On Thu, Jan 05, 2012 at 01:12:37PM -0700, Eric Blake wrote: > On 01/03/2012 03:35 PM, Jim Fehlig wrote: > > I previously mentioned [1] a PolicyKit issue where libvirt would > > proceed with authentication even though polkit-auth failed: > > > > testusr xen134:~> virsh list --all > > Attempting to obtain authorization for org.libvirt.unix.manage. > > polkit-grant-helper: given auth type (8 -> yes) is bogus > > Failed to obtain authorization for org.libvirt.unix.manage. > > Id Name State > > ---------------------------------- > > 0 Domain-0 running > > - sles11sp1-pv shut off > > > > AFAICT, libvirt attempts to obtain a privilege it already has, > > causing polkit-auth to fail with above message. Instead of calling > > obtain and then checking auth, IMO the workflow should be for the > > server to check auth first, and if that fails ask the client to > > obtain it and check again. This workflow also allows for checking > > only successful exit of polkit-auth in virConnectAuthGainPolkit(). > > > > [1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html > > --- > > src/libvirt.c | 2 +- > > src/remote/remote_driver.c | 11 +++++++++++ > > 2 files changed, 12 insertions(+), 1 deletions(-) > > This looks reasonable to me, but I'd like a second opinion from someone > more familiar with the PolicyKit code before you push anything (that > would probably be DV or danpb). If they agree, then I think it can go > in 0.9.9. ACK Out of interest, what Suse distro releases are still relying on the old policy kit code, as opposed to the new style ? Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list