mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 21:55:25 +00:00
756e6ab467
If you are sitting in front of a physical machine and logged in as a regular user, you can connect to the system libvirtd instance by providing a root password to policykit. This is how most virt-manager users talk to libvirt.

However, if you are launching virt-manager over ssh -X, or over VNC started from say /etc/sysconfig/vncservers, our policykit policy rejects the user outright, providing no option to provide the root password. This is confusing to users and doesn't seem to serve much point.

Change the policy to allow inactive (VNC) and non-local (SSH, VNC) to provide root credentials for accessing system libvirtd. We use auth_admin rather than auth_admin_keep so that credentials aren't cached at all, and every subsequent reconnection to libvirt requires auth.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=625115

Similar change to PackageKit policy: https://bugzilla.redhat.com/show_bug.cgi?id=528511
43 lines
1.6 KiB
Plaintext
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">

<!--
Policy definitions for libvirt daemon

Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>

libvirt is licensed to you under the GNU Lesser General Public License
version 2. See COPYING for details.

NOTE: If you make changes to this file, make sure to validate the file
using the polkit-policy-file-validate(1) tool. Changes made to this
file are instantly applied.
-->

<policyconfig>
    <action id="org.libvirt.unix.monitor">
      <description>Monitor local virtualized systems</description>
      <message>System policy prevents monitoring of local virtualized systems</message>
      <defaults>
        <!-- Any program can use libvirt in read-only mode for monitoring,
             even if not part of a session -->
        <allow_any>yes</allow_any>
        <allow_inactive>yes</allow_inactive>
        <allow_active>yes</allow_active>
      </defaults>
    </action>

    <action id="org.libvirt.unix.manage">
      <description>Manage local virtualized systems</description>
      <message>System policy prevents management of local virtualized systems</message>
      <defaults>
        <!-- Only a program in the active host session can use libvirt in
             read-write mode for management, and we require user password -->
        <allow_any>auth_admin</allow_any>
        <allow_inactive>auth_admin</allow_inactive>
        <allow_active>auth_admin_keep_session</allow_active>
      </defaults>
    </action>
</policyconfig>
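
An added example (not part of libvirt or of this commit): a Python check that reads the implicit authorizations from the policy shown on this page and confirms the property the commit message describes, namely that non-local and inactive sessions reach org.libvirt.unix.manage only through an admin prompt whose result is not retained. The function names, the privileged-action list and the treatment of a missing element as "no" are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Policy as shown on this page (descriptions and comments omitted).
LIBVIRT_POLICY = """<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <action id="org.libvirt.unix.monitor">
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.libvirt.unix.manage">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep_session</allow_active>
    </defaults>
  </action>
</policyconfig>"""

SCOPES = ("allow_any", "allow_inactive", "allow_active")


def load_defaults(policy_xml):
    """Map action id -> {scope: value}; a missing element counts as 'no' (assumption)."""
    actions = ET.fromstring(policy_xml).iter("action")
    return {a.get("id"): {s: (a.findtext(f"defaults/{s}") or "no").strip()
                          for s in SCOPES} for a in actions}


def audit(policy_xml, privileged=("org.libvirt.unix.manage",)):
    """Flag privileged actions that non-local or inactive sessions reach too easily."""
    findings = []
    for action_id, scopes in load_defaults(policy_xml).items():
        if action_id not in privileged:
            continue
        # allow_any covers non-local clients (SSH, VNC); allow_inactive covers inactive sessions.
        for scope in ("allow_any", "allow_inactive"):
            value = scopes[scope]
            if value == "yes" or value.startswith("auth_self"):
                findings.append((action_id, scope, value, "no admin authentication"))
            elif "_keep" in value:
                findings.append((action_id, scope, value, "authorization is retained"))
    return findings
```

Calling audit(LIBVIRT_POLICY) returns an empty list for the policy on this page; a variant that gives allow_any a "_keep" value is reported.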