policykit

security → policykit

If you have found this page you may already have trouble with this policykit. Afaik the major issue is, that policykit by itself does not log what it prohibits. To activate logging and debug successfully you need a special policykit rule file under /etc/polkit-1/rules.d/, which was written in javascript for some evil reason:

// /etc/polkit-1/rules.d/99-logall.rules
polkit.addRule(function(action, subject) {
                polkit.log("action=" + action);
                polkit.log("subject=" + subject);
});

The number 99 is believed to be the last rule file in that directory, so that when it gets called it will log to syslog. Check journalctl -xef while running the command that previously failed to get an understanding what wents wrong. Note, that policykit is smart enough to recognize rule changes by itself so that changing or adding files to that directory is enough. Just in case systemctl restart polkit restarts polkit.

Some examples #

Fix mount failed issues caused by udisk (make sure you are in the storage user group):

// 50-udisks.rules
polkit.addRule(function(action, subject) {
   if (action.id.indexOf("org.freedesktop.udisks") == 0) {
     if (subject.isInGroup("storage")) {
           return polkit.Result.YES;
     }
  }
});

Fix NetworkManager not being able to connect due to a permission denied-issue (make sure you are in the network user group):

// 50-org.freedesktop.NetworkManager.rules
polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) {
    return polkit.Result.YES;
  }
});

Fix permission issue with pcsc-tools (used for hbci online banking):

// 10-pcsc.rules
polkit.addRule(function(action, subject) {
    if (action.id == "access_card" &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
        }
});

Fix permissions so that tools like virt-manager with libvirt work:

// 98-libvirt-user.rules
polkit.addRule(function(action, subject) {
        if ( subject.isInGroup("kvm") )
        {
                if (action.id == "org.libvirt.unix.manage")
                { return polkit.Result.YES; }
        }
        return polkit.Result.NO;
});

Fix permissions for pamac update tray icon and installation manager (user has to be member of the wheel group):

// 40-pamac.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.manjaro.pamac.commit" &&
        subject.isInGroup("wheel")) {
            return polkit.Result.YES;
        }
});