
Howto set Console ACLs with PolicyKit and HAL for a Palm device

by Harald Hoyer last modified Mar 28, 2008 09:50

This article describes how to give the console user access to the USB devices of a Palm to sync with pilot-link without any hacky udev rules on Fedora 8.

As pointed out in https://bugzilla.redhat.com/show_bug.cgi?id=158809#c34 , the problem with syncing a Palm device is that the devices change once you press the hotsync button. Using the USB support in pilot-xfer with

$ pilot-xfer -p usb: -l

instead of the command with a kludgy /dev/pilot symlink

$ pilot-xfer -p /dev/pilot -l

fails because the USB device does not have the right permissions. With the introduction of PolicyKit and ACLs for console users in Fedora 8, we can now solve the problem in the right way.

First, we create a policy type pda by creating the file /usr/share/hal/fdi/policy/10osvendor/19-palm-acl-management.fdi:

# cat > /usr/share/hal/fdi/policy/10osvendor/19-palm-acl-management.fdi <<EOF
<?xml version="1.0" encoding="UTF-8"?>

<deviceinfo version="0.2">
  <device>
    <match key="info.capabilities" contains="pda">
      <match key="pda.platform" string="palm">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.type" type="string">pda</merge>
        <merge key="access_control.file" type="copy_property">pda.palm.hotsync_interface</merge>
      </match>
    </match>
  </device>
</deviceinfo>
EOF

Now, we have to assign this policy to the device nodes of a device. This can be done by creating policies which look like:

   <match key="usb_device.vendor_id" int="0x082d">
     <match key="usb_device.product_id" int="0x0100">
       <append key="info.capabilities" type="strlist">pda</append>
       <merge key="pda.platform" type="string">palm</merge>
       <merge key="pda.palm.hotsync_interface" type="copy_property">linux.device_file</merge>
     </match>
   </match>

An example of /usr/share/hal/fdi/policy/10osvendor/20-pda-acl-management.fdi can be installed by:

# wget -O /usr/share/hal/fdi/information/20thirdparty/10-usb-pda-palm.fdi  'https://bugzilla.redhat.com/attachment.cgi?id=294520'

Finally, we prevent the "visor" module from being loaded automatically by creating the file /etc/modprobe.d/blacklist-visor, because the visor module would take over the USB device and make it a serial ttyUSB.

# echo 'blacklist visor' > /etc/modprobe.d/blacklist-visor

Now you want to restart HAL and remove the visor module:

# service haldaemon restart
# rmmod visor

With all these files in place, we can now run

$ pilot-xfer -p usb: -l

as a normal user. That's it. No hacky udev rule involved. This example can be applied to any other device which should be accessible by a console user.
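A pre-flight check for the FDI files above, as an added example that is not part of the original article or of HAL: it confirms that a file is still well-formed after pasting and that the access_control capability is appended only inside a <match> and together with access_control.type and access_control.file. The function name lint_fdi and the rules it applies are assumptions modelled on the structure of the article's FDI, and both sample documents are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the access-control FDI shown in this article.
GOOD_FDI = """<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
  <device>
    <match key="info.capabilities" contains="pda">
      <match key="pda.platform" string="palm">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.type" type="string">pda</merge>
        <merge key="access_control.file" type="copy_property">pda.palm.hotsync_interface</merge>
      </match>
    </match>
  </device>
</deviceinfo>
"""
# Constructed sample: the same file with one double-quote lost while pasting.
BROKEN_FDI = GOOD_FDI.replace('contains="pda"', 'contains="pda', 1)

def lint_fdi(text):
    """Return a list of problems in one FDI document (empty list means OK)."""
    try:
        root = ET.fromstring(text.encode("utf-8"))
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    problems = []

    def walk(node, match_keys):
        # Does this scope append the access_control capability?
        grants = any(c.tag == "append" and c.get("key") == "info.capabilities"
                     and (c.text or "").strip() == "access_control" for c in node)
        if grants:
            merged = {c.get("key") for c in node if c.tag == "merge"}
            for key in ("access_control.type", "access_control.file"):
                if key not in merged:
                    problems.append("access_control granted without " + key)
            if not match_keys:  # assumption: an unscoped grant is too broad
                problems.append("access_control granted outside any <match>")
        for child in node:
            if child.tag == "match":
                walk(child, match_keys + [child.get("key")])
            elif child.tag == "device":
                walk(child, match_keys)

    walk(root, [])
    return problems

if __name__ == "__main__":
    for name, doc in (("good", GOOD_FDI), ("broken", BROKEN_FDI)):
        print(name, lint_fdi(doc) or "OK")
```

Running it over each new .fdi file before restarting haldaemon catches a pasted file that no longer parses, and a grant that is not tied to a device match.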

The way I read man PolicyKit.conf, it is even possible to grant access to specific groups and users permanently.

Happy Syncing!

 

Update: Active development also in https://bugzilla.redhat.com/show_bug.cgi?id=280251#c120

Not working? Read the checklist.


Hurray!

Posted by Radek at Nov 29, 2007 14:57
Great, I've been waiting for an easy solution for some time. This helps me a lot.

Updated packages

Posted by Jesse Keating at Nov 29, 2007 15:01
When are we going to see updated packages in Fedora so that this just works out of the box for folks? It's awesome that we have a way to do it, now we just need to do it (:

Updated packages

Posted by Harald Hoyer at Nov 29, 2007 15:03
Soon. pilot-link update in preparation.

Brilliant!

Posted by Kevin Page at Nov 29, 2007 16:37
Many thanks.

No Love

Posted by Phil at Nov 30, 2007 09:17
Treo 700p no love.

I can see the dmesg connection entries, but pilot-xfer never talks to it.

when to press hotsync

Posted by Kevin Page at Nov 30, 2007 14:16
Are you executing pilot-xfer _then_ pressing the hotsync button?
(This is the other way round to using /dev/pilot and visor)

SELinux avc denied

Posted by Patrick C. F. Ernzer at Nov 30, 2007 09:17
Harald,

I got 21 of these:
type=AVC msg=audit(1196369021.569:254): avc: denied { create } for pid=21211 comm="hal-acl-tool" scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1196369021.569:254): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf7fbe98 a2=ad4ff4 a3=13 items=0 ppid=21128 pid=21211 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)

Guess you want to know about them.

PCFE

missing double-quote

Posted by George N. White III at Dec 07, 2007 06:54
Some people who pasted the above pilot-device-file.policy missed a double-quote,
which results in messages:

Dec 3 07:32:01 X-X hal-acl-tool: libpolkit: ignoring malformed policy file: /usr/share/PolicyKit/policy/pilot-device-file.policy:4: parse error: not well-formed (invalid token)

Does hal-acl-tool process the other files after ignoring one? Bug 411321 indicates that the test update has side effects.


Errors and corrections

Posted by Kevin Page at Feb 11, 2008 17:32
There are a few errors in these rules; for corrected versions and ongoing development see:
https://bugzilla.redhat.com/show_bug.cgi?id=280251

Once settled these rules should end up shipping in Fedora.

Thanks for the groundwork, Harald!

F8 Tungsten E won't sync

Posted by nyjetshead at Feb 18, 2008 06:20
Thanks for the resources.
I created and installed the above files in the locations you mentioned.
visor was blacklisted already.
Also viewed and installed the file from the bugzilla thread.
10-usb-pda.fdi

pilot-xfer -p usb: -l
Listening for incoming connection on usb:...

Just sits there and does nothing waiting for a response.

 /sbin/lsusb returns this when the palm is set to sync.

Bus 001 Device 008: ID 0830:0060 Palm, Inc. Palm Tungsten T / Zire 71

So far no luck, any ideas?
 

Problem as normal user

Posted by Chuck at Mar 09, 2008 10:08
Seems to be working fine when running as root. However, just hangs waiting for usb: when running as normal user. Running pilot-link 2:0.12.2-18.fc8. Have double and triple checked ACLs. Suggestions?

Better fix (sorry Hearld)

Posted by nyjetshead at Mar 28, 2008 09:23
This is a better fix; see below.
Read post 110. Be very careful with the file locations; I put one in the wrong directory.

https://bugzilla.redhat.com/show_bug.cgi?id=280251

Re: Better fix (sorry Hearld)

Posted by Harald Hoyer at Mar 28, 2008 09:25
Hearld? :)

No offence taken.

Main thing is that the whole situation has a solution.

Re: Better fix (sorry Hearld)

Posted by Harald Hoyer at Mar 28, 2008 09:51
Updated this page. Thanks!