systemd: use update-alternatives to solve conflicts with polkit

Message ID 1724833600-2270-1-git-send-email-wangmy@fujitsu.com
State New
Series systemd: use update-alternatives to solve conflicts with polkit

Commit Message

Mingyu Wang (Fujitsu) Aug. 28, 2024, 8:26 a.m. UTC
From: Wang Mingyu <wangmy@fujitsu.com>

Error: Transaction test error:
  file /usr/share/polkit-1/rules.d conflicts between attempted installs of polkit-125-r0.core2_64 and systemd-1:256.5-r0.core2_64

polkit also uses the doc '/usr/share/polkit-1/rules.d'.
polkit has a priority of 100.

Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
---
 meta/recipes-core/systemd/systemd_256.5.bb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

Comments

Alexander Kanavin Aug. 28, 2024, 8:35 a.m. UTC | #1
This is really not the right way to resolve the issue: both recipes
install files into this directory and expect those files to be present
where they put them.

Is the real solution installing systemd or polkit but not both maybe?
Or if you need both, then you should look into why package manager
thinks they conflict in trying to create that directory.

Alex

On Wed, 28 Aug 2024 at 10:26, wangmy via lists.openembedded.org
<wangmy=fujitsu.com@lists.openembedded.org> wrote:
>
> From: Wang Mingyu <wangmy@fujitsu.com>
>
> Error: Transaction test error:
>   file /usr/share/polkit-1/rules.d conflicts between attempted installs of polkit-125-r0.core2_64 and systemd-1:256.5-r0.core2_64
>
> polkit also uses the doc '/usr/share/polkit-1/rules.d'.
> polkit has a priority of 100.
>
> Signed-off-by: Wang Mingyu <wangmy@fujitsu.com>
> ---
>  meta/recipes-core/systemd/systemd_256.5.bb | 6 +++++-
>  1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/systemd/systemd_256.5.bb b/meta/recipes-core/systemd/systemd_256.5.bb
> index ee656c81e5..1c408d075f 100644
> --- a/meta/recipes-core/systemd/systemd_256.5.bb
> +++ b/meta/recipes-core/systemd/systemd_256.5.bb
> @@ -848,7 +848,7 @@ python do_warn_musl() {
>  }
>  addtask warn_musl before do_configure
>
> -ALTERNATIVE:${PN} = "halt reboot shutdown poweroff runlevel ${@bb.utils.contains('PACKAGECONFIG', 'resolved', 'resolv-conf', '', d)}"
> +ALTERNATIVE:${PN} = "halt reboot shutdown poweroff runlevel rules.d ${@bb.utils.contains('PACKAGECONFIG', 'resolved', 'resolv-conf', '', d)}"
>
>  ALTERNATIVE_TARGET[resolv-conf] = "${sysconfdir}/resolv-conf.systemd"
>  ALTERNATIVE_LINK_NAME[resolv-conf] = "${sysconfdir}/resolv.conf"
> @@ -874,6 +874,10 @@ ALTERNATIVE_TARGET[runlevel] = "${base_bindir}/systemctl"
>  ALTERNATIVE_LINK_NAME[runlevel] = "${base_sbindir}/runlevel"
>  ALTERNATIVE_PRIORITY[runlevel] ?= "300"
>
> +ALTERNATIVE_TARGET[rules.d] = "${datadir_native}/polkit-1/rules.d"
> +ALTERNATIVE_LINK_NAME[rules.d] = "${datadir_native}/polkit-1/rules.d"
> +ALTERNATIVE_PRIORITY[rules.d] ?= "50"
> +
>  pkg_postinst:${PN}:libc-glibc () {
>         if ${@bb.utils.contains('PACKAGECONFIG', 'myhostname', 'true', 'false', d)}; then
>                 sed -e '/^hosts:/s/\s*\<myhostname\>//' \
> --
> 2.34.1
>
>
Mingyu Wang (Fujitsu) Aug. 28, 2024, 9:04 a.m. UTC | #2
The name /usr/share/polkit-1/rules.d is the same, but the files contained in the path are different.
What methods can be chosen to solve this problem in this situation?

  --
Best Regards
---------------------------------------------------
Wang Mingyu
FUJITSU NANJING SOFTWARE TECHNOLOGY CO., LTD. (FNST)
No.6 Wenzhu Road, Nanjing, 210012, China
TEL:+86+25-86630566--8568
COINS: 79988548
FAX: +86+25-83317685
MAIL: wangmy@fujitsu.com

Alexander Kanavin Aug. 28, 2024, 9:14 a.m. UTC | #3
On Wed, 28 Aug 2024 at 11:04, Mingyu Wang (Fujitsu) <wangmy@fujitsu.com> wrote:
>
> The name /usr/share/polkit-1/rules.d is the same, but the files contained in the path are different.
> What methods can be chosen to solve this problem in this situation?

Are you using package_rpm and dnf to compose the image? If so, you can
look at the spec files used to produce the packages in ${WORKDIR} of
systemd and polkit to see how /usr/share/polkit-1/rules.d is specified
in both. It might be that permissions or ownership are different and
dnf can't resolve that.

Alex
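
The spec-file comparison suggested above, as an added example that is not part of the original thread: a Python sketch that parses `%attr(...) %dir` entries from RPM spec text and reports directories packaged by more than one package with differing mode or ownership. The function names are hypothetical, and the sample input is constructed from the two `rules.d` lines reported later in this thread plus an invented non-conflicting directory.

```python
import re
import sys
from collections import defaultdict
from pathlib import Path

# Spec %files entry as quoted in this thread:
#   %attr(700,polkitd,root) %dir "/usr/share/polkit-1/rules.d"
DIR_ENTRY = re.compile(
    r'^\s*%attr\(\s*([0-7-]+)\s*,\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)'
    r'\s+%dir\s+"?([^"\s]+)"?\s*$'
)

# Constructed sample: the rules.d lines are the two reported in the thread,
# the /usr/share/polkit-1 lines are invented to show a non-conflicting share.
SAMPLE_SPECS = {
    "systemd": '%attr(700,polkitd,root) %dir "/usr/share/polkit-1/rules.d"\n'
               '%attr(755,root,root) %dir "/usr/share/polkit-1"\n',
    "polkit": '%attr(755,root,root) %dir "/usr/share/polkit-1/rules.d"\n'
              '%attr(755,root,root) %dir "/usr/share/polkit-1"\n',
}

def parse_dir_attrs(spec_text):
    """Return {path: (mode, user, group)} for each %attr(...) %dir line."""
    found = {}
    for line in spec_text.splitlines():
        m = DIR_ENTRY.match(line)
        if m:
            mode, user, group, path = m.groups()
            found[path] = (mode, user, group)
    return found

def find_dir_conflicts(specs):
    """specs maps package name -> spec text. Return {path: {pkg: attrs}} for
    directories packaged by two or more packages with differing attributes."""
    owners = defaultdict(dict)
    for pkg, text in specs.items():
        for path, attrs in parse_dir_attrs(text).items():
            owners[path][pkg] = attrs
    return {p: o for p, o in owners.items()
            if len(o) > 1 and len(set(o.values())) > 1}

def differing_fields(pkgs):
    """Name which of mode/user/group disagree across the owning packages."""
    columns = zip(*pkgs.values())
    return [n for n, col in zip(("mode", "user", "group"), columns)
            if len(set(col)) > 1]

if __name__ == "__main__":
    # Pass spec file paths on the command line, or run with none for the sample.
    specs = {Path(a).stem: Path(a).read_text() for a in sys.argv[1:]} or SAMPLE_SPECS
    for path, pkgs in find_dir_conflicts(specs).items():
        print(path, differing_fields(pkgs), pkgs)
```

Run against the generated spec files in each recipe's `${WORKDIR}`, this lists every shared directory whose attributes disagree, not only the one dnf happened to report first.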
Mingyu Wang (Fujitsu) Aug. 29, 2024, 1:22 a.m. UTC | #4
| Are you using package_rpm and dnf to compose the image? 
Yes.

I checked the permissions of rules.d; they are different:

systemd: %attr(700,polkitd,root) %dir "/usr/share/polkit-1/rules.d" 
polkit:  %attr(755,root,root) %dir "/usr/share/polkit-1/rules.d"

If the permissions need to be unified, which one should they be unified into?

  --
Best Regards
---------------------------------------------------
Wang Mingyu
FUJITSU NANJING SOFTWARE TECHNOLOGY CO., LTD. (FNST)
No.6 Wenzhu Road, Nanjing, 210012, China
TEL:+86+25-86630566--8568
COINS: 79988548
FAX: +86+25-83317685
MAIL: wangmy@fujitsu.com

Khem Raj Aug. 29, 2024, 1:46 a.m. UTC | #5
On Wed, Aug 28, 2024 at 6:22 PM wangmy via lists.openembedded.org
<wangmy=fujitsu.com@lists.openembedded.org> wrote:

> | Are you using package_rpm and dnf to compose the image?
> Yes.
>
> I checked the permissions of rules.d; they are different:
>
> systemd: %attr(700,polkitd,root) %dir "/usr/share/polkit-1/rules.d"
> polkit:  %attr(755,root,root) %dir "/usr/share/polkit-1/rules.d"
>
> If the permissions need to be unified, which one should they be unified into?
>

Stricter is better so 700 seems good from security pov but we need to
ensure it works with polkit

ChenQi Aug. 29, 2024, 2 a.m. UTC | #6
Hi Khem, the owner/permission change is from the following commit in meta-oe:

commit 6da0fd21c900e32a0693a6b27d38182f19c8c76c
Author: Luca Boccassi <bluca@debian.org>
Date:   Mon Aug 12 12:15:40 2024 +0100

    polkit: stop overriding DAC on /usr/share/polkit-1/rules.d

    This is no longer required by upstream for data in /usr/, as it ships
    in packages so there's no point hiding its content. Still required for
    /etc/ as that's for local modifications.

So either other recipes (e.g., systemd) adapt to this change, or we revert this change.

Regards,
Qi

Patch

diff --git a/meta/recipes-core/systemd/systemd_256.5.bb b/meta/recipes-core/systemd/systemd_256.5.bb
index ee656c81e5..1c408d075f 100644
--- a/meta/recipes-core/systemd/systemd_256.5.bb
+++ b/meta/recipes-core/systemd/systemd_256.5.bb
@@ -848,7 +848,7 @@  python do_warn_musl() {
 }
 addtask warn_musl before do_configure
 
-ALTERNATIVE:${PN} = "halt reboot shutdown poweroff runlevel ${@bb.utils.contains('PACKAGECONFIG', 'resolved', 'resolv-conf', '', d)}"
+ALTERNATIVE:${PN} = "halt reboot shutdown poweroff runlevel rules.d ${@bb.utils.contains('PACKAGECONFIG', 'resolved', 'resolv-conf', '', d)}"
 
 ALTERNATIVE_TARGET[resolv-conf] = "${sysconfdir}/resolv-conf.systemd"
 ALTERNATIVE_LINK_NAME[resolv-conf] = "${sysconfdir}/resolv.conf"
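
Review bot: the `rules.d` entry added to `ALTERNATIVE:${PN}` names a directory that, per the thread, both systemd and polkit install rule files into, while every other entry on that line (halt, reboot, shutdown, poweroff, runlevel, resolv-conf) is a single file. An alternative makes one provider's copy visible at the link path at a time, so the other package's rules would no longer be at the location where it installed them; since these are polkit authorization rules, the commit message should say which set is expected to be active, or the entry should be dropped in favour of aligning the `%dir` attributes the two packages declare (700 polkitd:root vs 755 root:root, as reported in the thread).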
@@ -874,6 +874,10 @@  ALTERNATIVE_TARGET[runlevel] = "${base_bindir}/systemctl"
 ALTERNATIVE_LINK_NAME[runlevel] = "${base_sbindir}/runlevel"
 ALTERNATIVE_PRIORITY[runlevel] ?= "300"
 
+ALTERNATIVE_TARGET[rules.d] = "${datadir_native}/polkit-1/rules.d"
+ALTERNATIVE_LINK_NAME[rules.d] = "${datadir_native}/polkit-1/rules.d"
+ALTERNATIVE_PRIORITY[rules.d] ?= "50"
+
 pkg_postinst:${PN}:libc-glibc () {
 	if ${@bb.utils.contains('PACKAGECONFIG', 'myhostname', 'true', 'false', d)}; then
 		sed -e '/^hosts:/s/\s*\<myhostname\>//' \
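
Review bot: `ALTERNATIVE_PRIORITY[rules.d] ?= "50"` sits below the priority of 100 that the commit message gives for polkit, so on an image with both packages the link at `/usr/share/polkit-1/rules.d` would go to polkit's provider and the rules systemd ships would be the ones displaced; please state that this is intended and what systemd loses. The two path lines also use `${datadir_native}`, whereas the neighbouring entries use `${sysconfdir}`, `${base_bindir}` and `${base_sbindir}`; if the target's share directory is meant, `${datadir}` would match that convention. Neither line addresses the mode and owner mismatch on the directory that the thread later identifies as the cause of the dnf conflict.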