Re: Network denied access

So I tried reproducing your issue on a fresh install of debian 12:

root@debian12:~# cat /etc/polkit-1/rules.d/10-reproducer.rules
polkit.addRule(function(action, subject) {
  if (action.id == "org.libvirt.unix.manage" &&
      subject.user == "lolo") {
      return polkit.Result.YES;
  }
});
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
        subject.user == "lolo") {
        if (action.lookup("connect_driver") == 'QEMU' &&
            action.lookup("domain_name") == 'debian12') {
            return polkit.Result.YES;
        } else {
            return polkit.Result.NO;
        }
    }
});
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
        subject.user == "lolo") {
        return polkit.Result.YES;
    }
});

root@debian12:~# grep '^[^#]' /etc/libvirt/libvirtd.conf
access_drivers = [ "polkit" ]

lolo@debian12:~$ cat .config/libvirt/libvirt.conf
uri_default = "qemu:///system"
lolo@debian12:~$ virsh uri
qemu:///system

root@debian12:~# virsh list --all
 Id   Name       State
---------------------------
 -    debian12   shut off
 -    debian13   shut off

lolo@debian12:~$ virsh list --all
 Id   Name       State
---------------------------
 -    debian12   shut off

lolo@debian12:~$ virsh net-list --all
 Name      State      Autostart   Persistent
----------------------------------------------
 default   inactive   no          yes

lolo@debian12:~$ virsh undefine debian13
error: failed to get domain 'debian13'

lolo@debian12:~$ virsh undefine debian12
Domain 'debian12' has been undefined

lolo@debian12:~$ virsh net-undefine default
Network default has been undefined

So they do behave the same.  There must be some other misconfiguration
on your part.

Martin

On Fri, Feb 07, 2025 at 03:18:21AM -0300, Rodrigo Prieto wrote:
Thank you for taking the time to respond. I want to mention that I don't
speak English, and it's difficult for me to understand using a translator.

In the file */etc/libvirt/libvirtd.conf*, I have the following:
access_drivers = [ "polkit" ]


The *virtqemud* and *virtnetworkd* services are not installed. I used the
version from the Debian 12 repositories.

systemctl status virtnetworkd.socket
Unit virtnetworkd.socket could not be found.

systemctl status virtqemud.socket
Unit virtqemud.socket could not be found.

In the file */etc/libvirt/qemu.conf*, the default configuration is present.

Best regards.


On Thu, Feb 6, 2025 at 12:55, Martin Kletzander (<mkletzan@xxxxxxxxxx>)
wrote:

On Fri, Jan 31, 2025 at 03:34:03AM -0300, Rodrigo Prieto wrote:
>Hello,
>
>I am configuring Polkit using an example I found on the web. It correctly
>displays the assigned domain for a given user, but when I try to start the
>VM, I get the following error:
>
>error: Failed to start domain 'debian12'
>error: access denied: 'network' denied access
>
>Here is my configuration:
>
>polkit.addRule(function(action, subject) {
>  if (action.id == "org.libvirt.unix.manage" &&
>      subject.user == "lolo") {
>      return polkit.Result.YES;
>  }
>});
>polkit.addRule(function(action, subject) {
>    if (action.id.indexOf("org.libvirt.api.domain.") ==  0 &&
>        subject.user == "lolo") {
>          if (action.lookup("connect_driver") == 'QEMU' &&
>              action.lookup("domain_name") == 'debian12') {
>            return polkit.Result.YES;
>          } else {
>            return polkit.Result.NO;
>          }
>    }
>});
>

So doing this allows you to do anything with the debian12 domain on the QEMU
connection driver.

>To grant network access, I have to configure the following:
>
>polkit.addRule(function(action, subject) {
>    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
>        subject.user == "lolo") {
>        return polkit.Result.YES;
>    }
>});
>

Adding this allows you to do anything with any network.  This rule does
omit a condition similar to the above one from the api.domain rule.

>The problem with the previous configuration is that it allows full access
>to the network, requiring the following configuration:
>

*to all the networks

>polkit.addRule(function(action, subject) {
>    if ((action.id == "org.libvirt.api.network.stop" ||
>         action.id == "org.libvirt.api.network.delete" ||
>         action.id == "org.libvirt.api.network.write") &&
>        subject.user == "lolo") {
>        return polkit.Result.NO;
>    }
>});
>
>By default, shouldn't network access behave like domains or pools, which
>cannot be deleted?

Can you not?  The domain undefine API checks domain:delete ACL with the
domain name and network undefine API checks network:delete ACL with the
network name.  I'll have to test it, but in the meantime could you try
reproducing that with the same polkit rules (obviously modified to fit
the domain/network difference)?

>I tested it on Libvirt 9.0.0 and 10.0.0
>

I did not find any difference between 9.0.0 and the current master with
a quick git-fu.

I tested it on current git master and it works fine, the user can
undefine both the network and the domain, but only the one named as
specified.

>If you can help me, I would really appreciate it.

Be sure to check that both virtqemud and virtnetworkd use polkit as
their access driver in their respective configs.

Have a nice day,
Martin
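The difference between the two network rules discussed in this thread (one that grants every network API to the user, one that would be scoped like the domain rule) can be checked offline with a small model of polkit's rule evaluation. This is an added example, not code from the thread or from libvirt or polkit; it assumes `network_name` as the detail attribute libvirt passes for network objects (the network-side counterpart of `domain_name`, not named on this page), and it leaves out the `connect_driver` check because that value differs between monolithic libvirtd and the modular daemons.

```javascript
// Added example: a minimal stand-in for the polkit JavaScript rule engine.
// Rules run in order; the first one that returns a value decides, and a
// rule that returns nothing falls through (modelled here as NOT_HANDLED).
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

function authorize(actionId, details, user) {
  // action.lookup() returns the detail string or undefined, as in polkit.
  const action = { id: actionId, lookup: (key) => details[key] };
  const subject = { user };
  for (const rule of polkit._rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return polkit.Result.NOT_HANDLED;
}

// The network rule from the thread: every org.libvirt.api.network.* action
// is granted to lolo, whichever network is named in the request.
function broadNetworkRule(action, subject) {
  if (action.id.indexOf("org.libvirt.api.network") == 0 &&
      subject.user == "lolo") {
    return polkit.Result.YES;
  }
}

// The same rule scoped to one network, mirroring the domain_name check the
// domain rule on this page uses. `network_name` is the assumed attribute.
function scopedNetworkRule(action, subject) {
  if (action.id.indexOf("org.libvirt.api.network.") == 0 &&
      subject.user == "lolo") {
    if (action.lookup("network_name") == "default") {
      return polkit.Result.YES;
    }
    return polkit.Result.NO;
  }
}

// Evaluate the network:delete ACL (what `virsh net-undefine` hits) for a
// given rule set, network name and user, and return the decision.
function decide(rules, networkName, user = "lolo") {
  polkit._rules = rules;
  return authorize("org.libvirt.api.network.delete",
                   { network_name: networkName }, user);
}

console.log(decide([broadNetworkRule], "other"));   // yes: any network
console.log(decide([scopedNetworkRule], "other"));  // no: only "default"
```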



