You are here: Home Linux Howto set Console ACLs with PolicyKit and HAL for a Palm device

Howto set Console ACLs with PolicyKit and HAL for a Palm device

by Harald Hoyer last modified Mar 28, 2008 08:50 AM
This article describes how to give the console user access to the USB devices of a Palm to sync with pilot-link without any hacky udev rules on Fedora 8.

As pointed out in https://bugzilla.redhat.com/show_bug.cgi?id=158809#c34 , the problem syncing with a palm device are the changing devices, once you press the hotsync button. Using the USB support in pilot-xfer with

$ pilot-xfer -p usb: -l

instead of the command with a kludgy /dev/pilot symlink

$ pilot-xfer -p /dev/pilot -l

fails because the USB device does not have the right permissions. With the introduction of PolicyKit and ACLs for console users in Fedora 8, we can now solve the problem in the right way.

First we create a policy type pda by creating the file /usr/share/hal/fdi/policy/10osvendor/19-palm-acl-management.fdi

# cat > /usr/share/hal/fdi/policy/10osvendor/19-palm-acl-management.fdi <<EOF
<?xml version="1.0" encoding="UTF-8"?>

<deviceinfo version="0.2">
  <device>
    <match key="info.capabilities" contains="pda">
      <match key="pda.platform" string="palm">
        <append key="info.capabilities" type="strlist">access_control</append>
        <merge key="access_control.type" type="string">pda</merge>
        <merge key="access_control.file" type="copy_property">pda.palm.hotsync_interface</merge>
      </match>
    </match>
  </device>
</deviceinfo>
EOF

Now, we have to assign this policy to the device nodes of a device. This can be done by creating policies which look like:

   <match key="usb_device.vendor_id" int="0x082d">
      <match key="usb_device.product_id" int="0x0100">
          <append key="info.capabilities" type="strlist">pda</append>
          <merge key="pda.platform" type="string">palm</merge>
          <merge key="pda.palm.hotsync_interface" type="copy_property">linux.device_file</merge>
      </match>
   </match>

An example of /usr/share/hal/fdi/policy/10osvendor/20-pda-acl-management.fdi can be installed by:

# wget -O /usr/share/hal/fdi/information/20thirdparty/10-usb-pda-palm.fdi  'https://bugzilla.redhat.com/attachment.cgi?id=294520'

Finally we prevent the "visor" module to be automatically loaded by creating the file /etc/modprobe.d/blacklist-visor, because the visor module would take over the USB device and make it a serial ttyUSB.

# echo 'blacklist visor' > /etc/modprobe.d/blacklist-visor

Now you want to restart HAL and remove the visor module:

# service haldaemon restart
# rmmod visor

With all these files in place, we can now do the

$ pilot-xfer -p usb: -l

as a normal user. That's it. No hacky udev rule involved. This example can be applied to any other device which should be accessible by a console user.

The way I read man PolicyKit.conf, it is even possible to grant access to specific groups and users permanently.

Happy Syncing!

 

Update: Active development also in https://bugzilla.redhat.com/show_bug.cgi?id=280251#c120

Not working? Read the checklist.

Filed under: , , , ,
 

Huray!

Avatar Posted by Radek at Nov 29, 2007 01:57 PM
Great, I've been waiting for an easy solution for some time. This helps me a lot.

Updated packages

Avatar Posted by Jesse Keating at Nov 29, 2007 02:01 PM
When are we going to see updated packages in Fedora so that this just works out of the box for folks? It's awesome that we have a way to do it, now we just need to do it (:

Updated packages

Avatar Posted by Harald Hoyer at Nov 29, 2007 02:03 PM
Soon. pilot-link update in preparation.

Brilliant!

Avatar Posted by Kevin Page at Nov 29, 2007 03:37 PM
Many thanks.

No Love

Avatar Posted by Phil at Nov 30, 2007 08:17 AM
Treo 700p no love.

I can see the dmesg connection entries, but pilot-xfer never talks to it.

when to press hotsync

Avatar Posted by Kevin Page at Nov 30, 2007 01:16 PM
Are you executing pilot-xfer _then_ pressing the hotsync button?
(This is the other way round to using /dev/pilot and visor)

SELinux avc denied

Avatar Posted by Patrick C. F. Ernzer at Nov 30, 2007 08:17 AM
Harald,

I got 21 of these:
type=AVC msg=audit(1196369021.569:254): avc: denied { create } for pid=21211 comm="hal-acl-tool" scontext=system_u:system_r:hald_acl_t:s0 tcontext=system_u:system_r:hald_acl_t:s0 tclass=unix_dgram_socket
type=SYSCALL msg=audit(1196369021.569:254): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bf7fbe98 a2=ad4ff4 a3=13 items=0 ppid=21128 pid=21211 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="hal-acl-tool" exe="/usr/libexec/hal-acl-tool" subj=system_u:system_r:hald_acl_t:s0 key=(null)

Guess you want to know about them.

PCFE

missing double-quote

Avatar Posted by George N. White III at Dec 07, 2007 05:54 AM
Some people who pasted the above pilot-device-file.policy missed a double-quote,
which results in messages:

Dec 3 07:32:01 X-X hal-acl-tool: libpolkit: ignoring malformed policy file: /usr/share/PolicyKit/policy/pilot-device-file.policy:4: parse error: not well-formed (invalid token)

Does hal-acl-tool process the other files after ignoring one? Bug 411321 indicates that the test update has side effects.


Errors and corrections

Avatar Posted by Kevin Page at Feb 11, 2008 04:32 PM
There are a few errors in these rules; for corrected versions and ongoing development see:
https://bugzilla.redhat.com/show_bug.cgi?id=280251

Once settled these rules should end up shipping in Fedora.

Thanks for the groundwork, Harald!

F8 Tunsten E wont sync

Avatar Posted by nyjetshead at Feb 18, 2008 05:20 AM
Thanks for the resources.
I created and installed the in the locations you mentioned the above files.
visor was blacklisted already.
Also viewed and installed the file from the bugzilla thread.
10-usb-pda.fdi

pilot-xfer -p usb: -l
Listening for incoming connection on usb:...

Just sits there and does nothing waiting for a response.

 /sbin/lsusb returns this when the palm is set to sync.

Bus 001 Device 008: ID 0830:0060 Palm, Inc. Palm Tungsten T / Zire 71

So far no luck, any ideas?
 

Problem as normal user

Avatar Posted by Chuck at Mar 09, 2008 09:08 AM
Seems to be working fine when running as root. However, just hangs waiting for usb: when running as normal user. running pilot-link 2:0.12.2-18.fc8. Have double and triple checked ACLs. Suggestions?

Better fix (sorry Hearld)

Avatar Posted by nyjetshead at Mar 28, 2008 08:23 AM
This is a better fix see below.
Read post 110 Be very careful with the file locations I put one in the wrong directory.

https://bugzilla.redhat.com/show_bug.cgi?id=280251

Re: Better fix (sorry Hearld)

Avatar Posted by Harald Hoyer at Mar 28, 2008 08:25 AM
Hearld? :)

No offence taken.

Main thing is, that the whole situation has a solution.

Re: Better fix (sorry Hearld)

Avatar Posted by Harald Hoyer at Mar 28, 2008 08:51 AM
Updated this page. Thanks!

Add comment

You can add a comment by filling out the form below. Plain text formatting.

(Required)
Please enter your name.
(Required)
(Required)
(Required)
Enter the word