https://bugzilla.redhat.com/show_bug.cgi?id=1168333

Miloslav Trmač <mitr@xxxxxxxxxx> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(mitr@xxxxxxxxxx)  |

--- Comment #16 from Miloslav Trmač <mitr@xxxxxxxxxx> ---
(In reply to Vít Ondruch from comment #15)
> > > vagrant-libvirt.pkla
> >
> > This was replaced by 10-vagrant-libvirt.rules (although I am still not
> > convinced we should ship this file, since there are security concerns such
> > as bug 957300).
>
> Actually, let's see what is polkit's maintainer point of view.

In principle, I think using groups (or even better, groups-of-groups, for
“role” groups containing groups of users) to manage permissions is a good
model; getting the exact role design is rather tricky (e.g. for VMs it could
likely make sense to have a role that allows starting/stopping/restarting VMs
and a separate one for more general administration) but that is something the
various upstreams are probably best equipped to design, at least for roles
that don’t span more roles.

AFAICS 10-vagrant-libvirt.rules differs from the above in a significant way,
though: it is in a package _different from_ libvirt that overrides rules that
affect _all_ of libvirt. I strongly think that this should not be happening.

* If an author of a polkit-using service designs some default rules and group
  membership rules, that is fine (upstream documentation currently prohibits
  this, but that should be changed, bug #956005).
* If a site administrator wants to override defaults in their own polkit rules
  RPM, that is obviously fine.
* Changing the system policy by installing an apparently unrelated RPM is _not_
  good.

It might make sense for vagrant-libvirt to install rules that apply only to
vagrant VMs (I don’t know, I haven’t looked into vagrant-libvirt details at
all at the moment).

But if you are effectively trying to implement the libvirt-general RFE from
bug #957300, that really needs to happen in the general libvirt RPM, not as a
side-effect of installing (not even choosing to use?) a particular backend.
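
A check a packager or reviewer could run for the situation discussed above, where a package other than libvirt ships polkit rules that touch libvirt's actions (added example, not part of the original message and not code from polkit, libvirt or vagrant-libvirt). The `EXPECTED_OWNER` mapping, the function names, and the sample rule text and package owners are assumptions constructed for illustration.

```python
import re
import subprocess
from pathlib import Path

RULES_DIRS = ("/etc/polkit-1/rules.d", "/usr/share/polkit-1/rules.d")
# Assumption of this example: action-id prefix -> prefix of package names expected to ship its rules.
EXPECTED_OWNER = {"org.libvirt.": "libvirt"}
# Quoted dotted identifiers, including prefixes such as "org.libvirt."
ACTION_ID = re.compile(r"""["']([a-z][\w-]*(?:\.[\w-]+)+\.?)["']""", re.I)

def rpm_owner(path):
    """Name of the RPM owning path, or None if no package owns it."""
    r = subprocess.run(["rpm", "-qf", "--qf", "%{NAME}\n", path],
                       capture_output=True, text=True)
    return r.stdout.split()[0] if r.returncode == 0 and r.stdout.strip() else None

def load_rules(dirs=RULES_DIRS):
    """Read every *.rules file from the polkit rules directories."""
    return {str(p): p.read_text(errors="replace")
            for d in dirs for p in sorted(Path(d).glob("*.rules"))}

def audit(rules, owner_of=rpm_owner):
    """Return sorted (path, owning package, action id) tuples to review."""
    findings = []
    for path, text in rules.items():
        owner = owner_of(path)
        if owner is None:  # unpackaged file written on this host: skip
            continue
        for action in set(ACTION_ID.findall(text)):
            for prefix, pkg in EXPECTED_OWNER.items():
                if action.startswith(prefix) and not owner.startswith(pkg):
                    findings.append((path, owner, action))
    return sorted(findings)

# Constructed sample input (not the contents of any shipped file).
RULE = 'polkit.addRule(function(action, subject) {\n' \
       '  if (action.id == "org.libvirt.unix.manage" && subject.isInGroup("%s"))\n' \
       '    return polkit.Result.YES;\n});\n'
CONSTRUCTED = [  # (path, owner a pretend `rpm -qf` reports, group granted)
    ("/usr/share/polkit-1/rules.d/10-vagrant-libvirt.rules", "vagrant-libvirt", "vagrant"),
    ("/usr/share/polkit-1/rules.d/50-libvirt.rules", "libvirt-daemon", "libvirt"),
    ("/etc/polkit-1/rules.d/49-site-local.rules", None, "wheel"),
]
SAMPLE = {p: RULE % g for p, _, g in CONSTRUCTED}
SAMPLE_OWNERS = {p: o for p, o, _ in CONSTRUCTED}

if __name__ == "__main__":
    for path, owner, action in audit(SAMPLE, SAMPLE_OWNERS.get):
        print(f"{owner} ships {path}, which references {action}")
```

On an RPM-based host, `audit(load_rules())` runs the same check against the installed rules, typically needing root to read `/etc/polkit-1/rules.d`.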