diff options
author | Cole Robinson <crobinso@redhat.com> | 2012-02-07 11:50:29 -0500 |
---|---|---|
committer | Cole Robinson <crobinso@redhat.com> | 2012-02-07 11:59:35 -0500 |
commit | 756e6ab467a27e8228bfa2704d1c4883355ac666 (patch) | |
tree | 168344582d960cada2a4c2795c19af42732c4626 /daemon/libvirtd.policy-1 | |
parent | pyhton: Don't link against libvirt_util.la (diff) | |
download | libvirt-756e6ab467a27e8228bfa2704d1c4883355ac666.tar.gz libvirt-756e6ab467a27e8228bfa2704d1c4883355ac666.tar.bz2 libvirt-756e6ab467a27e8228bfa2704d1c4883355ac666.zip |
Allow polkit auth for VNC and SSH users
If you are sitting in front of a physical machine and logged in as
a regular user, you can connect to the system libvirtd instance
by providing a root password to policykit. This is how most
virt-manager users talk to libvirt.
However, if you are launching virt-manager over ssh -X, or over
VNC started from say /etc/sysconfig/vncservers, our policykit policy
rejects the user outright, providing no option to provide the root
password. This is confusing to users and doesn't seem to serve much
point.
Change the policy to allow inactive (VNC) and non-local (SSH, VNC)
to provide root credentials for accessing system libvirtd. We use
auth_admin rather than auth_admin_keep so that credentials aren't
cached at all, and every subsequent reconnection to libvirt requires
auth.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=625115
Similar change to PackageKit policy:
https://bugzilla.redhat.com/show_bug.cgi?id=528511
Diffstat (limited to 'daemon/libvirtd.policy-1')
-rw-r--r-- | daemon/libvirtd.policy-1 | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/daemon/libvirtd.policy-1 b/daemon/libvirtd.policy-1 index 6fa3a5e71..c2bec1f2a 100644 --- a/daemon/libvirtd.policy-1 +++ b/daemon/libvirtd.policy-1 @@ -34,8 +34,8 @@ file are instantly applied. <defaults> <!-- Only a program in the active host session can use libvirt in read-write mode for management, and we require user password --> - <allow_any>no</allow_any> - <allow_inactive>no</allow_inactive> + <allow_any>auth_admin</allow_any> + <allow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </defaults> </action> |