Bugzilla – Full Text Bug Listing
| Summary: | AUDIT-WHITELIST: libvirt: Review new polkit permissions for node device save | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | James Fehlig <jfehlig> |
| Component: | Security | Assignee: | Matthias Gerstner <matthias.gerstner> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | ||
| Version: | Current | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
James Fehlig
2024-03-06 22:35:21 UTC
This libvirt authentication layer is strange, a lot of these no:no:no actions. I wonder if anybody uses this stuff. We will have a look though and adjust our polkit-default-privs.

The change was introduced in version 10.1.0 via upstream commit 69f9e7dbc24657e85761f03574779540d0f18315. It is just an incremental addition, a save method for node device objects that hasn't been implemented before. Nothing in the underlying authentication framework changes due to this. The no:no:no setting is as safe as it can get so I'll whitelist it.

The whitelisting process started.

This is an autogenerated message for OBS integration: This bug (1221094) was mentioned in https://build.opensuse.org/request/show/1156045 Factory / polkit-default-privs

(In reply to Matthias Gerstner from comment #3)
> The whitelisting process started.

Thanks a lot! As for your question about anybody using this stuff: I'm not aware of anyone using polkit to restrict access to individual objects or their operations. Maybe it's better said that I haven't seen any related bug reports :-). I suspect polkit is primarily used to authenticate the initial connection.

the whitelisting is in Factory now
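The no:no:no triplet discussed in this report is the three polkit implicit authorizations (`allow_any`, `allow_inactive`, `allow_active`) for an action. The sketch below is an added example, not part of the bug report and not openSUSE's or libvirt's own tooling: it reads the defaults from a policy file and compares them with a whitelist. The action ids are placeholders, the sample data is constructed, and the `<action> <any>:<inactive>:<active>` whitelist line format is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy; action ids are placeholders, not libvirt's real ones.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.api.node-device.save"><defaults>
    <allow_any>no</allow_any><allow_inactive>no</allow_inactive><allow_active>no</allow_active>
  </defaults></action>
  <action id="org.example.api.node-device.write"><defaults>
    <allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive><allow_active>yes</allow_active>
  </defaults></action>
</policyconfig>"""

# Constructed whitelist, assumed format: "<action> <any>:<inactive>:<active>".
SAMPLE_WHITELIST = """# reviewed actions
org.example.api.node-device.save no:no:no
org.example.api.node-device.write auth_admin:auth_admin:auth_admin
"""

FIELDS = ("allow_any", "allow_inactive", "allow_active")

def policy_defaults(xml_text):
    """Map action id -> 'any:inactive:active'; a missing element is treated here as 'no'."""
    out = {}
    for action in ET.fromstring(xml_text).iter("action"):
        d = action.find("defaults")
        vals = [(d.findtext(f) if d is not None else None) or "no" for f in FIELDS]
        out[action.get("id")] = ":".join(v.strip() for v in vals)
    return out

def parse_whitelist(text):
    """Parse whitelist lines, ignoring blank lines and '#' comments."""
    wl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            action, triplet = line.split()
            wl[action] = triplet
    return wl

def audit(xml_text, whitelist_text):
    """Return (action, reason, shipped triplet) for unreviewed or changed actions."""
    wl = parse_whitelist(whitelist_text)
    return [(a, "not whitelisted" if a not in wl else "differs from whitelist", t)
            for a, t in sorted(policy_defaults(xml_text).items()) if wl.get(a) != t]

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_WHITELIST):
        print(*finding)
```

An action shipped as no:no:no and whitelisted as such produces no finding; the second sample action is reported because its `allow_active` value is more permissive than the reviewed entry.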