PolicyKit Javascript rules with catchall

So the desktop is ruled by PolicyKit which is awesome. It includes sets of rules about who can run certain actions (such as mounting an internal drive).

The rules are read in lexical order from the /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d directories.

You can get a list of available actions with the command:
$ pkaction

There may come a time when you want to tweak those rules though, to make management of your system easier. For example, managing virt-manager without a password if you’re in the wheel group (the action is org.libvirt.unix.manage). If so, you can create a rules file with a name like “10-my-policy.rules” in either directory above.

polkit.addRule(function(action, subject) {
    // Let members of wheel with an active session manage libvirt
    // without being asked for a password.
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("wheel") && subject.active) {
        return polkit.Result.YES;
    }
    // Anything else is not handled here: later rules and the action's
    // own defaults decide.
});

Some related tasks have several actions, like configuring cups:
$ pkaction | grep cups
org.opensuse.cupspkhelper.mechanism.all-edit
org.opensuse.cupspkhelper.mechanism.class-edit
org.opensuse.cupspkhelper.mechanism.devices-get
org.opensuse.cupspkhelper.mechanism.job-edit
org.opensuse.cupspkhelper.mechanism.job-not-owned-edit
org.opensuse.cupspkhelper.mechanism.printer-enable
org.opensuse.cupspkhelper.mechanism.printer-local-edit
org.opensuse.cupspkhelper.mechanism.printer-remote-edit
org.opensuse.cupspkhelper.mechanism.printer-set-default
org.opensuse.cupspkhelper.mechanism.printeraddremove
org.opensuse.cupspkhelper.mechanism.server-settings

Previously, before the new javascript format, one could match all those actions with:
org.opensuse.cupspkhelper.mechanism.*

That doesn’t work with js though, so this is how you can do it:
polkit.addRule(function(action, subject) {
    // indexOf() == 0 means "action id starts with this prefix". Note that
    // without a trailing "." the prefix would also match an id such as
    // org.opensuse.cupspkhelper.mechanismfoo.x, so add the dot if you
    // want only the ids under that namespace.
    if (action.id.indexOf("org.opensuse.cupspkhelper.mechanism") == 0 &&
        subject.isInGroup("wheel") && subject.active) {
        return polkit.Result.YES;
    }
    // Not handled: fall through to later rules and the action defaults.
});

Changes are picked up straight away, so just save the file and test!
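As an added example (not from the post), here is the same prefix rule with a trailing dot and an extra subject.local check, plus a small harness that mimics the engine so the decision can be checked under node before the file goes into rules.d. Real polkit supplies the global polkit object and the action/subject objects; the ones here are constructed stand-ins with only the members the rule uses.

```javascript
// Constructed stand-in for the global `polkit` object (real polkit provides
// it, with the same Result strings). Only what the rule below needs.
var polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule: function (fn) { this.rules.push(fn); }
};

// Trailing dot matters: without it "org.opensuse.cupspkhelper.mechanismfoo.x"
// would also pass the indexOf() === 0 test.
var CUPS_PREFIX = "org.opensuse.cupspkhelper.mechanism.";

// This addRule() call is the part that belongs in e.g. 10-my-policy.rules.
// subject.local additionally excludes remote (non-console) sessions.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf(CUPS_PREFIX) === 0 &&
      subject.isInGroup("wheel") && subject.active && subject.local) {
    return polkit.Result.YES;
  }
  // Falling off the end returns undefined: not handled, later rules and
  // the action's own defaults decide.
});

// Mimic the engine: run rules in order, first defined result wins.
function decide(actionId, subject) {
  var action = { id: actionId };
  for (var i = 0; i < polkit.rules.length; i++) {
    var r = polkit.rules[i](action, subject);
    if (r !== undefined) { return r; }
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed subjects; isInGroup(), active and local mirror what real
// polkit exposes on its subject object.
function subjectIn(groups, active, local) {
  return {
    active: active, local: local,
    isInGroup: function (g) { return groups.indexOf(g) !== -1; }
  };
}

var admin = subjectIn(["wheel", "users"], true, true);
var remoteAdmin = subjectIn(["wheel"], true, false);
var user = subjectIn(["users"], true, true);

console.log(decide("org.opensuse.cupspkhelper.mechanism.job-edit", admin));
```

The engine itself can be exercised the same way once the file is installed, by running pkcheck --action-id with one of the cups action ids as a wheel and a non-wheel user.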

2 thoughts on “PolicyKit Javascript rules with catchall”

  1. I’m a little confused about the differences between the functionality Polkit can offer and functionality SELinux or ACLs can offer, too. It seems they overlap, don’t they?

  2. I’m no expert but I guess polkit is like a central authentication system for managing tasks. You can have a bunch of different services, programs, whatever and you don’t need to know how to configure each one, you can just tweak the central rule.

    Take virt-manager for example. You could edit the config and set the permission type to be unix and then set what user and group has read or read/write access to the socket, set mask, then restart the service. Or you could just tweak a polkit rule.

    Also ACLs are more a file level thing if I’m not mistaken, so that won’t help in all cases about how to configure a system (it might in virt-manager as it can be set up to be based on read/write to the pipe, although you still have to set the config file to use that authentication method).

    SELinux is more about security – preventing processes or people from doing things they aren’t meant to. Like, cups can’t write to /var/www/http.

    Polkit would be more like, here’s an action on adding a printer, now the rule says who can run that (and whose password they need to authenticate, could be none, root, or their own).
