbus_call_respond_fails += 1;
}
else
{
@@ -405,6 +410,8 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
tmp_context = g_main_context_new ();
g_main_context_push_thread_default (tmp_context);
+ dbus_call_respond_fails = 0;
+
/* Do two async calls as it's basically as fast as one sync call.
*/
g_dbus_connection_call (connection,
@@ -432,11 +439,34 @@ polkit_system_bus_name_get_creds_sync (PolkitSystemBusName *system_bus
on_retrieved_unix_uid_pid,
&data);
- while (!((data.retrieved_uid && data.retrieved_pid) || data.caught_error))
- g_main_context_iteration (tmp_context, TRUE);
+ while (TRUE)
+ {
+ /* If one dbus call returns error, we must wait until the other call
+ * calls _call_finish(), otherwise fd leak is possible.
+ * Resolves: GHSL-2021-077
+ */
- if (data.caught_error)
- goto out;
+ if ( (dbus_call_respond_fails > 1) )
+ {
+ // we got two faults, we can leave
+ goto out;
+ }
+
+ if ((data.caught_error && (data.retrieved_pid || data.retrieved_uid)))
+ {
+ // we got one fault and the other call finally finished, we can leave
+ goto out;
+ }
+
+ if ( !(data.retrieved_uid && data.retrieved_pid) )
+ {
+ g_main_context_iteration (tmp_context, TRUE);
+ }
+ else
+ {
+ break;
+ }
+ }
if (out_uid)
*out_uid = data.uid;
--
2.26.2

65
CVE-2021-4034-pkexec-fix.patch
View File

@ -1,65 +0,0 @@
--- a/src/programs/pkcheck.c
+++ a/src/programs/pkcheck.c
@@ -363,6 +363,12 @@ main (int argc, char *argv[])
local_agent_handle = NULL;
ret = 126;
+ if (argc < 1)
+ {
+ help();
+ exit(1);
+ }
+
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
--- a/src/programs/pkexec.c
+++ a/src/programs/pkexec.c
@@ -488,6 +488,17 @@ main (int argc, char *argv[])
pid_t pid_of_caller;
gpointer local_agent_handle;
+
+ /*
+ * If 'pkexec' is called wrong, just show help and bail out.
+ */
+ if (argc<1)
+ {
+ clearenv();
+ usage(argc, argv);
+ exit(1);
+ }
+
ret = 127;
authority = NULL;
subject = NULL;
@@ -614,10 +625,10 @@ main (int argc, char *argv[])
path = g_strdup (pwstruct.pw_shell);
if (!path)
- {
+ {
g_printerr ("No shell configured or error retrieving pw_shell\n");
goto out;
- }
+ }
/* If you change this, be sure to change the if (!command_line)
case below too */
command_line = g_strdup (path);
@@ -636,7 +647,15 @@ main (int argc, char *argv[])
goto out;
}
g_free (path);
- argv[n] = path = s;
+ path = s;
+
+ /* argc<2 and pkexec runs just shell, argv is guaranteed to be null-terminated.
+ * /-less shell shouldn't happen, but let's be defensive and don't write to null-termination
+ */
+ if (argv[n] != NULL)
+ {
+ argv[n] = path;
+ }
}
if (access (path, F_OK) != 0)
{

3449
duktape-support.patch
View File

File diff suppressed because it is too large Load Diff

68
pkexec.patch
View File

@ -1,68 +0,0 @@
From: Andreas Schwab <schwab@suse.de>
Subject: pkexec: allow --version and --help even if not setuid
Don't check for setuid invocation until after parsing command line, to allow
running uninstalled pkexec with --help or --version. This also helps
building packages that want to check for pkexec in an emulated environment
that does not support setuid invocation (eg. QEMU linux-user).
Index: polkit-0.116/src/programs/pkexec.c
===================================================================
--- polkit-0.116.orig/src/programs/pkexec.c 2018-05-31 13:52:53.000000000 +0200
+++ polkit-0.116/src/programs/pkexec.c 2019-05-31 22:55:58.014504104 +0200
@@ -504,27 +504,6 @@ main (int argc, char *argv[])
/* Disable remote file access from GIO. */
setenv ("GIO_USE_VFS", "local", 1);
- /* check for correct invocation */
- if (geteuid () != 0)
- {
- g_printerr ("pkexec must be setuid root\n");
- goto out;
- }
-
- original_user_name = g_strdup (g_get_user_name ());
- if (original_user_name == NULL)
- {
- g_printerr ("Error getting user name.\n");
- goto out;
- }
-
- if ((original_cwd = g_get_current_dir ()) == NULL)
- {
- g_printerr ("Error getting cwd: %s\n",
- g_strerror (errno));
- goto out;
- }
-
/* First process options and find the command-line to invoke. Avoid using fancy library routines
* that depend on environtment variables since we haven't cleared the environment just yet.
*/
@@ -580,6 +559,27 @@ main (int argc, char *argv[])
goto out;
}
+ /* check for correct invocation */
+ if (geteuid () != 0)
+ {
+ g_printerr ("pkexec must be setuid root\n");
+ goto out;
+ }
+
+ original_user_name = g_strdup (g_get_user_name ());
+ if (original_user_name == NULL)
+ {
+ g_printerr ("Error getting user name.\n");
+ goto out;
+ }
+
+ if ((original_cwd = g_get_current_dir ()) == NULL)
+ {
+ g_printerr ("Error getting cwd: %s\n",
+ g_strerror (errno));
+ goto out;
+ }
+
if (opt_user == NULL)
opt_user = g_strdup ("root");

3
polkit-0.120.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:ee7a599a853117bf273548725719fa92fabd2f136915c7a4906cee98567aee03
size 1626659

11
polkit-0.120.tar.gz.sign
View File

@ -1,11 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEf/t9a9gxR9dChOMXjOswMP/c4lgFAmFbBdIACgkQjOswMP/c
4ljEgQgAtj7WctCA7ZqOBAgcr+8NHSzxMJHbiNPDMg4bJB3xVipyQYCfyv8dNANd
33tTjDGjBN5Dn/Mp7FbxBHsTaUCcvnV11IeDq4AnVT1yrL3E1Tc4B08rQAEUSwZY
eIuO4GJTbIs79Qtj6tjILcKhKNBBezUyMRgRpq/XYZKlwdlPZkhec2tGtP3wVZCW
VlYliQfMvV4aJV2PRcVcITnFuWYvV28iI5nl466iE60MmaJOiPeJKFbXM73jiVeP
QGPljAeGWiZ9xa2a2EFbBbyyiKo1B1kvdp0wgYaeGElw/ulcbUAPpzsh4+aTaX6l
xJpnVpz9f+opD7/YpyAms4RRkQbMLQ==
=UyNU
-----END PGP SIGNATURE-----

BIN
polkit-121.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

11
polkit-121.tar.gz.sign Normal file
View File

@ -0,0 +1,11 @@
-----BEGIN PGP SIGNATURE-----
iQEzBAABCAAdFiEEf/t9a9gxR9dChOMXjOswMP/c4lgFAmLMIyMACgkQjOswMP/c
4ljnPggAirGfeho8FcKzvi8V7Gya8tHUf0eGqdlJUr8owSHx0FjTzBSATHxhFtFZ
pMPXXUkM0myKgqFQntL9ZYtM7l9MnCdS2rvEPkUg+uoJ4uJuuorsxkxaFdBOXFn9
xUSgLIpsVIVVTDLaChgbRvgZQXLO27fz3PVchLlqLIfyyiKvxBCftx+4EXZzQgor
HA0qpWFTdH1LxhhHrZibkNxBwI6uQum20fDzRiyIu5oUtRyZqRt+lBuimzFHrCLz
AOGZJANTxNVpZmpXEJqM/N93133852S2UJtCbgp4zmcnAWeBJSD5NodbVq65JzAs
4ZjD5iN/MumSAnQyKBknisT5UH5vwg==
=mLHt
-----END PGP SIGNATURE-----

17
polkit-adjust-libexec-path.patch
View File

@ -1,7 +1,5 @@
Index: polkit-0.118/src/polkitagent/polkitagentsession.c
===================================================================
--- polkit-0.118.orig/src/polkitagent/polkitagentsession.c
+++ polkit-0.118/src/polkitagent/polkitagentsession.c
--- a/src/polkitagent/polkitagentsession.c
+++ b/src/polkitagent/polkitagentsession.c
@@ -596,7 +596,7 @@ polkit_agent_session_initiate (PolkitAge
goto error;
}
@ -11,3 +9,14 @@ Index: polkit-0.118/src/polkitagent/polkitagentsession.c
helper_argv[1] = passwd->pw_name;
helper_argv[2] = NULL;
--- a/meson.build
+++ b/meson.build
@@ -28,7 +28,7 @@ pk_sysconfdir = get_option('sysconfdir')
pk_pkgdatadir = pk_datadir / pk_api_name
pk_pkgincludedir = pk_includedir / pk_api_name
# note that this is always 'lib', not lib64 or lib/x86_64-linux-gnu
-pk_libprivdir = 'lib' / pk_api_name
+pk_libprivdir = 'libexec' / pk_api_name
pk_pkgsysconfdir = pk_sysconfdir / pk_api_name
pk_actiondir = pk_api_name / 'actions'

33
polkit-fix-pam-prefix.patch Normal file
View File

@ -0,0 +1,33 @@
https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/131
build: Honour pam_prefix meson option
Make the use of pam_prefix worth its while since, at the moment, its value
is not being used. Instead, a hard-coded path is being deployed when it
shouldn't anymore.
The pam_prefix Meson option was designed to allow us to choose where pam
configuration files should end up. But at the moment it is not being used at
all where it should be.
--- a/meson.build
+++ b/meson.build
@@ -241,7 +241,7 @@ if enable_pam
pam_prefix = get_option('pam_prefix')
if pam_prefix == ''
- pam_prefix = pk_sysconfdir
+ pam_prefix = pk_sysconfdir / 'pam.d'
else
message('PAM files will be installed in prefix ' + pam_prefix)
endif
--- a/data/meson.build
+++ b/data/meson.build
@@ -22,7 +22,7 @@ if enable_pam
output: '@BASENAME@',
configuration: pam_conf,
install: true,
- install_dir: pk_sysconfdir / 'pam.d',
+ install_dir: pam_prefix,
)
endif

6
polkit-no-wheel-group.patch
View File

@ -1,7 +1,5 @@
Index: polkit-0.116/src/polkitbackend/50-default.rules
===================================================================
--- polkit-0.116.orig/src/polkitbackend/50-default.rules 2018-03-27 13:46:06.000000000 +0200
+++ polkit-0.116/src/polkitbackend/50-default.rules 2019-05-31 22:55:57.990503876 +0200
--- a/src/polkitbackend/50-default.rules
+++ b/src/polkitbackend/50-default.rules
@@ -8,5 +8,5 @@
// about configuring polkit.

50
polkit.changes
View File

@ -1,3 +1,43 @@
-------------------------------------------------------------------
Tue Aug 9 06:11:08 UTC 2022 - Luciano Santos <luc14n0@opensuse.org>
- Update to version 121:
+ Addition of duktape as a JS engine backend.
+ Other small fixes and improvements. For more details, visit:
gitlab.freedesktop.org/polkit/polkit/-/blob/121/NEWS.md
+ Updated translations.
- Drop merged-upstream patches:
+ CVE-2021-4034-pkexec-fix.patch;
+ 0001-CVE-2021-4115-GHSL-2021-077-fix.patch;
+ duktape-support.patch;
+ pkexec.patch.
- Replace Intltool with Gettext as a build requirement following
the migration from last release (0.120).
- Add Meson as a build requirement while dropping Libtool and
replace all Autotools macros with Meson ones. And pass the
following options to Meson: session_tracking=libsystemd-login;
systemdsystemunitdir=%{_unitdir}; os_type=suse;
pam_module_dir=%{_pam_moduledir}; pam_prefix=%{_pam_vendordir};
examples=true; tests=true; gtk_doc=true; man=true and
js_engine=duktape.
- Drop no longer needed Libtool as a build requirement, following
Autotools replacement.
- Add explicit pkgconfig module build requirements for glib-2.0 and
gobject-2.0 that are searched by the build scripts. They were
already being pulled by their siblings [pkgconfig(gio-2.0) and
pkgconfig(gio-unix-2.0)].
- Drop conditional macro, which was wrapping "BuildArch: noarch"
for the doc subpackage, based on long gone EOLed (open)SUSE
release (11.2).
- Add missing 'Requires(post): permissions' for the pkexec
subpackage.
- Add python3-dbus-python and python3-python-dbusmock as build
requirements in order to run test in the check section.
- Add polkit-fix-pam-prefix.patch to use the value of pam_prefix
Meson option, like it was designed to, rather than hard-coded
path for pam configuration files.
- Remove unneeded executable bit from 50-default.rules file.
-------------------------------------------------------------------
Mon Aug 8 07:28:25 UTC 2022 - Thorsten Kukuk <kukuk@suse.com>
@ -278,7 +318,7 @@ Tue Jun 7 15:25:00 UTC 2016 - fbui@suse.com
Thu Nov 26 16:26:09 UTC 2015 - meissner@suse.com
- polkit-revert-session-magic.patch: revert a session detection change
that could lead to sessions not being detected as active due to
that could lead to sessions not being detected as active due to
a systemd bug. bsc#954139
-------------------------------------------------------------------
@ -520,13 +560,13 @@ Mon Jan 9 09:33:30 UTC 2012 - vuntz@opensuse.org
-------------------------------------------------------------------
Wed Jan 4 22:03:54 UTC 2012 - crrodriguez@opensuse.org
- A quick test reveals that the systemd backend does not
- A quick test reveals that the systemd backend does not
integrate very well with packages yet, revert.
-------------------------------------------------------------------
Wed Jan 4 21:02:38 UTC 2012 - crrodriguez@opensuse.org
- Previous update missed systemd-devel in buildrequires
- Previous update missed systemd-devel in buildrequires
without it no systemd support is built
-------------------------------------------------------------------
@ -617,7 +657,7 @@ Wed Apr 6 15:40:51 UTC 2011 - fcrozat@novell.com
-------------------------------------------------------------------
Wed Mar 9 13:54:11 UTC 2011 - coolo@novell.com
- update to 0.101:
- update to 0.101:
* tons of bug fixes, see NEWS
-------------------------------------------------------------------
@ -745,7 +785,7 @@ Tue Aug 11 21:23:49 CEST 2009 - kay.sievers@novell.com
- add upstream patches:
polkit-close-stdfds.patch
polkit-no-man-spawn.patch
polkit-proc-stat-parse-fix.patch
polkit-proc-stat-parse-fix.patch
- drop rpmlint patch
-------------------------------------------------------------------

114
polkit.spec
View File

@ -16,8 +16,12 @@
#
%define _polkit_rulesdir %{_datadir}/polkit-1/rules.d
%define glib_br_version 2.30.0
%define run_tests 1
Name: polkit
Version: 0.120
Version: 121
Release: 0
Summary: PolicyKit Authorization Framework
License: LGPL-2.1-or-later
@ -28,50 +32,58 @@ Source1: https://www.freedesktop.org/software/polkit/releases/%{name}-%{v
Source2: %{name}.keyring
Source3: system-user-polkitd.conf
Source99: baselibs.conf
# Upstream First - Policy:
# Never add any patches to this package without the upstream commit id
# in the patch. Any patches added here without a very good reason to make
# an exception will be silently removed with the next version update.
# PATCH-FIX-OPENSUSE polkit-no-wheel-group.patch vuntz@opensuse.org -- In openSUSE, there's no special meaning for the wheel group, so we shouldn't allow it to be admin
Patch0: polkit-no-wheel-group.patch
# PATCH-FIX-OPENSUSE polkit-gettext.patch lnussel@suse.de -- allow fallback to gettext for polkit action translations
# polkit-use-gettext-as-fallback.patch
Patch1: polkit-gettext.patch
# PATCH-FIX-UPSTREAM pkexec.patch schwab@suse.de -- pkexec: allow --version and --help even if not setuid
Patch2: pkexec.patch
# PATCH-FIX-OPENSUSE polkit-keyinit.patch meissner@ -- bsc#1144053 Please add "pam_keyinit.so" to the /etc/pam.d/polkit-1 configuration file
Patch3: polkit-keyinit.patch
# adjust path to polkit-agent-helper-1 (bsc#1180474)
# PATCH-FIX-OPENSUSE polkit-adjust-libexec-path.patch -- Adjust path to polkit-agent-helper-1 (bsc#1180474)
Patch4: polkit-adjust-libexec-path.patch
# PATCH-FIX-UPSTREAM CVE-2021-4034-pkexec-fix.patch meissner@ -- bsc#1194568 VUL-0: CVE-2021-4034: polkit: pkexec Local Privilege Escalation aka pwnkit
Patch5: CVE-2021-4034-pkexec-fix.patch
# PATCH-FIX-UPSTREAM https://gitlab.freedesktop.org/polkit/polkit/-/commit/c7fc4e1b61f0fd82fc697c19c604af7e9fb291a2.patch, without .gitlab-ci.yml (not in the tarball)
Patch6: duktape-support.patch
# PATCH-FIX-UPSTREAM 0001-CVE-2021-4115-GHSL-2021-077-fix.patch meissner@ -- bsc#1195542 VUL-0: CVE-2021-4115: polkit: denial of service via file descriptor leak
Patch7: 0001-CVE-2021-4115-GHSL-2021-077-fix.patch
# PATCH-FIX-UPSTREAM polkit-fix-pam-prefix.patch luc14n0@opensuse.org -- Make
# intended use of pam_prefix meson option rather than hard-coded path
Patch5: polkit-fix-pam-prefix.patch
BuildRequires: gcc-c++
BuildRequires: gettext
BuildRequires: gtk-doc
BuildRequires: intltool
BuildRequires: libexpat-devel
# needed for patch1 and 2
BuildRequires: libtool
BuildRequires: meson >= 0.50
BuildRequires: pam-devel
BuildRequires: pkgconfig
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: pkgconfig(duktape) >= 2.2.0
BuildRequires: pkgconfig(gio-unix-2.0) >= 2.32.0
BuildRequires: pkgconfig(gmodule-2.0) >= 2.32.0
BuildRequires: pkgconfig(gio-unix-2.0) >= %{glib_br_version}
BuildRequires: pkgconfig(glib-2.0) >= %{glib_br_version}
BuildRequires: pkgconfig(gmodule-2.0) >= %{glib_br_version}
BuildRequires: pkgconfig(gobject-introspection-1.0) >= 0.6.2
BuildRequires: pkgconfig(libsystemd)
BuildRequires: pkgconfig(systemd)
%if 0%{?run_tests}
#################################################################
# python3-dbus-python and python3-python-dbusmock are needed for
# test-polkitbackendjsauthority test:
BuildRequires: python3-dbus-python
BuildRequires: python3-python-dbusmock
#################################################################
%endif
# gtk-doc drags indirectyly ruby in for one of the helpers. This in turn causes a build cycle.
#!BuildIgnore: ruby
Requires: dbus-1
Requires: libpolkit-agent-1-0 = %{version}-%{release}
Requires: libpolkit-gobject-1-0 = %{version}-%{release}
Requires(post): permissions
%sysusers_requires
%systemd_ordering
# Upstream First - Policy:
# Never add any patches to this package without the upstream commit id
# in the patch. Any patches added here without a very good reason to make
# an exception will be silently removed with the next version update.
%description
PolicyKit is a toolkit for defining and handling authorizations.
@ -91,9 +103,10 @@ Requires: typelib-1_0-Polkit-1_0 = %{version}
Development files for PolicyKit Authorization Framework.
%package -n pkexec
Summary: pkexec component of polkit
Summary: Pkexec component of polkit
Group: System/Libraries
Requires: %{name} = %{version}-%{release}
Requires(post): permissions
Provides: polkit:/usr/bin/pkexec
%description -n pkexec
@ -102,9 +115,7 @@ This package contains the pkexec setuid root binary part of polkit.
%package doc
Summary: Development documentation for PolicyKit
Group: Development/Libraries/C and C++
%if 0%{?suse_version} >= 1120
BuildArch: noarch
%endif
%description doc
Development documentation for PolicyKit Authorization Framework.
@ -147,39 +158,49 @@ processes.
This package provides the GObject Introspection bindings for PolicyKit.
%prep
%autosetup -p1
%autosetup -p1 -n polkit-v.%{version}
%build
# Needed for patch1 and patch2
autoreconf -fi
export SUID_CFLAGS="-fPIE"
export SUID_LDFLAGS="-z now -pie"
%configure \
--with-os-type=suse \
--enable-gtk-doc \
--disable-static \
--enable-introspection \
--enable-examples \
--enable-libsystemd-login \
--with-duktape \
%{nil}
%make_build libprivdir=%{_libexecdir}/polkit-1
%meson \
-D session_tracking=libsystemd-login \
-D systemdsystemunitdir="%{_unitdir}" \
-D os_type=suse \
-D pam_module_dir="%{_pam_moduledir}" \
-D pam_prefix="%{_pam_vendordir}" \
-D examples=true \
-D tests=true \
-D gtk_doc=true \
-D man=true \
-D js_engine=duktape \
%{nil}
%meson_build
%sysusers_generate_pre %{SOURCE3} polkit system-user-polkitd.conf
%if 0%{?run_tests}
%check
%meson_test
%endif
%install
# install explicitly into libexec. upstream has some unflexible logic for
# this executable at the moment, but there is a PR# open to fix this:
# https://gitlab.freedesktop.org/polkit/polkit/-/merge_requests/63
# once this has been resolved upstream and we update to a new release we can
# remove this and also patch4 above.
%make_install libprivdir=%{_libexecdir}/polkit-1
find %{buildroot} -type f -name "*.la" -delete -print
#
# Additional note: Upstream turned down the MR above, preferring to stick to
# using ${prefix}/lib/polkit-1 and non-distro-configurable.
%meson_install
%find_lang polkit-1
# create $HOME for polkit user
install -d %{buildroot}%{_localstatedir}/lib/polkit
%find_lang polkit-1
mkdir -p %{buildroot}%{_pam_vendordir}
mv %{buildroot}%{_sysconfdir}/pam.d/* %{buildroot}%{_pam_vendordir}/
mv %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules %{buildroot}%{_datadir}/polkit-1/rules.d/50-default.rules
# We use /usr/share as prefix for the rules.d directory
mv %{buildroot}%{_sysconfdir}/polkit-1/rules.d/50-default.rules \
%{buildroot}%{_polkit_rulesdir}/50-default.rules
# Install the polkitd user creation file:
mkdir -p %{buildroot}%{_sysusersdir}
install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
@ -221,6 +242,7 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
%{_libdir}/girepository-1.0/PolkitAgent-1.0.typelib
%files -f polkit-1.lang
%doc NEWS.md README.md
%license COPYING
%{_mandir}/man1/pkaction.1%{?ext_man}
@ -234,10 +256,11 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
%dir %{_datadir}/dbus-1/system.d
%{_datadir}/dbus-1/system.d/org.freedesktop.PolicyKit1.conf
%dir %{_datadir}/polkit-1
%{_datadir}/polkit-1/policyconfig-1.dtd
%dir %{_datadir}/polkit-1/actions
%{_datadir}/polkit-1/actions/org.freedesktop.policykit.policy
%attr(0700,polkitd,root) %dir %{_datadir}/polkit-1/rules.d
%attr(0700,polkitd,root) %{_datadir}/polkit-1/rules.d/50-default.rules
%attr(0700,polkitd,root) %dir %{_polkit_rulesdir}
%attr(0600,polkitd,root) %{_polkit_rulesdir}/50-default.rules
%{_pam_vendordir}/polkit-1
%dir %{_sysconfdir}/polkit-1
%attr(0700,polkitd,root) %dir %{_sysconfdir}/polkit-1/rules.d
@ -269,7 +292,6 @@ install -m0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/
%verify(not mode) %attr(4755,root,root) %{_bindir}/pkexec
%files doc
%doc NEWS
%doc %{_datadir}/gtk-doc/html/polkit-1/
%changelog