[libvirt] polkit-auth question

While debugging a PolicyKit issue I noticed that libvirt would proceed with authentication even though polkit-auth failed: testusr@xen134:~> virsh list --all Attempting to obtain authorization for org.libvirt.unix.manage. polkit-grant-helper: given auth type (8 -> yes) is bogus Failed to obtain authorization for org.libvirt.unix.manage. Id Name State ---------------------------------- 0 Domain-0 running - sles11sp1-pv shut off Hmm, authorization failed but domains listed anyway. testusr@xen134:~> virsh start sles11sp1-pv Attempting to obtain authorization for org.libvirt.unix.manage. polkit-grant-helper: given auth type (8 -> yes) is bogus Failed to obtain authorization for org.libvirt.unix.manage. Domain sles11sp1-pv started Ok, authorization failed but testusr was able to start the domain! Checking virConnectAuthGainPolkit() in src/libvirt.c cmd = virCommandNewArgList(POLKIT_AUTH, "--obtain", privilege, NULL); if (virCommandRun(cmd, &status) < 0 || status > 1) goto cleanup; Why the check for status > 1? I looked at polkit-auth source in PolicyKit 0.9 and AFAICT it sets its default return code to 1, only changing it to 0 in success code paths. Unfortunately, the polkit-auth docs make no mention of return codes. Thanks, Jim