Hi All,
I am trying to implement the following use case.
User sfrag is logged on the host via ssh.
Running 'virsh list --all' should trigger PolKit authentication and present ALL
domains suffixed with -SF
I have used and adapted the example
from: libvirt.org Git - libvirt.git/blob -
examples/polkit/libvirt-acl.rules
|
|
|
| | |
|
|
|
| |
libvirt.org Git - libvirt.git/blob - examples/polkit/libvirt-acl.rules
|
|
|
Adapted the setup so that I included user sfrag.
Always the user was asked to authenticate via root and not via SELF but ONLY if running
"virsh -c qemu:///system list --all"
Had to change /etc/libvirt/libvirtd.conf to include:
auth_unix_ro = "polkit"access_drivers = [ "polkit"
]log_filters="1:access.accessdriverpolkit"log_outputs="1:file:/var/log/libvirt/libvirtd.log"
All polkit rules for user sfrag was removed at this point.
Now the user sfrag running 'virsh list --all' gives no output to
/var/log/libvirt/libvirtd.log or /var/log/secure.
Running the same as user root gives interesting results in the logs:
org.libvirt.api.connect.getattrorg.libvirt.api.connect.search-domainsorg.libvirt.api.domain.getattr
(fore every defined domain)org.libvirt.api.domain.read (again for every defined domain).
Virsh is using qemu:///session as the default URI.
Why running virsh as non-root is not triggering polkit or any API calls (based on log
files output) and running the same as root, gives all the interesting output?
Which implies that running virsh as root results in different actions compaired to calling
it as non root.
Thank you for Your time.
BR
Theophanis Kontogiannis