Bug 853555 - New polkit seems to prevent programmatic access to libvirt management
Summary: New polkit seems to prevent programmatic access to libvirt management
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: polkit
Version: 18
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: David Zeuthen
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-08-31 20:28 UTC by Andy Grimm
Modified: 2016-11-08 03:46 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-09-04 16:39:06 UTC
Type: Bug
Embargoed:



Description Andy Grimm 2012-08-31 20:28:11 UTC
Description of problem:

For Fedora 16 and 17, eucalyptus used a pkla file with the following contents:

Identity=unix-group:eucalyptus
Action=org.libvirt.unix.manage
ResultAny=yes
ResultInactive=yes
ResultActive=yes

This allows the eucalyptus user to perform libvirt functions (launching VMs, attaching virtual disks, etc.)

I was trying to produce similar behavior in F18, but it seems that the actions defined in org.libvirt.unix.policy attempt a password prompt before it ever hits my custom rule (which I've placed in /etc/polkit-1/rules.d).  Specifically, this error ends up in /var/log/messages:

libvirtd[899]: 2012-08-31 14:11:05.522+0000: 1010: error : remoteDispatchAuthPolkit:2684 : Policy kit denied action org.libvirt.unix.manage from pid 11410, uid 1002: exit status 2
libvirtd[899]: 2012-08-31 14:11:05.522+0000: 1010: error : remoteDispatchAuthPolkit:2713 : authentication failed: Authorization requires authentication but no agent is available.
libvirtd[899]: 2012-08-31 14:11:05.523+0000: 899: error : virNetSocketReadWire:1004 : End of file while reading data: Input/output error

I can work around this by changing /usr/share/polkit-1/actions/org.libvirt.unix.policy (replacing auth_admin and auth_admin_keep with yes in a few places), but I'd like to have a better solution than that.

FWIW, my custom rule attempt is something like:

polkit.addRule(function(action, subject) {
   if (action == "org.libvirt.unix.manage") {
       polkit.log("action=" + action);
       polkit.log("subject=" + subject);
       return "yes";
   }
   return null;
});

Comment 1 Andy Grimm 2012-08-31 20:33:49 UTC
Upon re-reading the manpage, perhaps what I want is an addAdminRule?  Still, I get the same result.  Even if I move the log lines outside the if block, this code just never seems to be called.

Comment 2 David Zeuthen 2012-09-04 16:39:06 UTC
Closing as this is a question, not a bug.

To answer your questions:

 1. polkit logs are in /var/log/secure

 2. polkit authorization rules are defined in this man page
    http://www.freedesktop.org/software/polkit/docs/latest/polkit.8.html

 3. looks like you want s/action.id/action/ in line 2 of the snippet in comment 0

 4. as of polkit 0.107, you should use
     'return polkit.Result.YES;' instead of 'return "yes";'
    and
     'return polkit.Result.NOT_HANDLED;' instead of 'return null;'

Hope this helps.
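Putting comment 2's points together, the rule below is an added example (not code from the bug report or from eucalyptus) of a polkit 0.107 rules.d file that does what the F16/F17 pkla did: it grants org.libvirt.unix.manage to members of the eucalyptus group via subject.isInGroup(), compares action.id, and returns polkit.Result constants. The `polkit` object, makeSubject() and evaluate() are a constructed stand-in for polkitd so the rule can be exercised outside the daemon; the file name 50-eucalyptus-libvirt.rules is assumed.

```javascript
// Constructed stub of what polkitd exposes to rules: polkit.Result,
// polkit.addRule() and polkit.log() exist in the real API; the _rules
// registry and the no-op log are only for running this outside polkitd.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  log(msg) { /* polkitd writes this to the system log (/var/log/secure) */ },
};

// Body of an assumed /etc/polkit-1/rules.d/50-eucalyptus-libvirt.rules
polkit.addRule(function (action, subject) {
  // Compare action.id, not the action object (comment 2, item 3);
  // unix-group:eucalyptus from the pkla becomes subject.isInGroup().
  if (action.id == "org.libvirt.unix.manage" &&
      subject.isInGroup("eucalyptus")) {
    polkit.log("granting " + action.id + " to " + subject.user);
    return polkit.Result.YES;
  }
  // Anything else falls through to later rules and to the defaults
  // (auth_admin / auth_admin_keep) in org.libvirt.unix.policy.
  return polkit.Result.NOT_HANDLED;
});

// Constructed harness: a subject with a user name and group list
function makeSubject(user, groups) {
  return { user: user, isInGroup: function (g) { return groups.includes(g); } };
}

// Constructed harness: run rules in order, first definite answer wins,
// which mirrors how polkitd walks the rules.d files.
function evaluate(actionId, subject) {
  for (const rule of polkit._rules) {
    const r = rule({ id: actionId }, subject);
    if (r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}
```

A non-member or a different libvirt action gets NOT_HANDLED, so the .policy defaults still apply and the password prompt from the description is only avoided for the intended group.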

