diff --git a/0006-polkit-Allow-password-less-access-for-libvirt-group.patch b/0006-polkit-Allow-password-less-access-for-libvirt-group.patch
new file mode 100644
index 0000000..6fbcf73
--- /dev/null
+++ b/0006-polkit-Allow-password-less-access-for-libvirt-group.patch
@@ -0,0 +1,126 @@
+From: Cole Robinson
+Date: Tue, 28 Apr 2015 17:38:00 -0400
+Subject: [PATCH] polkit: Allow password-less access for 'libvirt' group
+
+Many users, who admin their own machines, want to be able to access
+system libvirtd via tools like virt-manager without having to enter
+a root password. Just google 'virt-manager without password' and
+you'll find many hits. I've read at least 5 blog posts over the years
+describing slightly different ways of achieving this goal.
+
+Let's finally add official support for this.
+
+Install a polkit-1 rules file granting password-less auth for any user
+in the new 'libvirt' group. Create the group on RPM install
+
+https://bugzilla.redhat.com/show_bug.cgi?id=957300
+(cherry picked from commit e94979e901517af9fdde358d7b7c92cc055dd50c)
+---
+ daemon/Makefile.am | 13 +++++++++++++
+ daemon/libvirt.rules | 9 +++++++++
+ libvirt.spec.in | 15 +++++++++++++--
+ 3 files changed, 35 insertions(+), 2 deletions(-)
+ create mode 100644 daemon/libvirt.rules
+
+diff --git a/daemon/Makefile.am b/daemon/Makefile.am
+index b95a79d..9c5ea37 100644
+--- a/daemon/Makefile.am
++++ b/daemon/Makefile.am
+@@ -53,6 +53,7 @@ EXTRA_DIST = \
+ libvirtd.init.in \
+ libvirtd.upstart \
+ libvirtd.policy.in \
++ libvirt.rules \
+ libvirtd.sasl \
+ libvirtd.service.in \
+ libvirtd.socket.in \
+@@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
+ else ! WITH_POLKIT0
+ policydir = $(datadir)/polkit-1/actions
+ policyauth = auth_admin_keep
++rulesdir = $(datadir)/polkit-1/rules.d
++rulesfile = libvirt.rules
+ endif ! WITH_POLKIT0
+ endif WITH_POLKIT
+
+@@ -263,9 +266,19 @@ if WITH_POLKIT
+ install-data-polkit::
+ $(MKDIR_P) $(DESTDIR)$(policydir)
+ $(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
++if ! WITH_POLKIT0
++ $(MKDIR_P) $(DESTDIR)$(rulesdir)
++ $(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
++endif ! WITH_POLKIT0
++
+ uninstall-data-polkit::
+ rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
+ rmdir $(DESTDIR)$(policydir) || :
++if ! WITH_POLKIT0
++ rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
++ rmdir $(DESTDIR)$(rulesdir) || :
++endif ! WITH_POLKIT0
++
+ else ! WITH_POLKIT
+ install-data-polkit::
+ uninstall-data-polkit::
+diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
+new file mode 100644
+index 0000000..01a15fa
+--- /dev/null
++++ b/daemon/libvirt.rules
+@@ -0,0 +1,9 @@
++// Allow any user in the 'libvirt' group to connect to system libvirtd
++// without entering a password.
++
++polkit.addRule(function(action, subject) {
++ if (action.id == "org.libvirt.unix.manage" &&
++ subject.isInGroup("libvirt")) {
++ return polkit.Result.YES;
++ }
++});
+diff --git a/libvirt.spec.in b/libvirt.spec.in
+index a84b19d..5de085b 100644
+--- a/libvirt.spec.in
++++ b/libvirt.spec.in
+@@ -1583,9 +1583,9 @@ then
+ fi
+
+ %if %{with_libvirtd}
++%pre daemon
+ %if ! %{with_driver_modules}
+ %if %{with_qemu}
+-%pre daemon
+ %if 0%{?fedora} || 0%{?rhel} >= 6
+ # We want soft static allocation of well-known ids, as disk images
+ # are commonly shared across NFS mounts by id rather than name; see
+@@ -1599,11 +1599,21 @@ if ! getent passwd qemu >/dev/null; then
+ useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
+ fi
+ fi
+-exit 0
+ %endif
+ %endif
+ %endif
+
++ %if %{with_polkit}
++ %if 0%{?fedora} || 0%{?rhel} >= 6
++# 'libvirt' group is just to allow password-less polkit access to
++# libvirtd. The uid number is irrelevant, so we use dynamic allocation
++# described at the above link.
++getent group libvirt >/dev/null || groupadd -r libvirt
++ %endif
++ %endif
++
++exit 0
++
+ %post daemon
+
+ %if %{with_network}
+@@ -1919,6 +1929,7 @@ exit 0
+ %if 0%{?fedora} || 0%{?rhel} >= 6
+ %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
+ %{_datadir}/polkit-1/actions/org.libvirt.api.policy
++%{_datadir}/polkit-1/rules.d/50-libvirt.rules
+ %else
+ %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
+ %endif
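Review bot: The header comment of the new daemon/libvirt.rules, and the %pre comment in libvirt.spec.in that calls the group "just" a convenience, do not tell an administrator that membership in 'libvirt' is a privileged grant. The rule returns `polkit.Result.YES` for `org.libvirt.unix.manage` on group membership alone, and management access to the system libvirtd (which normally runs as root) is in practice equivalent to root on the host. I would add to the rules file header something like `// NOTE: membership in 'libvirt' is effectively root-equivalent on this host; add users deliberately.` and say the same in the spec comment, which also refers to the gid as a "uid". The rule does not consult `subject.local` or `subject.active`, so it presumably also applies to remote login sessions of group members; if that is intended, the comment should state it so that auditors reviewing group membership know the scope.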