libvirt/0011-polkit-Allow-password-...

From: Cole Robinson <crobinso@redhat.com>
Date: Tue, 28 Apr 2015 17:38:00 -0400
Subject: [PATCH] polkit: Allow password-less access for 'libvirt' group

Many users, who admin their own machines, want to be able to access
system libvirtd via tools like virt-manager without having to enter
a root password. Just google 'virt-manager without password' and
you'll find many hits. I've read at least 5 blog posts over the years
describing slightly different ways of achieving this goal.

Let's finally add official support for this.

Install a polkit-1 rules file granting password-less auth for any user
in the new 'libvirt' group. Create the group on RPM install

https://bugzilla.redhat.com/show_bug.cgi?id=957300
(cherry picked from commit e94979e901517af9fdde358d7b7c92cc055dd50c)
---
 daemon/Makefile.am   | 13 +++++++++++++
 daemon/libvirt.rules |  9 +++++++++
 libvirt.spec.in      | 15 +++++++++++++--
 3 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 daemon/libvirt.rules

diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index b95a79d..9c5ea37 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -53,6 +53,7 @@ EXTRA_DIST =						\
 	libvirtd.init.in				\
 	libvirtd.upstart				\
 	libvirtd.policy.in				\
+	libvirt.rules					\
 	libvirtd.sasl					\
 	libvirtd.service.in				\
 	libvirtd.socket.in				\
@@ -233,6 +234,8 @@ policyauth = auth_admin_keep_session
 else ! WITH_POLKIT0
 policydir = $(datadir)/polkit-1/actions
 policyauth = auth_admin_keep
+rulesdir = $(datadir)/polkit-1/rules.d
+rulesfile = libvirt.rules
 endif ! WITH_POLKIT0
 endif WITH_POLKIT

@@ -263,9 +266,19 @@ if WITH_POLKIT
 install-data-polkit::
 	$(MKDIR_P) $(DESTDIR)$(policydir)
 	$(INSTALL_DATA) libvirtd.policy $(DESTDIR)$(policydir)/org.libvirt.unix.policy
+if ! WITH_POLKIT0
+	$(MKDIR_P) $(DESTDIR)$(rulesdir)
+	$(INSTALL_DATA) $(srcdir)/$(rulesfile) $(DESTDIR)$(rulesdir)/50-libvirt.rules
+endif ! WITH_POLKIT0
+
 uninstall-data-polkit::
 	rm -f $(DESTDIR)$(policydir)/org.libvirt.unix.policy
 	rmdir $(DESTDIR)$(policydir) || :
+if ! WITH_POLKIT0
+	rm -f $(DESTDIR)$(rulesdir)/50-libvirt.rules
+	rmdir $(DESTDIR)$(rulesdir) || :
+endif ! WITH_POLKIT0
+
 else ! WITH_POLKIT
 install-data-polkit::
 uninstall-data-polkit::
diff --git a/daemon/libvirt.rules b/daemon/libvirt.rules
new file mode 100644
index 0000000..01a15fa
--- /dev/null
+++ b/daemon/libvirt.rules
@@ -0,0 +1,9 @@
+// Allow any user in the 'libvirt' group to connect to system libvirtd
+// without entering a password.
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.libvirt.unix.manage" &&
+        subject.isInGroup("libvirt")) {
+        return polkit.Result.YES;
+    }
+});
diff --git a/libvirt.spec.in b/libvirt.spec.in
index dc327a2..a23629d 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -1631,9 +1631,9 @@ then
 fi

 %if %{with_libvirtd}
+%pre daemon
     %if ! %{with_driver_modules}
         %if %{with_qemu}
-%pre daemon
             %if 0%{?fedora} || 0%{?rhel} >= 6
 # We want soft static allocation of well-known ids, as disk images
 # are commonly shared across NFS mounts by id rather than name; see
@@ -1647,11 +1647,21 @@ if ! getent passwd qemu >/dev/null; then
     useradd -r -g qemu -G kvm -d / -s /sbin/nologin -c "qemu user" qemu
   fi
 fi
-exit 0
             %endif
         %endif
     %endif

+    %if %{with_polkit}
+        %if 0%{?fedora} || 0%{?rhel} >= 6
+# 'libvirt' group is just to allow password-less polkit access to
+# libvirtd. The uid number is irrelevant, so we use dynamic allocation
+# described at the above link.
+getent group libvirt >/dev/null || groupadd -r libvirt
+        %endif
+    %endif
+
+exit 0
+
 %post daemon

     %if %{with_systemd}
@@ -1925,6 +1935,7 @@ exit 0
         %if 0%{?fedora} || 0%{?rhel} >= 6
 %{_datadir}/polkit-1/actions/org.libvirt.unix.policy
 %{_datadir}/polkit-1/actions/org.libvirt.api.policy
+%{_datadir}/polkit-1/rules.d/50-libvirt.rules
         %else
 %{_datadir}/PolicyKit/policy/org.libvirt.unix.policy
         %endif