[libvirt] PATCH: Misc changes to policykit policy file

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



After discussions with policykit maintainers I've come to the conclusion
that it is better for security if we default to 'auth_admin_keep_sesion'
instead of 'auth_self_keep_session'. ie prompt for the root password (ala
'su') instead of the user's password (ala 'sudo'). This is because having
access to libvirtd gives you very significant power over the host machine.

Secondly, newer versions of policykit have imposed a naming constraint on
policy files, so when we install our policy it needs to be in a file called
org.libvirt.unix.policy, instead of just libvirt.policy. So there's a change
to the Makefile to support this.


Daniel

diff -r e17c1bd119fc libvirt.spec.in
--- a/libvirt.spec.in	Wed Jul 09 09:26:26 2008 +0100
+++ b/libvirt.spec.in	Wed Jul 09 10:32:24 2008 +0100
@@ -240,7 +240,7 @@
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/images/
 %dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/boot/
 %if %{with_polkit}
-%{_datadir}/PolicyKit/policy/libvirtd.policy
+%{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
 %endif
 %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/
 %if %{with_xen_proxy}
diff -r e17c1bd119fc qemud/Makefile.am
--- a/qemud/Makefile.am	Wed Jul 09 09:26:26 2008 +0100
+++ b/qemud/Makefile.am	Wed Jul 09 10:32:24 2008 +0100
@@ -13,7 +13,8 @@
 	remote_dispatch_proc_switch.h \
 	mdns.c mdns.h \
         libvirtd.sasl \
-        libvirtd.conf
+        libvirtd.conf \
+        libvirtd.policy
 
 if RPCGEN
 SUFFIXES = .x
@@ -75,9 +76,7 @@
 
 if HAVE_POLKIT
 policydir = $(datadir)/PolicyKit/policy
-policy_DATA = libvirtd.policy
 endif
-EXTRA_DIST += libvirtd.policy
 
 if HAVE_AVAHI
 libvirtd_SOURCES += mdns.c mdns.h
@@ -86,7 +85,7 @@
 endif
 
 default_xml_dest = libvirt/qemu/networks/default.xml
-install-data-local: install-init install-data-sasl
+install-data-local: install-init install-data-sasl install-data-polkit
 	mkdir -p $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart
 	$(INSTALL_DATA) $(srcdir)/default-network.xml \
 	  $(DESTDIR)$(sysconfdir)/$(default_xml_dest)
@@ -99,7 +98,7 @@
 	mkdir -p $(DESTDIR)$(localstatedir)/run/libvirt
 	mkdir -p $(DESTDIR)$(localstatedir)/lib/libvirt
 
-uninstall-local:: uninstall-init uninstall-data-sasl
+uninstall-local:: uninstall-init uninstall-data-sasl install-data-polkit
 	rm -f $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart/default.xml
 	rm -f $(DESTDIR)$(sysconfdir)/$(default_xml_dest)
 	rmdir $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart || :
@@ -119,6 +118,18 @@
 install-data-sasl:
 uninstall-data-sasl:
 endif
+
+if HAVE_POLKIT
+install-data-polkit:: install-init
+	mkdir -p $(DESTDIR)$(policydir)
+	$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
+uninstall-data-polkit:: install-init
+	rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
+else
+install-data-polkit::
+uninstall-data-polkit::
+endif
+
 
 remote.c: remote_dispatch_prototypes.h \
 	  remote_dispatch_localvars.h \
diff -r e17c1bd119fc qemud/libvirtd.policy
--- a/qemud/libvirtd.policy	Wed Jul 09 09:26:26 2008 +0100
+++ b/qemud/libvirtd.policy	Wed Jul 09 10:32:24 2008 +0100
@@ -36,7 +36,7 @@
              read-write mode for management, and we require user password -->
         <allow_any>no</allow_any>
         <allow_inactive>no</allow_inactive>
-        <allow_active>auth_self_keep_session</allow_active>
+        <allow_active>auth_admin_keep_session</allow_active>
       </defaults>
     </action>
-</policyconfig>
\ No newline at end of file
+</policyconfig>


-- 
|: Red Hat, Engineering, London   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list

[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]