On Mon, Nov 30, 2020 at 05:28:16PM -0700, Jim Fehlig wrote:
As a normal user, 'virsh connect qemu:///system' and
'virsh connect --readonly qemu:///system' will prompt for root password.
If the user is added to the libvirt group, only
'virsh connect --readonly qemu:///system' will prompt for root password.
This doesn't make sense - the readonly case should never prompt for
a password, since libvirtd.polkit.in grants that permission out of
the box. The libvirtd.rules file should just be extending what is
defined in the main libvirtd.polkit file.
The libvirt polkit rules already allow libvirt group members access to
the rw socket. Add a rule allowing access to the ro socket.
Signed-off-by: Jim Fehlig <jfehlig(a)suse.com>
---
src/remote/libvirtd.rules | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/remote/libvirtd.rules b/src/remote/libvirtd.rules
index 01a15fac2e..d9be94fcc4 100644
--- a/src/remote/libvirtd.rules
+++ b/src/remote/libvirtd.rules
@@ -1,5 +1,12 @@
-// Allow any user in the 'libvirt' group to connect to system libvirtd
-// without entering a password.
+// Allow any user in the 'libvirt' group to connect to the system libvirtd
+// ro and rw sockets without entering a password.
+
+polkit.addRule(function(action, subject) {
+ if (action.id == "org.libvirt.unix.monitor" &&
+ subject.isInGroup("libvirt")) {
+ return polkit.Result.YES;
+ }
+});
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage" &&
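Review bot: the added org.libvirt.unix.monitor rule repeats the shape of the org.libvirt.unix.manage rule that follows it, so the libvirt group grant now lives in two places. Consider a single polkit.addRule whose condition accepts either action id together with subject.isInGroup("libvirt"), which keeps the group name and the YES result in one spot. The commit message should also explain why the monitor action prompts at all: the reply in this thread states that libvirtd.polkit.in already grants read-only access out of the box, so the message needs to say what this rule changes relative to that default. The header comment would read more clearly with "read-only and read-write" spelled out instead of "ro and rw".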
--
2.29.2
Regards,
Daniel