#1 Add polkit rule to authorize zincati to perform upgrades
Merged 2 months ago by rfairley. Opened 2 months ago by rfairley.
rpms/ rfairley/rust-zincati rfairley-polkit-rule  into  master

@@ -0,0 +1,26 @@ 

+ From 6b98e164cd233fb1a68d49d2b6b9f9bf2c2dcb8a Mon Sep 17 00:00:00 2001

+ From: Robert Fairley <rfairley@redhat.com>

+ Date: Thu, 4 Jul 2019 09:21:18 -0400

+ Subject: [PATCH] dist: add polkit rule for rpm-ostree

+ 

+ Add a polkit rule to allow the `zincati` user to make `deploy` and

+ `finalize-deployment` calls to the D-Bus API exposed by rpm-ostree.

+ ---

+  dist/polkit-1/rules.d/zincati.rules | 8 ++++++++

+  1 file changed, 8 insertions(+)

+  create mode 100644 dist/polkit-1/rules.d/zincati.rules

+ 

+ diff --git a/dist/polkit-1/rules.d/zincati.rules b/dist/polkit-1/rules.d/zincati.rules

+ new file mode 100644

+ index 0000000..2171bde

+ --- /dev/null

+ +++ b/dist/polkit-1/rules.d/zincati.rules

+ @@ -0,0 +1,8 @@

+ +// Allow Zincati to deploy, and finalize a staged deployment through rpm-ostree.

+ +polkit.addRule(function(action, subject) {

+ +    if ((action.id == "org.projectatomic.rpmostree1.deploy" ||

+ +         action.id == "org.projectatomic.rpmostree1.finalize-deployment") &&

+ +        subject.user == "zincati") {

+ +        return polkit.Result.YES;

+ +    }

+ +})
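Review bot: The condition in the added rule keys only on `subject.user == "zincati"`, so every process running under that account receives `polkit.Result.YES` for `deploy` and `finalize-deployment` with no further authentication. That is a reasonable grant for a dedicated service account, but the leading comment in `zincati.rules` should say so explicitly, so that the account is not later reused for anything that should not carry upgrade rights. Minor style point: the closing `})` has no trailing semicolon.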

file modified
+11 -1

@@ -6,7 +6,7 @@ 

  

  Name:           rust-%{crate}

  Version:        0.0.2

- Release:        5%{?dist}

+ Release:        6%{?dist}

  Summary:        Update agent for Fedora CoreOS

  

  # Upstream license specification: Apache-2.0

@@ -15,12 +15,16 @@ 

  Source:         %{crates_source}

  # Initial patched metadata

  Patch0:         zincati-fix-metadata.diff

+ # Add polkit rule to authorize zincati to perform upgrades https://github.com/coreos/zincati/pull/59

+ Patch0001:      0001-dist-add-polkit-rule-for-rpm-ostree-59.patch

  

  ExclusiveArch:  %{rust_arches}

  

  BuildRequires:  rust-packaging

  BuildRequires:  systemd-rpm-macros

  

+ Requires:       %{_datadir}/polkit-1/rules.d

+ 

  %global _description %{expand:

  Update agent for Fedora CoreOS.}

  
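Review bot: `Requires: %{_datadir}/polkit-1/rules.d` declares a dependency on a directory path rather than on the package that provides it. Use `Requires: polkit` instead: the rule has no effect unless polkit is installed, and a package name is what the dependency resolver and later maintainers expect to see. Separately, `Patch0001:` sits next to `Patch0:`; pick one numbering style for the patch tags.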

@@ -47,6 +51,7 @@ 

  %{_unitdir}/zincati.service

  %{_sysusersdir}/50-zincati.conf

  %{_tmpfilesdir}/zincati.conf

+ %{_datadir}/polkit-1/rules.d/zincati.rules

  

  %pre         -n %{crate}

  %sysusers_create_package %{crate} 50-zincati.conf
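Review bot: The installed file name `zincati.rules` carries no numeric prefix, unlike `50-zincati.conf` two lines above it. polkit processes rules files in lexical order of their basename and stops at the first rule that returns a result, so where this grant sits relative to any other rule matching the rpm-ostree actions depends on how an unprefixed name happens to sort. Renaming the file with a numeric prefix would make the intended ordering explicit.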

@@ -84,6 +89,8 @@ 

    dist/sysusers.d/*.conf

  install -Dpm0644 -t %{buildroot}%{_tmpfilesdir} \

    dist/tmpfiles.d/*.conf

+ install -Dpm0644 -t %{buildroot}%{_datadir}/polkit-1/rules.d \

+   dist/polkit-1/rules.d/*.rules

  

  %if %{with check}

  %check

@@ -91,6 +98,9 @@ 

  %endif

  

  %changelog

+ * Thu Jul 04 2019 Robert Fairley <rfairley@redhat.com> - 0.0.2-6

+ - Add polkit rule to authorize zincati to perform upgrades https://github.com/coreos/zincati/pull/59

+ 

  * Tue Jul 02 2019 Robert Fairley <rfairley@redhat.com> - 0.0.2-5

  - Add missing owned directories, tidy owned files list

  

Change is brought forward from: https://github.com/coreos/zincati/pull/59

Signed-off-by: Robert Fairley <rfairley@redhat.com>

One comment, otherwise LGTM!

rebased onto 176cce2

2 months ago

Pull-Request has been merged by rfairley

2 months ago

You should not depend on a directory... Really...

@ignatenkobrain thanks - updated now to just depend on polkit.