While debugging a PolicyKit issue I noticed that libvirt would proceed
with authentication even though polkit-auth failed:
testusr@xen134:~> virsh list --all
Attempting to obtain authorization for org.libvirt.unix.manage.
polkit-grant-helper: given auth type (8 -> yes) is bogus
Failed to obtain authorization for org.libvirt.unix.manage.
Id Name State
----------------------------------
0 Domain-0 running
- sles11sp1-pv shut off
Hmm, authorization failed but domains listed anyway.
testusr@xen134:~> virsh start sles11sp1-pv
Attempting to obtain authorization for org.libvirt.unix.manage.
polkit-grant-helper: given auth type (8 -> yes) is bogus
Failed to obtain authorization for org.libvirt.unix.manage.
Domain sles11sp1-pv started
Ok, authorization failed but testusr was able to start the domain!
Checking virConnectAuthGainPolkit() in src/libvirt.c
cmd = virCommandNewArgList(POLKIT_AUTH, "--obtain", privilege, NULL);
if (virCommandRun(cmd, &status) < 0 ||
status > 1)
goto cleanup;
Why the check for status > 1? I looked at polkit-auth source in
PolicyKit 0.9 and AFAICT it sets its default return code to 1, only
changing it to 0 in success code paths. Unfortunately, the polkit-auth
docs make no mention of return codes.
Thanks,
Jim
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list