Thank you for taking the time to respond. I want to mention that I don't
speak English, and it's difficult for me to understand using a translator.
In the file */etc/libvirt/libvirtd.conf*, I have the following:
access_drivers = [ "polkit" ]
The *virtqemud* and *virtnetworkd* services are not installed. I used the
version from the Debian 12 repositories.
systemctl status virtnetworkd.socket
Unit virtnetworkd.socket could not be found.
systemctl status virtqemud.socket
Unit virtqemud.socket could not be found.
In the file */etc/libvirt/qemu.conf*, the default configuration is present.
Best regards.
On Thu, 6 Feb 2025 at 12:55, Martin Kletzander (<mkletzan(a)redhat.com>)
wrote:
> On Fri, Jan 31, 2025 at 03:34:03AM -0300, Rodrigo Prieto wrote:
> >Hello,
> >
> >I am configuring Polkit using an example I found on the web. It correctly
> >displays the assigned domain for a given user, but when I try to start
> >the VM, I get the following error:
> >
> >error: Failed to start domain 'debian12'
> >error: access denied: 'network' denied access
> >
> >Here is my configuration:
> >
> >polkit.addRule(function(action, subject) {
> >    if (action.id == "org.libvirt.unix.manage" &&
> >        subject.user == "lolo") {
> >        return polkit.Result.YES;
> >    }
> >});
> >polkit.addRule(function(action, subject) {
> >    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
> >        subject.user == "lolo") {
> >        if (action.lookup("connect_driver") == 'QEMU' &&
> >            action.lookup("domain_name") == 'debian12') {
> >            return polkit.Result.YES;
> >        } else {
> >            return polkit.Result.NO;
> >        }
> >    }
> >});
> >
>
> So doing this allows you to do anything with debian12 domain on the QEMU
> connection driver.
>
> >To grant network access, I have to configure the following:
> >
> >polkit.addRule(function(action, subject) {
> >    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
> >        subject.user == "lolo") {
> >        return polkit.Result.YES;
> >    }
> >});
> >
>
> Adding this allows you to do anything with any network. This rule does
> omit a condition similar to the above one from the api.domain rule.
>
> >The problem with the previous configuration is that it allows full access
> >to the network, requiring the following configuration:
> >
>
> *to all the networks
>
> >polkit.addRule(function(action, subject) {
> >    if ((action.id == "org.libvirt.api.network.stop" ||
> >         action.id == "org.libvirt.api.network.delete" ||
> >         action.id == "org.libvirt.api.network.write") &&
> >        subject.user == "lolo") {
> >        return polkit.Result.NO;
> >    }
> >});
> >
> >By default, shouldn't network access behave like domains or pools, which
> >cannot be deleted?
>
> Can you not? The domain undefine API checks domain:delete ACL with the
> domain name and network undefine API checks network:delete ACL with the
> network name. I'll have to test it, but in the meantime could you try
> reproducing that with the same polkit rules (obviously modified to fit
> the domain/network difference)?
>
> >I tested it on Libvirt 9.0.0 and 10.0.0
> >
>
> I did not find any difference between 9.0.0 and the current master with
> a quick git-fu.
>
> I tested it on current git master and it works fine, the user can
> undefine both the network and the domain, but only the one named as
> specified.
>
> >If you can help me, I would really appreciate it.
>
> Be sure to check that both virtqemud and virtnetworkd use polkit as
> their access driver in their respective configs.
>
> Have a nice day,
> Martin
>
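As an added example, not code from either poster in this thread: the network rule given the same shape as the domain rule quoted above (scoped to one named network instead of granting every network), run through a small stand-in for polkit's rule engine so the allow/deny decisions can be checked offline. The `polkit` stub, `makeAction` and `decide` are constructed here for testing; `network_name` is assumed to be the attribute libvirt exposes for network ACL checks, and the network name `default` is a placeholder.

```javascript
// Stand-in for polkit's JS rule engine (constructed for offline testing, not
// the real polkitd): rules run in order, first non-null result decides.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
  check(action, subject) {
    for (const rule of this.rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return r;
    }
    return polkit.Result.NOT_HANDLED;
  },
};

// Build an action object with polkit's lookup() interface (constructed).
function makeAction(id, details) {
  return { id, lookup: (k) => details[k] };
}

polkit.addRule(function (action, subject) {
  if (action.id == "org.libvirt.unix.manage" && subject.user == "lolo") {
    return polkit.Result.YES;
  }
});

// Domain rule as in the thread: only the QEMU domain named debian12.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.libvirt.api.domain.") == 0 && subject.user == "lolo") {
    return action.lookup("connect_driver") == "QEMU" &&
           action.lookup("domain_name") == "debian12"
      ? polkit.Result.YES : polkit.Result.NO;
  }
});

// Network rule with the same shape: "lolo" may only act on the network named
// "default" (placeholder); every other network is denied, so there is no need
// for a separate deny rule for stop/delete/write. "network_name" is assumed.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.libvirt.api.network.") == 0 && subject.user == "lolo") {
    return action.lookup("network_name") == "default"
      ? polkit.Result.YES : polkit.Result.NO;
  }
});

// Evaluate one ACL check the way polkit would for the given user.
function decide(actionId, details, user) {
  return polkit.check(makeAction(actionId, details), { user });
}
```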