Bug 853555

Summary: New polkit seems to prevent programmatic access to libvirt management
Product: [Fedora] Fedora
Reporter: Andy Grimm <agrimm>
Component: polkit
Assignee: David Zeuthen <davidz>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 18
CC: davidz, jgoulding, mclasen
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-09-04 16:39:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Andy Grimm 2012-08-31 20:28:11 UTC
Description of problem:

For Fedora 16 and 17, eucalyptus used a pkla file with the following contents:

Identity=unix-group:eucalyptus
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

This allows the eucalyptus user to perform libvirt functions (launching VMs, attaching virtual disks, etc.).

I was trying to produce similar behavior in F18, but it seems that the actions defined in org.libvirt.unix.policy attempt a password prompt before it ever hits my custom rule (which I've placed in /etc/polkit-1/rules.d).  Specifically, this error ends up in /var/log/messages:

libvirtd[899]: 2012-08-31 14:11:05.522+0000: 1010: error : remoteDispatchAuthPolkit:2684 : Policy kit denied action org.libvirt.unix.manage from pid 11410, uid 1002: exit status 2
libvirtd[899]: 2012-08-31 14:11:05.522+0000: 1010: error : remoteDispatchAuthPolkit:2713 : authentication failed: Authorization requires authentication but no agent is available.
libvirtd[899]: 2012-08-31 14:11:05.523+0000: 899: error : virNetSocketReadWire:1004 : End of file while reading data: Input/output error

I can work around this by changing /usr/share/polkit-1/actions/org.libvirt.unix.policy (replacing auth_admin and auth_admin_keep with yes in a few places), but I'd like to have a better solution than that.

FWIW, my custom rule attempt is something like:

polkit.addRule(function(action, subject) {
   if (action == "org.libvirt.unix.manage") {
       polkit.log("action=" + action);
       polkit.log("subject=" + subject);
       return "yes";
   }
   return null;
});

Comment 1 Andy Grimm 2012-08-31 20:33:49 UTC
Upon re-reading the manpage, perhaps what I want is an addAdminRule?  Still, I get the same result.  Even if I move the log lines outside the if block, this code just never seems to be called.

Comment 2 David Zeuthen 2012-09-04 16:39:06 UTC
Closing as this is a question, not a bug.

To answer your questions:

 1. polkit logs are in /var/log/secure

 2. polkit authorization rules are defined in this man page
    http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

 3. looks like you want s/action.id/action/ in line 2 of the snippet in comment 0

 4. as of polkit 0.107, you should use
     'return polkit.Result.YES;' instead of 'return "yes";'
    and
     'return polkit.Result.NOT_HANDLED;' instead of 'return null;'

Hope this helps.
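The following is an added example, not code from the bug report, from eucalyptus, or from polkit itself. It writes the .pkla grant from the description as a polkit 0.107+ rules.d rule with the corrections from comment 2 applied (compare action.id rather than the action object, return polkit.Result.YES / polkit.Result.NOT_HANDLED), and restricts the grant to members of the eucalyptus group so other users still fall through to the auth_admin defaults in org.libvirt.unix.policy. The `polkit` object and the `evaluate`/`makeSubject` helpers are a constructed stand-in for polkitd's JavaScript environment so the rule can be exercised in Node; the file name 50-eucalyptus-libvirt.rules is an assumption, and only the polkit.addRule(...) call belongs in the real file.

```javascript
// Added example: polkit rules.d rule for the eucalyptus/libvirt case, with a
// constructed shim of polkitd's JS globals so it can be run and checked in Node.

// ---- constructed shim of the polkitd environment (not the real daemon) ----
const rules = [];
const polkit = {
  // String values as used by polkit's init.js (assumption; shim only).
  Result: {
    NO: "no", YES: "yes",
    AUTH_SELF: "auth_self", AUTH_SELF_KEEP: "auth_self_keep",
    AUTH_ADMIN: "auth_admin", AUTH_ADMIN_KEEP: "auth_admin_keep",
    NOT_HANDLED: null,
  },
  addRule: (fn) => { rules.push(fn); },
  // polkitd would write these to the system log (/var/log/secure per comment 2).
  log: (msg) => { /* silent in the shim */ },
};

// ---- the rule as it would appear in /etc/polkit-1/rules.d/50-eucalyptus-libvirt.rules ----
polkit.addRule(function (action, subject) {
  // `action` is an object; the identifier to compare is action.id.
  // The old .pkla had ResultAny/ResultInactive/ResultActive all "yes", so the
  // rule deliberately does not look at subject.active or subject.local.
  if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("eucalyptus")) {
    polkit.log("org.libvirt.unix.manage granted to user " + subject.user);
    return polkit.Result.YES;
  }
  // Everything else is left to later rules and then to the .policy defaults,
  // so unrelated users keep the auth_admin prompt instead of a silent grant.
  return polkit.Result.NOT_HANDLED;
});

// ---- test helpers (constructed): a subject like polkitd's, and an evaluator ----
function makeSubject(user, groups) {
  return {
    user: user,
    groups: groups,
    isInGroup: (g) => groups.indexOf(g) !== -1,
  };
}

// polkitd evaluates rules in order; the first result other than NOT_HANDLED wins,
// and NOT_HANDLED from every rule means the action's .policy defaults apply.
function evaluate(actionId, subject) {
  const action = { id: actionId };
  for (const rule of rules) {
    const r = rule(action, subject);
    if (r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed sample subjects: a eucalyptus service account and an ordinary user.
const eucalyptusUser = makeSubject("eucalyptus", ["eucalyptus"]);
const ordinaryUser = makeSubject("bob", ["users"]);

console.log("eucalyptus manage:", evaluate("org.libvirt.unix.manage", eucalyptusUser)); // "yes"
console.log("bob manage:", evaluate("org.libvirt.unix.manage", ordinaryUser));          // null
console.log("eucalyptus monitor:", evaluate("org.libvirt.unix.monitor", eucalyptusUser)); // null
```

Checking the group rather than granting on action id alone is what keeps this equivalent to the original Identity=unix-group:eucalyptus line; without it the rule would hand org.libvirt.unix.manage to every uid, which is the same over-broad effect as editing auth_admin to yes in the .policy file. Returning NOT_HANDLED for everything else is also what makes the rule safe to drop in alongside other rules.d files.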