Description of problem:

For Fedora 16 and 17, eucalyptus used a pkla file with the following contents:

Identity=unix-group:eucalyptus
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

This allows the eucalyptus user to perform libvirt functions (launching VMs, attaching virtual disks, etc.).

I was trying to produce similar behavior in F18, but it seems that the actions defined in org.libvirt.unix.policy attempt a password prompt before it ever hits my custom rule (which I've placed in /etc/polkit-1/rules.d). Specifically, this error ends up in /var/log/messages:

libvirtd[899]: 2012-08-31 14:11:05.522+0000: 1010: error : remoteDispatchAuthPolkit:2684 : Policy kit denied action org.libvirt.unix.manage from pid 11410, uid 1002: exit status 2
libvirtd[899]: 2012-08-31 14:11:05.522+0000: 1010: error : remoteDispatchAuthPolkit:2713 : authentication failed: Authorization requires authentication but no agent is available.
libvirtd[899]: 2012-08-31 14:11:05.523+0000: 899: error : virNetSocketReadWire:1004 : End of file while reading data: Input/output error

I can work around this by changing /usr/share/polkit-1/actions/org.libvirt.unix.policy (replacing auth_admin and auth_admin_keep with yes in a few places), but I'd like to have a better solution than that.

FWIW, my custom rule attempt is something like:

polkit.addRule(function(action, subject) {
    if (action == "org.libvirt.unix.manage") {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
        return "yes";
    }
    return null;
});
Upon re-reading the manpage, perhaps what I want is an addAdminRule? Still, I get the same result. Even if I move the log lines outside the if block, this code just never seems to be called.
Closing as this is a question, not a bug. To answer your questions:

1. polkit logs are in /var/log/secure
2. polkit authorization rules are defined in this man page: http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html
3. looks like you want s/action.id/action/ in line 2 of the snippet in comment 0
4. as of polkit 0.107, you should use 'return polkit.Result.YES;' instead of 'return "yes";' and 'return polkit.Result.NOT_HANDLED;' instead of 'return null;'

Hope this helps.
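
Added example (not part of the original bug report and not the project's own code): a rules.d rule that mirrors the F16/F17 pkla entry by matching on action.id, limiting the grant to the eucalyptus group with subject.isInGroup(), and returning the polkit.Result constants. The polkit stand-in, makeSubject, evaluate and the fallback default are constructed assumptions so the rule can be exercised under Node.js; only the polkit.addRule(...) call belongs in the rules file.

```javascript
// Stand-in for the object polkitd exposes to rules files (constructed for
// this example so the rule can be exercised outside polkitd).
const rules = [];
const polkit = {
  Result: { YES: "yes", NOT_HANDLED: null },
  addRule: (fn) => rules.push(fn),
  log: (msg) => console.log("polkit: " + msg),
};

// ---- body of the rules file placed in /etc/polkit-1/rules.d ----
polkit.addRule(function (action, subject) {
  // action is an object; the action name is its id property.
  if (action.id == "org.libvirt.unix.manage" &&
      subject.isInGroup("eucalyptus")) {
    polkit.log("granting " + action.id + " to " + subject.user);
    return polkit.Result.YES;
  }
  // Let other rules, or the defaults in the .policy file, decide.
  return polkit.Result.NOT_HANDLED;
});
// ---- end of rules file ----

// Hypothetical helper: a constructed subject with the fields the rule uses.
function makeSubject(user, groups) {
  return { user, groups, isInGroup: (g) => groups.includes(g) };
}

// Hypothetical helper: the first rule that returns a result wins; if none
// does, the action's implicit default from its .policy file applies.
function evaluate(actionId, subject, implicitDefault) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== null && result !== undefined) return result;
  }
  return implicitDefault;
}

// Constructed sample subjects; "auth_admin_keep" stands for the default
// the report says org.libvirt.unix.policy uses.
const member = makeSubject("eucalyptus", ["eucalyptus"]);
const outsider = makeSubject("alice", ["users"]);
console.log(evaluate("org.libvirt.unix.manage", member, "auth_admin_keep"));
console.log(evaluate("org.libvirt.unix.manage", outsider, "auth_admin_keep"));
```

Scoping the grant with subject.isInGroup() keeps the rule as narrow as the old Identity=unix-group:eucalyptus line, instead of returning YES for every caller of the action.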