Bugzilla – Bug 1221094
AUDIT-WHITELIST: libvirt: Review new polkit permissions for node device save
Last modified: 2024-03-15 11:50:06 UTC
libvirt commit 6e36f266514 introduced a new polkit rule for the node-device.save operation that has been flagged by rpmlint:

    [ 264s] libvirt-daemon-common.x86_64: E: polkit-untracked-privilege (Badness: 10000) org.libvirt.api.node-device.save (no:no:no)

I suppose it needs to be reviewed and whitelisted, similar to past occurrences such as bug#1186270.
This libvirt authentication layer is strange, a lot of these no:no:no actions. I wonder if anybody uses this stuff. We will have a look though and adjust our polkit-default-privs.
The change was introduced in version 10.1.0 via upstream commit 69f9e7dbc24657e85761f03574779540d0f18315. It is just an incremental addition, a save method for node device objects that hasn't been implemented before. Nothing in the underlying authentication framework changes due to this. The no:no:no setting is as safe as it can get so I'll whitelist it.
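The kind of check behind the rpmlint error above, as an added example that is not part of the bug thread and is not rpmlint's or polkit-default-privs' own code: it reads the implicit-authorization defaults from a polkit policy file and reports actions that are absent from a whitelist or whose packaged defaults differ from it. The sample policy, the whitelist line, the `org.example.hypothetical.manage` action and the function names are constructed; the whitelist layout and the treatment of a missing element as `no` are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed polkit .policy sample: only the first action id and its no:no:no
# defaults come from the bug report; the second action is hypothetical.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.libvirt.api.node-device.save">
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>no</allow_active>
    </defaults>
  </action>
  <action id="org.example.hypothetical.manage">
    <defaults><allow_any>auth_admin</allow_any><allow_active>yes</allow_active></defaults>
  </action>
</policyconfig>"""

# Constructed whitelist; the "action any:inactive:active" layout is an assumption.
SAMPLE_WHITELIST = "org.example.hypothetical.manage auth_admin:no:auth_admin  # constructed\n"

FIELDS = ("allow_any", "allow_inactive", "allow_active")

def parse_policy(xml_text):
    """Map action id -> 'any:inactive:active' (assumption: missing element = 'no')."""
    actions = {}
    for action in ET.fromstring(xml_text).iter("action"):
        actions[action.get("id")] = ":".join(
            (action.findtext(f"defaults/{f}") or "no").strip() for f in FIELDS)
    return actions

def parse_whitelist(text):
    """Parse 'action any:inactive:active' lines, ignoring '#' comments."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return {row[0]: row[1] for row in rows if len(row) == 2}

def audit(policy_xml, whitelist_text):
    """Return sorted (kind, action, triple) findings for untracked or changed actions."""
    allowed = parse_whitelist(whitelist_text)
    findings = []
    for action, triple in sorted(parse_policy(policy_xml).items()):
        if action not in allowed:
            findings.append(("untracked", action, triple))
        elif allowed[action] != triple:
            findings.append(("mismatch", action, triple))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_WHITELIST):
        print(*finding)
```

Adding a line for `org.libvirt.api.node-device.save no:no:no` to the whitelist text clears the untracked finding, while the hypothetical action stays flagged because its packaged `allow_active` is more permissive than the whitelisted value.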
The whitelisting process started.
This is an autogenerated message for OBS integration:
This bug (1221094) was mentioned in
https://build.opensuse.org/request/show/1156045 Factory / polkit-default-privs
(In reply to Matthias Gerstner from comment #3)
> The whitelisting process started.

Thanks a lot! As for your question about anybody using this stuff: I'm not aware of anyone using polkit to restrict access to individual objects or their operations. Maybe it's better said that I haven't seen any related bug reports :-). I suspect polkit is primarily used to authenticate the initial connection.
The whitelisting is in Factory now.