f23 mate policykit libvirt problem

Nate Pearlstein npearl at sgi.com
Sat Jan 16 21:12:54 UTC 2016


Hi Cole,

Thanks for the response.  I’m still seeing problems.

I start virt-manager and it prompts me for the root password.
My user is now a member of the libvirt group

[npearl at caprica ~]$ id
uid=10000(npearl) gid=1000(npearl) groups=1000(npearl),10(wheel),982(libvirt) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Jan 16 15:39:08 caprica polkitd[2464]: Operator of unix-session:1 FAILED to authenticate to gain authorization for action org.libvirt.unix.manage for unix-process:5732:28774 [/usr/bin/python2 -tt /usr/share/virt-manager/virt-manager] (owned by unix-user:npearl)
Jan 16 15:39:08 caprica libvirtd[3546]: libvirt version: 1.2.18.2, package: 1.fc23 (Fedora Project, 2015-12-24-00:55:42, buildhw-12.phx2.fedoraproject.org)
Jan 16 15:39:08 caprica libvirtd[3546]: authentication cancelled: user cancelled authentication process
Jan 16 15:39:08 caprica libvirtd[3546]: End of file while reading data: Input/output error


I’ve also tried playing around with various paramters in /etc/libvirt/libvirtd.conf and copied /usr/lib/systemd/system/libvirtd.socket to /etc/systemd/system/libvirtd.socket and changed the perms on the unix sockets to no avail.

Perhaps I need to open a bug.

> On Jan 16, 2016, at 10:31 AM, Cole Robinson <crobinso at redhat.com> wrote:
> 
> On 01/15/2016 07:44 PM, Nate Pearlstein wrote:
>> I’ve been trying to get policykit to automatically authorize virt-manager.
>> 
>> This was working fine with fedora 21, but with fedora 23 it doesn’t seem to work.  For both I’ve been using the mate desktop.
>> 
>> With f21 I had the following in /etc/polkit-1/localauthority/50-local.d/caprica.libvirt.pkla
>> 
>> [Allow user libvirt management permissions]
>> Identity=unix-user:user
>> Action=org.libvirt.unix.manage
>> ResultAny=yes
>> ResultInactive=yes
>> ResultActive=yes
>> 
>> 
> 
> That format hasn't worked for quite a while, due to a polkit change.
> 
>> I tried the above with f23 and no luck.  I’ve since tried
>> 
>> /etc/polkit-1/rules.d/80-libvirt.rules
>> 
>> polkit.addRule(function(action, subject) {
>>  if (action.id == "org.libvirt.unix.manage" && subject.local && subject.active && subject.isInGroup("wheel")) {
>>      return polkit.Result.YES;
>>  }
>> });
>> 
> 
> At a glance that looks like it should work, but I didn't confirm the syntax.
> However on fedora 22+ the recommended way to do this is to add yourself to the
> 'libvirt' group:
> 
> http://blog.wikichoon.com/2016/01/polkit-password-less-access-for-libvirt.html
> 
> - Cole
> -- 
> users mailing list
> users at lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org



More information about the users mailing list