Bug 853555 - New polkit seems to prevent programmatic access to libvirt management
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: polkit
Assigned To: David Zeuthen
Reported: 2012-08-31 16:28 EDT by Andy Grimm
Modified: 2013-03-05 23:08 EST (History)
Last Closed: 2012-09-04 12:39:06 EDT
Description Andy Grimm 2012-08-31 16:28:11 EDT
Description of problem:

For Fedora 16 and 17, eucalyptus used a pkla file with the following contents:

Identity=unix-group:eucalyptus
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

This allows the eucalyptus user to perform libvirt functions (launching VMs, attaching virtual disks, etc.)

I was trying to produce similar behavior in F18, but it seems that the actions defined in org.libvirt.unix.policy attempt a password prompt before it ever hits my custom rule (which I've placed in /etc/polkit-1/rules.d).  Specifically, this error ends up in /var/log/messages:

libvirtd[899]: 2012-08-31 14:11:05.522+0000: 1010: error : remoteDispatchAuthPolkit:2684 : Policy kit denied action org.libvirt.unix.manage from pid 11410, uid 1002: exit status 2
libvirtd[899]: 2012-08-31 14:11:05.522+0000: 1010: error : remoteDispatchAuthPolkit:2713 : authentication failed: Authorization requires authentication but no agent is available.
libvirtd[899]: 2012-08-31 14:11:05.523+0000: 899: error : virNetSocketReadWire:1004 : End of file while reading data: Input/output error

I can work around this by changing /usr/share/polkit-1/actions/org.libvirt.unix.policy (replacing auth_admin and auth_admin_keep with yes in a few places), but I'd like to have a better solution than that.

FWIW, my custom rule attempt is something like:

polkit.addRule(function(action, subject) {
   if (action == "org.libvirt.unix.manage") {
       polkit.log("action=" + action);
       polkit.log("subject=" + subject);
       return "yes";
   }
   return null;
});
Comment 1 Andy Grimm 2012-08-31 16:33:49 EDT
Upon re-reading the manpage, perhaps what I want is an addAdminRule?  Still, I get the same result.  Even if I move the log lines outside the if block, this code just never seems to be called.
Comment 2 David Zeuthen 2012-09-04 12:39:06 EDT
Closing as this is a question, not a bug.

To answer your questions:

 1. polkit logs are in /var/log/secure

 2. polkit authorization rules are defined in this man page
    http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

 3. looks like you want s/action.id/action/ in line 2 of the snippet in comment 0

 4. as of polkit 0.107, you should use
     'return polkit.Result.YES;' instead of 'return "yes";'
    and
     'return polkit.Result.NOT_HANDLED;' instead of 'return null;'

Hope this helps.

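The rule from comment 0 with the corrections from comment 2 applied (action.id, polkit.Result.*), shown as an added example that is not part of this bug report. It also narrows the grant to the eucalyptus group, which is what the original pkla did with Identity=unix-group:eucalyptus, so other local users still fall through to the policy's auth_admin default. The polkit object below is a constructed stand-in for the globals polkitd provides to rules files; addRule, log, Result and subject.isInGroup are the real polkit names, the evaluate/makeSubject harness is ours.

```javascript
// Constructed stand-in for the globals polkitd exposes to /etc/polkit-1/rules.d/*.rules.
// Result values mirror polkit's init.js (NOT_HANDLED is null there as well);
// the _rules array and the harness below are not part of polkit.
const polkit = {
  Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  log(msg) { /* real polkitd writes these to /var/log/secure */ },
  addRule(fn) { this._rules.push(fn); },
};

// The rule as it would sit in e.g. /etc/polkit-1/rules.d/50-eucalyptus-libvirt.rules.
// Fixes from comment 2: compare action.id (not the action object) and return
// polkit.Result.YES / NOT_HANDLED instead of "yes" / null.
// Unlike the snippet in comment 0, only members of the eucalyptus group are
// granted; everyone else is left to the policy default (auth_admin).
polkit.addRule(function (action, subject) {
  if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("eucalyptus")) {
    polkit.log("granting " + action.id + " to " + subject.user);
    return polkit.Result.YES;
  }
  return polkit.Result.NOT_HANDLED;
});

// Harness: polkitd runs addRule callbacks in order and takes the first result
// that is not NOT_HANDLED; null means no rule decided and the .policy default applies.
function evaluate(actionId, subject) {
  const action = { id: actionId };
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed subject objects; isInGroup mirrors polkit's Subject.isInGroup().
function makeSubject(user, groups) {
  return { user, isInGroup: (g) => groups.includes(g) };
}
```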