- Add desktop_admin_r and desktop_user_r groups along with a first cut of

default authorizations for users in these groups.

polkit.spec

@@ -1,7 +1,7 @@
 Summary: PolicyKit Authorization Framework
 Name: polkit
 Version: 0.94
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: LGPLv2+
 URL: http://www.freedesktop.org/wiki/Software/PolicyKit
 Source0: http://hal.freedesktop.org/releases/%{name}-%{version}.tar.gz
@@ -43,6 +43,17 @@ Requires: gtk-doc
 %description docs
 Development documentation for PolicyKit.
 
+%package desktop-policy
+Summary: Roles and default policy for desktop usage
+Group: Development/Libraries
+#Requires: %name = %{version}-%{release}
+Requires(pre): /usr/sbin/groupadd
+Requires(preun): /usr/sbin/groupdel
+BuildArch: noarch
+
+%description desktop-policy
+Roles and default policy for desktop usage.
+
 %prep
 %setup -q
 
@@ -59,6 +70,51 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/polkit-1/extensions/*.la
 
 %find_lang polkit-1
 
+###
+### BEGIN DESKTOP POLICY CONFIGURATION ###
+###
+
+cat > $RPM_BUILD_ROOT%{_sysconfdir}/polkit-1/localauthority.conf.d/60-desktop-policy.conf << EOF
+# This allows users in the desktop_admin_r group to authenticate as
+# the administrator.
+#
+# DO NOT EDIT THIS FILE, it will be overwritten on update.
+
+[Configuration]
+AdminIdentities=unix-group:desktop_admin_r
+EOF
+
+cat > $RPM_BUILD_ROOT%{_localstatedir}/lib/polkit-1/localauthority/10-vendor.d/10-desktop-policy.pkla << EOF
+# Authorizations/policy for the desktop_admin_r and desktop_user_r groups.
+#
+# DO NOT EDIT THIS FILE, it will be overwritten on update.
+
+# Allow "standard users" to do some things without being interrupted by
+# password dialogs (TODO: not complete)
+#
+[Desktop User Permissions]
+Identity=unix-group:desktop_user_r
+Action=org.gnome.clockapplet.mechanism.settimezone
+ResultAny=no
+ResultInactive=no
+ResultActive=yes
+
+# Allow "administrative users" to do a lot of things without being interrupted by
+# password dialogs (TODO: not complete)
+#
+[Desktop Administrator Permissions]
+Identity=unix-group:desktop_admin_r
+Action=org.gnome.clockapplet.mechanism.*;org.freedesktop.devicekit.disks.*;org.freedesktop.RealtimeKit1.*
+ResultAny=no
+ResultInactive=no
+ResultActive=yes
+
+EOF
+
+###
+### END DESKTOP POLICY CONFIGURATION
+###
+
 %clean
 rm -rf $RPM_BUILD_ROOT
 
@@ -66,6 +122,18 @@ rm -rf $RPM_BUILD_ROOT
 
 %postun -p /sbin/ldconfig
 
+%pre desktop-policy
+/usr/sbin/groupadd -r desktop_admin_r 2> /dev/null || :
+/usr/sbin/groupadd -r desktop_user_r 2> /dev/null || :
+
+%preun desktop-policy
+/usr/sbin/groupdel desktop_admin_r 2> /dev/null || :
+/usr/sbin/groupdel desktop_user_r 2> /dev/null || :
+
+%files desktop-policy
+%{_sysconfdir}/polkit-1/localauthority.conf.d/60-desktop-policy.conf
+%{_localstatedir}/lib/polkit-1/localauthority/10-vendor.d/10-desktop-policy.pkla
+
 %files -f polkit-1.lang
 %defattr(-,root,root,-)
 %doc COPYING
@@ -114,6 +182,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/gtk-doc/html/*
 
 %changelog
+* Thu Aug 13 2009 David Zeuthen <davidz@redhat.com> - 0.94-3
+- Add desktop_admin_r and desktop_user_r groups along with a first cut
+  of default authorizations for users in these groups.
+
 * Wed Aug 12 2009 David Zeuthen <davidz@redhat.com> - 0.94-2
 - Disable GObject Introspection for now as it breaks the build