Thank you for taking the time to respond. I want to mention that I don't speak English, and it's difficult for me to understand using a translator.

In the file */etc/libvirt/libvirtd.conf*, I have the following:
access_drivers = [ "polkit" ]

The *virtqemud* and *virtnetworkd* services are not installed. I used the version from the Debian 12 repositories.

systemctl status virtnetworkd.socket
Unit virtnetworkd.socket could not be found.

systemctl status virtqemud.socket
Unit virtqemud.socket could not be found.

In the file */etc/libvirt/qemu.conf*, the default configuration is present.

Best regards.

On Thu, 6 Feb 2025 at 20:48, Rodrigo Prieto (<rodrigoprieto2...@gmail.com>) wrote:

> Thank you for taking the time to respond. I want to mention that I don't
> speak English, and it's difficult for me to understand using a translator.
>
> In the file */etc/libvirt/libvirtd.conf*, I have the following:
> access_drivers = [ "polkit" ]
>
>
> The *virtqemud* and *virtnetworkd* services are not installed. I used the
> version from the Debian 12 repositories.
>
> systemctl status virtnetworkd.socket
> Unit virtnetworkd.socket could not be found.
>
> systemctl status virtqemud.socket
> Unit virtqemud.socket could not be found.
>
> In the file */etc/libvirt/qemu.conf*, the default configuration is
> present.
>
> Best regards.
>
> On Thu, 6 Feb 2025 at 12:55, Martin Kletzander (<mklet...@redhat.com>) wrote:
>
>> On Fri, Jan 31, 2025 at 03:34:03AM -0300, Rodrigo Prieto wrote:
>> >Hello,
>> >
>> >I am configuring Polkit using an example I found on the web. It correctly
>> >displays the assigned domain for a given user, but when I try to start the
>> >VM, I get the following error:
>> >
>> >error: Failed to start domain 'debian12'
>> >error: access denied: 'network' denied access
>> >
>> >Here is my configuration:
>> >
>> >polkit.addRule(function(action, subject) {
>> >    if (action.id == "org.libvirt.unix.manage" &&
>> >        subject.user == "lolo") {
>> >        return polkit.Result.YES;
>> >    }
>> >});
>> >polkit.addRule(function(action, subject) {
>> >    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
>> >        subject.user == "lolo") {
>> >        if (action.lookup("connect_driver") == 'QEMU' &&
>> >            action.lookup("domain_name") == 'debian12') {
>> >            return polkit.Result.YES;
>> >        } else {
>> >            return polkit.Result.NO;
>> >        }
>> >    }
>> >});
>> >
>>
>> So doing this allows you to do anything with debian12 domain on the QEMU
>> connection driver.
>>
>> >To grant network access, I have to configure the following:
>> >
>> >polkit.addRule(function(action, subject) {
>> >    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
>> >        subject.user == "lolo") {
>> >        return polkit.Result.YES;
>> >    }
>> >});
>> >
>>
>> Adding this allows you to do anything with any network. This rule does
>> omit a condition similar to the above one from the api.domain rule.
>>
>> >The problem with the previous configuration is that it allows full access
>> >to the network, requiring the following configuration:
>> >
>>
>> *to all the networks
>>
>> >polkit.addRule(function(action, subject) {
>> >    if ((action.id == "org.libvirt.api.network.stop" ||
>> >         action.id == "org.libvirt.api.network.delete" ||
>> >         action.id == "org.libvirt.api.network.write") &&
>> >        subject.user == "lolo") {
>> >        return polkit.Result.NO;
>> >    }
>> >});
>> >
>> >By default, shouldn't network access behave like domains or pools, which
>> >cannot be deleted?
>>
>> Can you not? The domain undefine API checks domain:delete ACL with the
>> domain name and network undefine API checks network:delete ACL with the
>> network name. I'll have to test it, but in the meantime could you try
>> reproducing that with the same polkit rules (obviously modified to fit
>> the domain/network difference)?
>>
>> >I tested it on Libvirt 9.0.0 and 10.0.0
>> >
>>
>> I did not find any difference between 9.0.0 and the current master with
>> a quick git-fu.
>>
>> I tested it on current git master and it works fine, the user can
>> undefine both the network and the domain, but only the one named as
>> specified.
>>
>> >If you can help me, I would really appreciate it.
>>
>> Be sure to check that both virtqemud and virtnetworkd use polkit as
>> their access driver in their respective configs.
>>
>> Have a nice day,
>> Martin
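
Added example, not part of the thread and not libvirt or polkit code: a small JavaScript harness that mimics polkit's first-result-wins rule evaluation, used to check a network rule scoped by name (the condition the reply says the broad network rule omits) together with the domain and deny rules quoted above. The `evaluate` helper and the network name 'default' are assumptions; `network_name` is the attribute libvirt's ACL documentation lists for network objects.

```javascript
// Stand-in for polkit's rule engine (constructed for this example): rules run
// in the order added and the first one to return a value decides.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no" },
  addRule: (fn) => rules.push(fn),
};

function evaluate(id, details, user) {
  // lookup() yields undefined for a detail the action does not carry.
  const action = { id, lookup: (key) => details[key] };
  for (const rule of rules) {
    const result = rule(action, { user });
    if (result !== undefined && result !== null) return result;
  }
  return "not-handled"; // real polkit falls back to the action's defaults
}

// Domain rule from the thread, unchanged.
polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
      subject.user == "lolo") {
    if (action.lookup("connect_driver") == 'QEMU' &&
        action.lookup("domain_name") == 'debian12') {
      return polkit.Result.YES;
    } else {
      return polkit.Result.NO;
    }
  }
});

// Deny rule from the thread; it must come before the allow rule below.
polkit.addRule(function(action, subject) {
  if ((action.id == "org.libvirt.api.network.stop" ||
       action.id == "org.libvirt.api.network.delete" ||
       action.id == "org.libvirt.api.network.write") &&
      subject.user == "lolo") {
    return polkit.Result.NO;
  }
});

// Network rule scoped by name. ASSUMPTION: the guest's network is 'default'.
polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.libvirt.api.network") == 0 &&
      subject.user == "lolo") {
    return action.lookup("network_name") == "default"
      ? polkit.Result.YES : polkit.Result.NO;
  }
});
```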