So I tried reproducing your issue on a fresh install of debian 12:
root@debian12:~# cat /etc/polkit-1/rules.d/10-reproducer.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.user == "lolo") {
        return polkit.Result.YES;
    }
});
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
        subject.user == "lolo") {
        if (action.lookup("connect_driver") == 'QEMU' &&
            action.lookup("domain_name") == 'debian12') {
            return polkit.Result.YES;
        } else {
            return polkit.Result.NO;
        }
    }
});
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
        subject.user == "lolo") {
        return polkit.Result.YES;
    }
});

root@debian12:~# grep '^[^#]' /etc/libvirt/libvirtd.conf
access_drivers = [ "polkit" ]

lolo@debian12:~$ cat .config/libvirt/libvirt.conf
uri_default = "qemu:///system"

lolo@debian12:~$ virsh uri
qemu:///system

root@debian12:~# virsh list --all
 Id   Name       State
---------------------------
 -    debian12   shut off
 -    debian13   shut off

lolo@debian12:~$ virsh list --all
 Id   Name       State
---------------------------
 -    debian12   shut off

lolo@debian12:~$ virsh net-list --all
 Name      State      Autostart   Persistent
----------------------------------------------
 default   inactive   no          yes

lolo@debian12:~$ virsh undefine debian13
error: failed to get domain 'debian13'

lolo@debian12:~$ virsh undefine debian12
Domain 'debian12' has been undefined

lolo@debian12:~$ virsh net-undefine default
Network default has been undefined

So they do behave the same. There must be some other misconfiguration
on your part.
Martin
On Fri, Feb 07, 2025 at 03:18:21AM -0300, Rodrigo Prieto wrote:
Thank you for taking the time to respond. I want to mention that I don't
speak English, and it's difficult for me to understand using a translator.
In the file */etc/libvirt/libvirtd.conf*, I have the following:
access_drivers = [ "polkit" ]
The *virtqemud* and *virtnetworkd* services are not installed. I used the
version from the Debian 12 repositories.
systemctl status virtnetworkd.socket
Unit virtnetworkd.socket could not be found.
systemctl status virtqemud.socket
Unit virtqemud.socket could not be found.
In the file */etc/libvirt/qemu.conf*, the default configuration is present.
Best regards.
On Thu, Feb 6, 2025 at 20:48, Rodrigo Prieto (<rodrigoprieto2019(a)gmail.com>)
wrote:
> Thank you for taking the time to respond. I want to mention that I don't
> speak English, and it's difficult for me to understand using a translator.
>
> In the file */etc/libvirt/libvirtd.conf*, I have the following:
> access_drivers = [ "polkit" ]
>
>
> The *virtqemud* and *virtnetworkd* services are not installed. I used the
> version from the Debian 12 repositories.
>
> systemctl status virtnetworkd.socket
> Unit virtnetworkd.socket could not be found.
>
> systemctl status virtqemud.socket
> Unit virtqemud.socket could not be found.
>
> In the file */etc/libvirt/qemu.conf*, the default configuration is
> present.
>
> Best regards.
>
> On Thu, Feb 6, 2025 at 12:55, Martin Kletzander (<mkletzan(a)redhat.com>)
> wrote:
>
>> On Fri, Jan 31, 2025 at 03:34:03AM -0300, Rodrigo Prieto wrote:
>> >Hello,
>> >
>> >I am configuring Polkit using an example I found on the web. It correctly
>> >displays the assigned domain for a given user, but when I try to start the
>> >VM, I get the following error:
>> >
>> >error: Failed to start domain 'debian12'
>> >error: access denied: 'network' denied access
>> >
>> >Here is my configuration:
>> >
>> >polkit.addRule(function(action, subject) {
>> >    if (action.id == "org.libvirt.unix.manage" &&
>> >        subject.user == "lolo") {
>> >        return polkit.Result.YES;
>> >    }
>> >});
>> >polkit.addRule(function(action, subject) {
>> >    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
>> >        subject.user == "lolo") {
>> >        if (action.lookup("connect_driver") == 'QEMU' &&
>> >            action.lookup("domain_name") == 'debian12') {
>> >            return polkit.Result.YES;
>> >        } else {
>> >            return polkit.Result.NO;
>> >        }
>> >    }
>> >});
>> >
>>
>> So doing this allows you to do anything with debian12 domain on the QEMU
>> connection driver.
>>
>> >To grant network access, I have to configure the following:
>> >
>> >polkit.addRule(function(action, subject) {
>> >    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
>> >        subject.user == "lolo") {
>> >        return polkit.Result.YES;
>> >    }
>> >});
>> >
>>
>> Adding this allows you to do anything with any network. This rule does
>> omit a condition similar to the above one from the api.domain rule.
>>
>> >The problem with the previous configuration is that it allows full access
>> >to the network, requiring the following configuration:
>> >
>>
>> *to all the networks
>>
>> >polkit.addRule(function(action, subject) {
>> >    if ((action.id == "org.libvirt.api.network.stop" ||
>> >         action.id == "org.libvirt.api.network.delete" ||
>> >         action.id == "org.libvirt.api.network.write") &&
>> >        subject.user == "lolo") {
>> >        return polkit.Result.NO;
>> >    }
>> >});
>> >
>> >By default, shouldn't network access behave like domains or pools, which
>> >cannot be deleted?
>>
>> Can you not? The domain undefine API checks domain:delete ACL with the
>> domain name and network undefine API checks network:delete ACL with the
>> network name. I'll have to test it, but in the meantime could you try
>> reproducing that with the same polkit rules (obviously modified to fit
>> the domain/network difference)?
>>
>> >I tested it on Libvirt 9.0.0 and 10.0.0
>> >
>>
>> I did not find any difference between 9.0.0 and the current master with
>> a quick git-fu.
>>
>> I tested it on current git master and it works fine, the user can
>> undefine both the network and the domain, but only the one named as
>> specified.
>>
>> >If you can help me, I would really appreciate it.
>>
>> Be sure to check that both virtqemud and virtnetworkd use polkit as
>> their access driver in their respective configs.
>>
>> Have a nice day,
>> Martin
>>
>
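
A network rule carrying the same kind of name condition as the api.domain rule discussed in this thread, as an added example that is not part of any message above. The `network_name` attribute is the one libvirt's polkit access driver documents for network objects; the `polkit` stand-in object and the `check()` helper are constructed here so the rules can be exercised under Node without polkitd, and the choice of the network `default` is an assumption taken from the `virsh net-list` output.

```javascript
// Constructed stand-in for polkitd's rule engine: rules run in the order
// they were added and the first one that returns a value decides.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no" },
  addRule: (fn) => rules.push(fn),
};

// ---- content of a rules.d file (domain rule as posted in the thread) ----
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
        subject.user == "lolo") {
        if (action.lookup("connect_driver") == 'QEMU' &&
            action.lookup("domain_name") == 'debian12') {
            return polkit.Result.YES;
        } else {
            return polkit.Result.NO;
        }
    }
});
// Network rule scoped by name: only the network 'default' is allowed,
// every other network is denied for this user.
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.network.") == 0 &&
        subject.user == "lolo") {
        if (action.lookup("network_name") == 'default') {
            return polkit.Result.YES;
        } else {
            return polkit.Result.NO;
        }
    }
});
// ---- end of rules.d content ----

// Hypothetical helper: evaluate one access check. `attrs` holds the
// details libvirt attaches to the action (domain_name, network_name, ...).
function check(id, attrs, user) {
  const action = { id, lookup: (key) => attrs[key] };
  for (const rule of rules) {
    const result = rule(action, { user });
    if (result !== undefined) return result;
  }
  // No rule matched: polkitd would fall back to the action's policy defaults.
  return "not-handled";
}
```

With this rule, `virsh net-undefine` on any network other than `default` is denied for `lolo`, matching how `virsh undefine debian13` is denied by the domain rule.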