Chapter 4. PolicyKit

The PolicyKit utility is a framework that provides an authorization API used by privileged programs (also called mechanisms) offering services to unprivileged programs (also called subjects). The following sections describe the changes that PolicyKit (system name: polkit) has undergone.

4.1. Policy Configuration

As far as the new features are concerned, authorization rules are now defined in JavaScript .rules files. This means that the same files are used for defining both the rules and the administrator status. Previously, this information was stored in two different file types, *.pkla and *.conf, which used key/value pairs to define additional local authorizations.
These new .rules files are stored in two locations: polkit rules for local customization are stored in the /etc/polkit-1/rules.d/ directory, and rules shipped by third-party packages are stored in /usr/share/polkit-1/rules.d/.
The existing .conf and .pkla configuration files have been preserved and exist side by side with .rules files. polkit has been upgraded for Red Hat Enterprise Linux 7 with backward compatibility in mind.
The precedence logic for rules has changed. polkitd now reads .rules files in lexicographic order from the /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d directories. If two files have the same name, the file in /etc is processed before the file in /usr. The rules from the existing .conf and .pkla files are applied by the /etc/polkit-1/rules.d/49-polkit-pkla-compat.rules file. They can therefore be overridden by .rules files in either /usr or /etc whose names sort before 49-polkit-pkla-compat in lexicographic order. The simplest way to ensure that your old rules are not overridden is to begin the names of all other .rules files with a number higher than 49.
Here is an example of a .rules file. It creates a rule that allows members of the storage group to mount a file system on a system device. The rule is stored in the /etc/polkit-1/rules.d/10-enable-mount.rules file:

Example 4.1. Allow Mounting a File System on a System Device

polkit.addRule(function(action, subject) {
    // Grant the udisks2 system-device mount action to members of the storage group.
    if (action.id == "org.freedesktop.udisks2.filesystem-mount-system" &&
        subject.isInGroup("storage")) {
        return polkit.Result.YES;
    }
    // Any other action or subject falls through to the next rule (or the action's default).
});
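
To see how the file ordering described above decides an authorization, here is an added offline model of polkitd's rule loading (example code, not polkit's own loader): file names are sorted lexicographically with /etc before /usr on ties, every addRule() callback is registered in that order, and, as polkit(8) describes, the first callback that returns a value decides. The rule files, the stand-in for 49-polkit-pkla-compat.rules and the 50-allow-all-mounts.rules file are constructed for the example.

```javascript
// Offline model of how polkitd orders and evaluates .rules files (added example,
// not polkit's own code; Result values only mirror the polkit.Result names).
const Result = { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" };

// Lexicographic order by file name; for identical names /etc precedes /usr.
function orderRuleFiles(paths) {
  const base = (p) => p.slice(p.lastIndexOf("/") + 1);
  const rank = (p) => (p.startsWith("/etc/") ? 0 : 1);
  return [...paths].sort((a, b) =>
    base(a) < base(b) ? -1 : base(a) > base(b) ? 1 : rank(a) - rank(b));
}

// Register every addRule() callback in file order, then stop at the first
// callback that returns a value (polkit(8): the first non-null result wins).
function evaluate(files, action, subject) {
  const rules = [];
  const polkit = { Result, addRule: (fn) => rules.push(fn) };
  for (const path of orderRuleFiles(Object.keys(files))) {
    new Function("polkit", files[path])(polkit); // stand-in for polkitd's JS loader
  }
  for (const fn of rules) {
    const r = fn(action, subject);
    if (r !== undefined && r !== null) return r;
  }
  return undefined; // no rule decided; polkitd would use the action's default
}

// Constructed sample rule files. The 49- file is a stand-in for the compat file,
// pretending a legacy .pkla entry demands admin authentication for this action.
const MOUNT = "org.freedesktop.udisks2.filesystem-mount-system";
const ruleFiles = {
  "/etc/polkit-1/rules.d/10-enable-mount.rules": `
    polkit.addRule(function(action, subject) {
      if (action.id == "${MOUNT}" && subject.isInGroup("storage")) {
        return polkit.Result.YES;
      }
    });`,
  "/etc/polkit-1/rules.d/49-polkit-pkla-compat.rules": `
    polkit.addRule(function(action, subject) {
      if (action.id == "${MOUNT}") return polkit.Result.AUTH_ADMIN;
    });`,
  "/usr/share/polkit-1/rules.d/50-allow-all-mounts.rules": `
    polkit.addRule(function(action, subject) {
      if (action.id == "${MOUNT}") return polkit.Result.YES;
    });`,
};

const subjectIn = (groups) => ({ isInGroup: (g) => groups.includes(g) });
const decide = (groups) => evaluate(ruleFiles, { id: MOUNT }, subjectIn(groups));
// decide(["storage"]) -> "yes" (10- runs first); decide(["users"]) -> "auth_admin" (49- beats 50-)
```

The 50- file never gets a say for non-storage users because the compat file sorts before it, which is exactly why the chapter recommends numbering new files above 49 when the legacy rules must keep winning.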

For more information, see:

  • polkit(8) – The man page for the description of the JavaScript rules and the precedence rules.
  • pkla-admin-identities(8) and pkla-check-authorization(8) – The man pages for documentation of the .conf and .pkla file formats, respectively.