f23 mate policykit libvirt problem

Nate Pearlstein npearl at sgi.com
Wed Jan 20 00:42:31 UTC 2016


So for the morbidly curious, I found that at some point during the upgrade the group id for polkitd changed and some dirs had nm-openvpn as the group. After fixing those and putting those back, and with my user being in the libvirt group, still no luck. Putting in the newer form of rule, but with a group of wheel, fixed this for me. My user is in group wheel and libvirt. This doesn't seem like expected behavior, but perhaps I didn't find all the cruft.



Nate Pearlstein - npearl at sgi.com - Product Support Engineer

-----Original Message-----
From: Nate Pearlstein [npearl at sgi.com]
Sent: Saturday, January 16, 2016 04:11 PM Central Standard Time
To: 'Community support for Fedora users'; 'Community support for Fedora users'
Subject: RE: f23 mate policykit libvirt problem

So on a different system upgraded from f22 and not f21, the directions work, so there must be some cruft hiding on the one upgraded from f21. I'll have to dig into the differences.



Nate Pearlstein - npearl at sgi.com - Product Support Engineer

-----Original Message-----
From: Nate Pearlstein [npearl at sgi.com]
Sent: Saturday, January 16, 2016 03:13 PM Central Standard Time
To: Community support for Fedora users
Subject: Re: f23 mate policykit libvirt problem


Hi Cole,

Thanks for the response.  I’m still seeing problems.

I start virt-manager and it prompts me for the root password.
My user is now a member of the libvirt group.

[npearl at caprica ~]$ id
uid=10000(npearl) gid=1000(npearl) groups=1000(npearl),10(wheel),982(libvirt) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

Jan 16 15:39:08 caprica polkitd[2464]: Operator of unix-session:1 FAILED to authenticate to gain authorization for action org.libvirt.unix.manage for unix-process:5732:28774 [/usr/bin/python2 -tt /usr/share/virt-manager/virt-manager] (owned by unix-user:npearl)
Jan 16 15:39:08 caprica libvirtd[3546]: libvirt version: 1.2.18.2, package: 1.fc23 (Fedora Project, 2015-12-24-00:55:42, buildhw-12.phx2.fedoraproject.org)
Jan 16 15:39:08 caprica libvirtd[3546]: authentication cancelled: user cancelled authentication process
Jan 16 15:39:08 caprica libvirtd[3546]: End of file while reading data: Input/output error


I’ve also tried playing around with various parameters in /etc/libvirt/libvirtd.conf, and copied /usr/lib/systemd/system/libvirtd.socket to /etc/systemd/system/libvirtd.socket and changed the perms on the unix sockets, to no avail.

Perhaps I need to open a bug.

> On Jan 16, 2016, at 10:31 AM, Cole Robinson <crobinso at redhat.com> wrote:
>
> On 01/15/2016 07:44 PM, Nate Pearlstein wrote:
>> I’ve been trying to get policykit to automatically authorize virt-manager.
>>
>> This was working fine with fedora 21, but with fedora 23 it doesn’t seem to work.  For both I’ve been using the mate desktop.
>>
>> With f21 I had the following in /etc/polkit-1/localauthority/50-local.d/caprica.libvirt.pkla
>>
>> [Allow user libvirt management permissions]
>> Identity=unix-user:user
>> Action=org.libvirt.unix.manage
>> ResultAny=yes
>> ResultInactive=yes
>> ResultActive=yes
>>
>>
>
> That format hasn't worked for quite a while, due to a polkit change.
>
>> I tried the above with f23 and no luck.  I’ve since tried
>>
>> /etc/polkit-1/rules.d/80-libvirt.rules
>>
>> polkit.addRule(function(action, subject) {
>>  if (action.id == "org.libvirt.unix.manage" && subject.local && subject.active && subject.isInGroup("wheel")) {
>>      return polkit.Result.YES;
>>  }
>> });
>>
>
> At a glance that looks like it should work, but I didn't confirm the syntax.
> However on fedora 22+ the recommended way to do this is to add yourself to the
> 'libvirt' group:
>
> http://blog.wikichoon.com/2016/01/polkit-password-less-access-for-libvirt.html
>
> - Cole
> --
> users mailing list
> users at lists.fedoraproject.org
> To unsubscribe or change subscription options:
> https://admin.fedoraproject.org/mailman/listinfo/users
> Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
> Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
> Have a question? Ask away: http://ask.fedoraproject.org
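
As an added example (not part of the thread and not polkit's own code), the rules.d rule quoted above can be exercised offline with a small Node.js stand-in for polkitd's rule engine, to check which sessions it authorizes without a password. `makePolkit`, `makeSubject`, `installLibvirtRule` and `decide` are hypothetical helper names, the subjects are constructed, and the `auth_admin` fallback is an assumption standing in for the action's implicit default.

```javascript
// Added example: a simplified stand-in for polkitd's rule engine (NOT polkit itself),
// so the body of a rules.d file can be tested offline with Node.js.
function makePolkit() {
  const rules = [];
  return {
    Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" },
    addRule(fn) { rules.push(fn); },
    // Rules run in registration order; the first one that returns a value decides.
    // With no match, fall back to the implicit default (assumed auth_admin here).
    check(action, subject, implicitDefault = "auth_admin") {
      for (const rule of rules) {
        const result = rule(action, subject);
        if (result !== undefined && result !== null) return result;
      }
      return implicitDefault;
    },
  };
}

// Constructed subject exposing only the fields the thread's rule reads.
function makeSubject(user, groups, { local = true, active = true } = {}) {
  return { user, local, active, isInGroup: (g) => groups.includes(g) };
}

// The rule from the thread, wrapped so the harness can inject its own `polkit`.
// The group is a parameter only so the wheel and libvirt variants can be compared.
function installLibvirtRule(polkit, group) {
  polkit.addRule(function (action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.local && subject.active && subject.isInGroup(group)) {
      return polkit.Result.YES;
    }
  });
}

// Evaluate one request against a fresh engine holding only that rule.
function decide(group, subject, actionId = "org.libvirt.unix.manage") {
  const polkit = makePolkit();
  installLibvirtRule(polkit, group);
  return polkit.check({ id: actionId }, subject);
}

const npearl = makeSubject("npearl", ["npearl", "wheel", "libvirt"]);
console.log("wheel rule, local active session:", decide("wheel", npearl));
console.log("wheel rule, remote session:",
  decide("wheel", makeSubject("npearl", ["wheel"], { local: false })));
console.log("wheel rule, user outside wheel:",
  decide("wheel", makeSubject("guest", ["guest"])));
```

Anything other than `yes` in this model corresponds to the password prompt seen in the polkitd log above; the harness does not model file ordering between /etc/polkit-1/rules.d and other rule directories.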
