diff --git a/docs/auth.html.in b/docs/auth.html.in index ab6c3e94527277f3a0462e6b3455881489cce007..13731eb766fa331b3d23a8696af1cfc4a591e1b7 100644 --- a/docs/auth.html.in +++ b/docs/auth.html.in @@ -65,29 +65,27 @@ auth, but does not require that the client application ultimately run as root. Default policy will still allow any application to connect to the RO socket.
-The default policy can be overridden by the administrator using the PolicyKit
-master configuration file in /etc/PolicyKit/PolicyKit.conf
. The
-PolicyKit.conf(5)
manual page provides details on the syntax
-available. The two libvirt daemon actions available are named org.libvirt.unix.monitor
-for the RO socket, and org.libvirt.unix.manage
for the RW socket.
-
/etc/polkit-1/localauthority/50-local.d/
.
+Policy files should have a unique name ending with .pkla. Using reverse DNS
+naming works well. Information on the options available can be found by
+reading the pklocalauthority man page. The two libvirt daemon actions
+available are named org.libvirt.unix.manage
for full management
+access, and org.libvirt.unix.monitor
for read-only access.
+
-As an example, to allow a user fred
full access to the RW socket,
-while requiring joe
to authenticate with the admin password,
-would require adding the following snippet to PolicyKit.conf
.
-
- <match action="org.libvirt.unix.manage"> - <match user="fred"> - <return result="yes"/> - </match> - </match> - <match action="org.libvirt.unix.manage"> - <match user="joe"> - <return result="auth_admin"/> - </match> - </match> -+As an example, this gives the user
fred
full management access:
+
+[Allow fred libvirt management permissions] +Identity=unix-user:fred +Action=org.libvirt.unix.manage +ResultAny=yes +ResultInactive=yes +ResultActive=yes+
+Further examples of PolicyKit setup can be found on the +wiki page. +
The plain TCP socket of the libvirt daemon defaults to using SASL for authentication.
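Review bot: The new .pkla example for fred sets ResultAny=yes, ResultInactive=yes and ResultActive=yes together, which grants org.libvirt.unix.manage without any authentication to every session fred has, including inactive ones. The removed PolicyKit.conf example also showed joe with auth_admin, and that case has no replacement. Suggest adding a second entry that shows ResultActive=auth_admin for a user who must authenticate with the admin password, and a sentence saying which sessions each of the three Result* keys applies to, so readers do not copy all three lines as a unit. The paragraph above the example says policy files need a unique name ending with .pkla and recommends reverse DNS naming, but never shows one; a concrete example filename next to the 50-local.d directory would make that instruction usable.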