https://bugzilla.novell.com/show_bug.cgi?id=544579

https://bugzilla.novell.com/show_bug.cgi?id=544579#c13

--- Comment #13 from Justin Clift <jclift@redhat.com> 2010-09-14 08:31:26 UTC ---

The "set_polkit_default_privs" script (attached) refers to some other
PolicyKit related pieces on the filesystem:

  /etc/sysconfig/security (attached)
  /etc/polkit-default-privs.d/ (doesn't exist)
  /etc/polkit-default-privs.standard (attached)  <-- this one is used by default
  /etc/polkit-default-privs.restrictive (attached)  <-- this one is unused
                                  unless set in the /etc/sysconfig/security file

Grepping the /etc/polkit-default-privs.standard file for occurrences of
"libvirt" gives this:

  org.libvirt.unix.monitor    yes
  org.libvirt.unix.manage     auth_admin_keep_always

It looks like the concept used for the openSUSE implementation is to allow
management access to any user regarded as an admin by PolicyKit.

Investigating that, openSUSE ships with the same default local authority file
as other distributions:

  /etc/polkit-1/localauthority.conf.d/50-localauthority.conf

With the same contents as elsewhere:

  # Configuration file for the PolicyKit Local Authority.
  #
  # DO NOT EDIT THIS FILE, it will be overwritten on update.
  #
  # See the pklocalauthority(8) man page for more information
  # about configuring the Local Authority.
  #

  [Configuration]
  AdminIdentities=unix-user:0

This gives only root access by default (it seems).

*************

Looking at the text of the openSUSE local configuration file,
polkit-default-privs.local:

  #
  # /etc/polkit-default-privs.local
  #
  # This file is used by set_polkit_default_privs to check or set
  # the implicit default privileges granted by PolicyKit
  #
  # In particular, this file will not be touched during an upgrade of the
  # installation. It is designed to be a placeholder for local
  # additions by the administrator of the system.
  #
  # Note that you need to run /sbin/set_polkit_default_privs for
  # changes to take effect.
  #
  # Format:
  # <privilege> <any>:<inactive>:<active>
  #

It seems like this is the intended place for PolicyKit config changes in
openSUSE's implementation, rather than placing files in the /etc/polkit-1/
directory structure.

Conceptually, I'm not sure how to leverage this approach to achieve things
like "group access" and similar for libvirt.

openSUSE ships with this file by default:

  /var/lib/polkit-1/localauthority/10-vendor.d/org.libvirt.unix.manage.pkla

Containing:

  [org.libvirt.unix.manage]
  Identity=unix-user:*
  Action=org.libvirt.unix.manage
  ResultAny=auth_admin_keep
  ResultInactive=auth_admin_keep
  ResultActive=auth_admin_keep

This seems to be (from my point of view at the moment) causing the problem.

*Removing* this file allows the more familiar .pkla file approach documented
for RHEL 6/Fedora 12+ as working.

i.e. Adding

  /etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla

with contents:

  [libvirt Management Access]
  Identity=unix-group:libvirt
  Action=org.libvirt.unix.manage
  ResultAny=yes
  ResultInactive=yes
  ResultActive=yes

Then creating the unix group "libvirt".

Any users added to this group gain the ability to manage libvirt (tested and
verified through ssh on openSUSE 11.3).

This approach doesn't seem to be in line with how openSUSE intends things to
be configured though, so I'm reluctant to recommend this as the official
libvirt recommendation of "how to do things on openSUSE".

All pointers, suggestions for improvement, thoughts, etc, welcome. :)
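
Added example, not part of the original comment and not openSUSE or libvirt code: a Python script that parses .pkla contents and lists every entry touching one action, flagging wildcard identities and results of "yes", so that overlapping entries such as the two quoted above show up side by side. SAMPLE_FILES holds the file contents quoted in the comment; the function names are hypothetical, and fnmatch is assumed as a stand-in for polkit's own glob matching.

```python
import configparser
from fnmatch import fnmatchcase

RESULT_KEYS = ("ResultAny", "ResultInactive", "ResultActive")

# File contents as quoted in the comment above, keyed by path.
SAMPLE_FILES = {
    "/var/lib/polkit-1/localauthority/10-vendor.d/org.libvirt.unix.manage.pkla":
        "[org.libvirt.unix.manage]\nIdentity=unix-user:*\n"
        "Action=org.libvirt.unix.manage\nResultAny=auth_admin_keep\n"
        "ResultInactive=auth_admin_keep\nResultActive=auth_admin_keep\n",
    "/etc/polkit-1/localauthority/50-local.d/50-org.example-libvirt-remote-access.pkla":
        "[libvirt Management Access]\nIdentity=unix-group:libvirt\n"
        "Action=org.libvirt.unix.manage\nResultAny=yes\n"
        "ResultInactive=yes\nResultActive=yes\n",
}

def split_globs(value):
    """Identity and Action hold semicolon-separated glob lists."""
    return [g.strip() for g in value.split(";") if g.strip()]

def entries_for_action(files, action):
    """Return every .pkla entry whose Action globs match `action`."""
    found = []
    for path in sorted(files):  # sorted for stable output, not polkit's order
        cp = configparser.RawConfigParser(delimiters=("=",))
        cp.optionxform = str  # keep key case (Identity, ResultAny, ...)
        cp.read_string(files[path], source=path)
        for name in cp.sections():
            sec = cp[name]
            # fnmatch approximates polkit's glob matching (assumption)
            if any(fnmatchcase(action, g) for g in split_globs(sec.get("Action", ""))):
                found.append({"path": path, "section": name,
                              "identities": split_globs(sec.get("Identity", "")),
                              "results": {k: sec[k] for k in RESULT_KEYS if k in sec}})
    return found

def audit(files, action):
    """List (path, note) pairs worth an administrator's review."""
    notes = []
    for ent in entries_for_action(files, action):
        wild = [i for i in ent["identities"] if "*" in i]
        if wild:
            notes.append((ent["path"], "wildcard identity " + ",".join(wild)))
        granted = [k for k, v in ent["results"].items() if v == "yes"]
        if granted:
            notes.append((ent["path"], "no authentication for " + ",".join(granted)))
    return notes

if __name__ == "__main__":
    for path, note in audit(SAMPLE_FILES, "org.libvirt.unix.manage"):
        print(f"{path}: {note}")
```

On a live system the same functions can be fed a dict built by reading the .pkla files under /etc/polkit-1/localauthority and /var/lib/polkit-1/localauthority.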