Re: Network denied access

Thank you for taking the time to respond. I want to mention that I don't speak English, and it's difficult for me to understand using a translator.

In the file /etc/libvirt/libvirtd.conf, I have the following:
access_drivers = [ "polkit" ]


The virtqemud and virtnetworkd services are not installed. I used the version from the Debian 12 repositories.

systemctl status virtnetworkd.socket
Unit virtnetworkd.socket could not be found.

systemctl status virtqemud.socket
Unit virtqemud.socket could not be found.

In the file /etc/libvirt/qemu.conf, the default configuration is present.

Best regards.


On Thu, 6 Feb 2025 at 20:48, Rodrigo Prieto (<rodrigoprieto2019@xxxxxxxxx>) wrote:



On Thu, 6 Feb 2025 at 12:55, Martin Kletzander (<mkletzan@xxxxxxxxxx>) wrote:
On Fri, Jan 31, 2025 at 03:34:03AM -0300, Rodrigo Prieto wrote:
>Hello,
>
>I am configuring Polkit using an example I found on the web. It correctly
>displays the assigned domain for a given user, but when I try to start the
>VM, I get the following error:
>
>error: Failed to start domain 'debian12'
>error: access denied: 'network' denied access
>
>Here is my configuration:
>
>polkit.addRule(function(action, subject) {
>  if (action.id == "org.libvirt.unix.manage" &&
>      subject.user == "lolo") {
>      return polkit.Result.YES;
>  }
>});
>polkit.addRule(function(action, subject) {
>    if (action.id.indexOf("org.libvirt.api.domain.") ==  0 &&
>        subject.user == "lolo") {
>          if (action.lookup("connect_driver") == 'QEMU' &&
>              action.lookup("domain_name") == 'debian12') {
>            return polkit.Result.YES;
>          } else {
>            return polkit.Result.NO;
>          }
>    }
>});
>

So doing this allows you to do anything with debian12 domain on the QEMU
connection driver.

>To grant network access, I have to configure the following:
>
>polkit.addRule(function(action, subject) {
>    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
>        subject.user == "lolo") {
>        return polkit.Result.YES;
>    }
>});
>

Adding this allows you to do anything with any network.  This rule does
omit a condition similar to the above one from the api.domain rule.

>The problem with the previous configuration is that it allows full access
>to the network, requiring the following configuration:
>

*to all the networks

>polkit.addRule(function(action, subject) {
>    if ((action.id == "org.libvirt.api.network.stop" ||
>         action.id == "org.libvirt.api.network.delete" ||
>         action.id == "org.libvirt.api.network.write") &&
>        subject.user == "lolo") {
>        return polkit.Result.NO;
>    }
>});
>
>By default, shouldn't network access behave like domains or pools, which
>cannot be deleted?

Can you not?  The domain undefine API checks domain:delete ACL with the
domain name and network undefine API checks network:delete ACL with the
network name.  I'll have to test it, but in the meantime could you try
reproducing that with the same polkit rules (obviously modified to fit
the domain/network difference)?

>I tested it on Libvirt 9.0.0 and 10.0.0
>

I did not find any difference between 9.0.0 and the current master with
a quick git-fu.

I tested it on current git master and it works fine, the user can
undefine both the network and the domain, but only the one named as
specified.

>If you can help me, I would really appreciate it.

Be sure to check that both virtqemud and virtnetworkd use polkit as
their access driver in their respective configs.

Have a nice day,
Martin
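One way to scope the network rule the same way the domain rule in the thread is scoped, as an added example that is not part of this thread or of libvirt's own files: the `polkit` object below is a small constructed stand-in for the real rule engine so the rules can be run under Node, while the two `polkit.addRule(...)` bodies are what would go into a `.rules` file. It assumes the libvirt ACL attribute name `network_name` and an example network called `default`.

```javascript
// Added example (not from the thread): a minimal stand-in for polkit's rule
// engine so the libvirt rules can be exercised offline. In production only
// the polkit.addRule(...) calls go into /etc/polkit-1/rules.d/<name>.rules.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  // Like polkit: rules run in order, the first one returning a value decides.
  check(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return "not_handled";
  },
};

// Domain rule from the thread: everything on 'debian12' over QEMU, nothing else.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
      subject.user == "lolo") {
    if (action.lookup("connect_driver") == "QEMU" &&
        action.lookup("domain_name") == "debian12") {
      return polkit.Result.YES;
    }
    return polkit.Result.NO;
  }
});

// Network rule scoped to one network via the network_name ACL attribute,
// instead of a blanket YES on every org.libvirt.api.network.* action.
// The network name 'default' is an assumed example value.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.libvirt.api.network.") == 0 &&
      subject.user == "lolo") {
    return action.lookup("network_name") == "default"
      ? polkit.Result.YES : polkit.Result.NO;
  }
});

// Build an action object the way polkit hands it to rules (id + lookup()).
function decide(id, attrs, user) {
  const action = { id, lookup: (key) => attrs[key] };
  return polkit.check(action, { user });
}

// Network undefine checks network:delete with the network name, so this is denied.
console.log(decide("org.libvirt.api.network.delete", { network_name: "other" }, "lolo")); // prints "no"
```

Users other than `lolo` fall through both rules, so polkit's default for the action still applies to them.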
