[PATCH] polkit: Allow libvirt group access to libvirtd ro socket

Wed Dec 2 00:15:33 UTC 2020

On Tue, Dec 1, 2020 at 4:23 PM Jim Fehlig <jfehlig at suse.com> wrote:
>
> On 12/1/20 2:17 AM, Daniel P. Berrangé wrote:
> > On Mon, Nov 30, 2020 at 05:28:16PM -0700, Jim Fehlig wrote:
> >> As a normal user, 'virsh connect qemu:///system' and
> >> 'virsh connect --readonly qemu:///system' will prompt for root password.
> >> If the user is added to the libvirt group, only
> >> 'virsh connect --readonly qemu:///system' will prompt for root password.
> >
> > This doesn't make sense - the readonly case should never prompt for
> > a password, since libvirtd.polkit.in grants that permission out of
> > the box.
>
> I thought something smelled a bit fishy. I meant to annotate the patch with "It
> is possible I have a broader polkit config issue", but forgot before sending it
> last night.
>
> And indeed after looking again today with fresh eyes I see the problem is in our
> polkit-default-privs package -> downstream bug. Ignore this patch.
>

Hah, and I didn't catch this because I rip out the default openSUSE
stuff that ruins usability by restricting polkit too much. :)

Shame on me for not double checking my environment. :)

-- 
真実はいつも一つ！/ Always, there's only one truth!