[Pkg-libvirt-maintainers] Bug#764826: Bug#764826: Please move policykit rules to /usr/share/polkit-1/rules.d/

Guido Günther agx at sigxcpu.org
Sun Oct 12 08:05:29 UTC 2014


On Sat, Oct 11, 2014 at 06:59:01PM +0200, Michael Biebl wrote:
> Am 11.10.2014 um 18:30 schrieb Guido Günther:
> > Hi Michael,
> > On Sat, Oct 11, 2014 at 04:26:57PM +0200, Michael Biebl wrote:
> >> Package: libvirt-daemon-system
> >> Version: 1.2.9-2
> >> Severity: normal
> >>
> >> Hi,
> >>
> >> package provided policykit rules files are supposed to go to
> >> /usr/share/polkit-1/rules.d/.
> >> /etc/polkit-1/rules.d/ is reserved for local changes by the admin.
> >>
> >> Please consider moving the file.
> > 
> > I do wonder why 40sudo and 50default is in there then? Are these bugs
> > too? 
> 
> Yeah, probably.
> 
> > The idea was to make it simple to get rid of the libvirt group having
> > access to the socket by removing the file.
> 
> Afaics, the mechanism to grant users access to the socket, is
> "adduser <user> libvirt". So it seems more natural to simply remove
> users from the group again instead of removing the policy alltogether.
> 
> That said, if the intention is to disable this rule, you can simply do a
> "touch /etc/polkit-1/rules.d/60-libvirt.rules". This will override the
> system provided rules file.

But this wouldn't get carried over e.g. renaming the file while in
/etc/ we'd have the maintscript helper but I agree that we shouldn't
do things different than other polkit using packages here.
Thanks for the explanation,
 -- Guido

> The idea behind moving default configuration data to /usr is to make
> stateless systems possible.



More information about the Pkg-libvirt-maintainers mailing list