Hello,

I am configuring Polkit using an example I found on the web. It correctly
displays the assigned domain for a given user, but when I try to start the
VM, I get the following error:

error: Failed to start domain 'debian12'
error: access denied: 'network' denied access

Here is my configuration:

polkit.addRule(function(action, subject) {
  if (action.id == "org.libvirt.unix.manage" &&
      subject.user == "lolo") {
      return polkit.Result.YES;
  }
});
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
        subject.user == "lolo") {
        if (action.lookup("connect_driver") == 'QEMU' &&
            action.lookup("domain_name") == 'debian12') {
            return polkit.Result.YES;
        } else {
            return polkit.Result.NO;
        }
    }
});

To grant network access, I have to configure the following:

polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
        subject.user == "lolo") {
        return polkit.Result.YES;
    }
});

The problem with the previous configuration is that it allows full access
to the network, requiring the following configuration:

polkit.addRule(function(action, subject) {
    if ((action.id == "org.libvirt.api.network.stop" ||
         action.id == "org.libvirt.api.network.delete" ||
         action.id == "org.libvirt.api.network.write") &&
        subject.user == "lolo") {
        return polkit.Result.NO;
    }
});

By default, shouldn't network access behave like domains or pools, which
cannot be deleted?
I tested it on Libvirt 9.0.0 and 10.0.0.

If you can help me, I would really appreciate it.
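
Added example, not part of the original message and not libvirt's own code: polkit calls rules in order and stops at the first one that returns a value, so a single allowlist rule avoids depending on where a separate deny rule is placed. The network name "default", the ALLOWED list (which actions a domain start actually checks should be confirmed against the daemon's logs), and the stand-in polkit object and evaluate() helper are assumptions made so the rule can be run under Node.

```javascript
// Added example. Constructed stand-in for polkitd so the rule runs under Node;
// in a real rules file only the constants and the polkit.addRule(...) call stay.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no" },
  addRule: (fn) => rules.push(fn),
};

// Assumed values: adjust the network name and the action list to your setup.
const USER = "lolo";
const NETWORK = "default";
const ALLOWED = [
  "org.libvirt.api.network.getattr",
  "org.libvirt.api.network.read",
  "org.libvirt.api.network-port.create",
  "org.libvirt.api.network-port.delete",
];

// One rule: allowlisted actions on the one named network get YES, every other
// network or network-port action gets NO, anything else falls through.
polkit.addRule(function (action, subject) {
  if (subject.user != USER) return undefined;
  if (action.id.indexOf("org.libvirt.api.network.") != 0 &&
      action.id.indexOf("org.libvirt.api.network-port.") != 0) {
    return undefined; // not a network action: leave it to other rules
  }
  if (ALLOWED.indexOf(action.id) >= 0 &&
      action.lookup("network_name") == NETWORK) {
    return polkit.Result.YES;
  }
  return polkit.Result.NO;
});

// polkitd semantics: rules are called in order until one returns a value.
function evaluate(id, user, attrs) {
  const action = { id: id, lookup: (key) => attrs[key] };
  for (const rule of rules) {
    const result = rule(action, { user: user });
    if (result !== undefined && result !== null) return result;
  }
  return null; // no rule decided; polkitd falls back to the action's defaults
}
```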
