diff --git a/docs/auth.html.in b/docs/auth.html.in index afd6cd7f9b23268daa1451e38e58cd6676a9f2e0..33afe0a8ad5e3c4da81af77023845558c9cd04f2 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -184,15 +184,29 @@ Default policy will still allow any application to connect to the RO socket.
The default policy can be overridden by creating a new policy file in the
-local override directory /etc/polkit-1/localauthority/50-local.d/
.
-Policy files should have a unique name ending with .pkla. Using reverse DNS
-naming works well. Information on the options available can be found by
-reading the pklocalauthority man page. The two libvirt daemon actions
-available are named org.libvirt.unix.manage
for full management
-access, and org.libvirt.unix.monitor
for read-only access.
+/etc/polkit-1/rules.d
directory. Information on the options
+available can be found by reading the polkit(8)
man page. The
+two libvirt actions are named org.libvirt.unix.manage
for full
+management access, and org.libvirt.unix.monitor
for read-only
+access.
+
+As an example, creating /etc/polkit-1/rules.d/80-libvirt-manage.rules
+with the following gives the user fred
full management access
+when accessing from an active local session:
polkit.addRule(function(action, subject) { + if (action.id == "org.libvirt.unix.manage" && + subject.local && subject.active && subject.user == "fred") { + return polkit.Result.YES; + } +});
-As an example, this gives the user fred
full management access:
+Older versions of PolicyKit used policy files ending with .pkla in the
+local override directory /etc/polkit-1/localauthority/50-local.d/
.
+Compatibility with this older format is provided by polkit-pkla-compat. As an
+example, this gives the user fred
full management access:
[Allow fred libvirt management permissions] Identity=unix-user:fred @@ -200,10 +214,6 @@ Action=org.libvirt.unix.manage ResultAny=yes ResultInactive=yes ResultActive=yes-
-Further examples of PolicyKit setup can be found on the -wiki page. -
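Review bot: in the first hunk (@@ -184,15 +184,29 @@), the added paragraph that begins "Older versions of PolicyKit used policy files ending with .pkla" gives the reader no way to tell which of the two formats their host actually honours. Suggest naming the polkit version from which /etc/polkit-1/rules.d is read, or saying how to check. Otherwise an administrator can create 80-libvirt-manage.rules on a host that only reads 50-local.d, or the reverse, and assume the policy is in force. The removed text also advised unique file names; the new example uses an 80- prefix without saying what the number is for.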
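Review bot: in the second hunk (@@ -200,10 +214,6 @@), the retained context lines ResultAny=yes and ResultInactive=yes make the legacy .pkla example broader than the new rules.d example, which returns polkit.Result.YES only when subject.local && subject.active holds. Both are introduced as giving fred "full management access", so the two read as equivalent when they are not. Either state the difference in the sentence that introduces the .pkla block, or set ResultAny and ResultInactive to a value other than yes if the narrower scope is what the documentation intends to recommend. Separately, removing the wiki pointer leaves polkit(8) as the only reference for further examples; confirm that is intended.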