[libvirt] [PATCH repost] daemon: Make the default PolicyKit policy auth_admin_keep.

Reposted at Cole's request. Previous discussion here:
https://www.redhat.com/archives/libvir-list/2012-October/thread.html#00682

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming blog: http://rwmj.wordpress.com
Fedora now supports 80 OCaml packages (the OPEN alternative to F#)
http://cocan.org/getting_started_with_ocaml_on_red_hat_and_fedora

On 11/01/2012 09:20 AM, Richard W.M. Jones wrote:
Reposted at Cole's request. Previous discussion here: https://www.redhat.com/archives/libvir-list/2012-October/thread.html#00682
Rich.

My takeaway from the internal discussion was that libvirt doesn't use polkit optimally, but in the current state auth_admin_keep doesn't hurt. So, ACK

Thanks,
Cole

On Thu, Nov 01, 2012 at 01:20:18PM +0000, Richard W.M. Jones wrote:
Reposted at Cole's request. Previous discussion here: https://www.redhat.com/archives/libvir-list/2012-October/thread.html#00682
Rich.
From 91b1c69f9f1e300be0ac577339c248611e2abc70 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" <rjones@redhat.com> Date: Mon, 15 Oct 2012 09:01:13 +0100 Subject: [PATCH] daemon: Make the default PolicyKit policy auth_admin_keep.
--- daemon/libvirtd.policy.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/daemon/libvirtd.policy.in b/daemon/libvirtd.policy.in index 2ec7716..de1aba4 100644 --- a/daemon/libvirtd.policy.in +++ b/daemon/libvirtd.policy.in @@ -43,8 +43,8 @@ License along with this library. If not, see <defaults> <!-- Any program can use libvirt in read/write mode if they provide the root password --> - <allow_any>auth_admin</allow_any> - <allow_inactive>auth_admin</allow_inactive> + <allow_any>@authaction@</allow_any> + <allow_inactive>@authaction@</allow_inactive> <allow_active>@authaction@</allow_active> </defaults> </action>
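
Review bot: in the <defaults> block, <allow_any> and <allow_inactive> now share the @authaction@ substitution with <allow_active>, so nothing in this file keeps them at an admin prompt if a build sets @authaction@ to something weaker for active sessions. If the intent is only what the subject line says, writing the literal value (<allow_any>auth_admin_keep</allow_any>, and the same for <allow_inactive>) would pin it; if all three are meant to follow one build-time value, say so in the commit message. The commit has a subject but no body, and the comment above <defaults> still reads only "if they provide the root password"; a sentence on why retaining the authorization is acceptable here, with a pointer to the earlier list discussion, would document the decision.
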
ACK

I talked with David Z. Based on the way libvirt uses policykit, this change will not adversely impact security.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

On Thu, Nov 01, 2012 at 02:41:09PM +0000, Daniel P. Berrange wrote:
On Thu, Nov 01, 2012 at 01:20:18PM +0000, Richard W.M. Jones wrote:
Reposted at Cole's request. Previous discussion here: https://www.redhat.com/archives/libvir-list/2012-October/thread.html#00682
Rich.
From 91b1c69f9f1e300be0ac577339c248611e2abc70 Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" <rjones@redhat.com> Date: Mon, 15 Oct 2012 09:01:13 +0100 Subject: [PATCH] daemon: Make the default PolicyKit policy auth_admin_keep.
--- daemon/libvirtd.policy.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/daemon/libvirtd.policy.in b/daemon/libvirtd.policy.in index 2ec7716..de1aba4 100644 --- a/daemon/libvirtd.policy.in +++ b/daemon/libvirtd.policy.in @@ -43,8 +43,8 @@ License along with this library. If not, see <defaults> <!-- Any program can use libvirt in read/write mode if they provide the root password --> - <allow_any>auth_admin</allow_any> - <allow_inactive>auth_admin</allow_inactive> + <allow_any>@authaction@</allow_any> + <allow_inactive>@authaction@</allow_inactive> <allow_active>@authaction@</allow_active> </defaults> </action>
ACK I talked with David Z. Based on the way libvirt uses policykit, this change will not adversely impact security.

Thanks, I have pushed this.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
libguestfs lets you edit virtual machines. Supports shell scripting,
bindings from many languages. http://libguestfs.org

participants (3)
- Cole Robinson
- Daniel P. Berrange
- Richard W.M. Jones