http://bugzilla.suse.com/show_bug.cgi?id=1140151

            Bug ID: 1140151
           Summary: AUDIT-0: libvirt: new polkit permissions for networkport
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: jfehlig@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

libvirt 5.5.0 got some new polkit permissions for the networkport object via
commit e69444e1793, which cause the following lint failures

[ 732s] libvirt-daemon.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.libvirt.api.network-port.getattr (yes:yes:yes)
[ 732s] libvirt-daemon.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.libvirt.api.network-port.read (yes:yes:yes)
[ 732s] The package allows unprivileged users to carry out privileged operations
[ 732s] without authentication. This could cause security problems if not done
[ 732s] carefully. If the package is intended for inclusion in any SUSE product please
[ 732s] open a bug report to request review of the package by the security team.
[ 732s] Please refer to
[ 732s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 732s] more information.
[ 732s]
[ 732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network-port.create (no:no:no)
[ 732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network-port.delete (no:no:no)
[ 732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network-port.write (no:no:no)
[ 732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network.search-ports (no:no:no)
[ 732s] The privilege is not listed in /etc/polkit-default-privs.* which makes it
[ 732s] harder for admins to find. Furthermore polkit authorization checks can easily
[ 732s] introduce security issues. If the package is intended for inclusion in any
[ 732s] SUSE product please open a bug report to request review of the package by the
[ 732s] security team. Please refer to
[ 732s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 732s] more information.
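
A triage helper for the lint output above, added here as an example and not part of the original report or of rpmlint: it parses the polkit findings out of a build log and lists, per action, the session classes that are granted access without authentication. It assumes the triple in parentheses is ordered any:inactive:active, as in the polkit-default-privs files; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample input: finding lines taken from the build log in this
# report, plus one explanatory line and one empty log line that must be skipped.
SAMPLE_LOG = """\
[ 732s] libvirt-daemon.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.libvirt.api.network-port.getattr (yes:yes:yes)
[ 732s] libvirt-daemon.x86_64: E: polkit-unauthorized-privilege (Badness: 10000) org.libvirt.api.network-port.read (yes:yes:yes)
[ 732s] The package allows unprivileged users to carry out privileged operations
[ 732s]
[ 732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network-port.create (no:no:no)
[ 732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network-port.delete (no:no:no)
[ 732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network-port.write (no:no:no)
[ 732s] libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.network.search-ports (no:no:no)
"""

FINDING = re.compile(
    r"^(?:\[\s*\d+s\]\s*)?"                       # optional build-log timestamp
    r"(?P<pkg>\S+): (?P<sev>[EW]): "              # package and severity
    r"(?P<check>polkit-[\w-]+) \(Badness: (?P<badness>\d+)\) "
    r"(?P<action>[\w.-]+) "                       # polkit action id
    r"\((?P<any>\w+):(?P<inactive>\w+):(?P<active>\w+)\)\s*$"
)
# Assumption: slot order matches polkit-default-privs (any:inactive:active).
SLOTS = ("any", "inactive", "active")


def parse_findings(log):
    """Return one dict per polkit lint finding; explanatory lines are skipped."""
    return [m.groupdict() for m in map(FINDING.match, log.splitlines()) if m]


def triage(findings):
    """Map lint check -> action -> session classes that need no authentication."""
    report = defaultdict(dict)
    for f in findings:
        report[f["check"]][f["action"]] = [s for s in SLOTS if f[s] == "yes"]
    return dict(report)


if __name__ == "__main__":
    for check, actions in triage(parse_findings(SAMPLE_LOG)).items():
        print(check)
        for action, no_auth in sorted(actions.items()):
            granted = ", ".join(no_auth) or "none"
            print(f"  {action}: no authentication required for: {granted}")
```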