PolKit rule and API match

Θεοφάνης Κοντογιάννης theophanis_kontogiannis at yahoo.gr
Wed Apr 8 15:00:36 UTC 2020


Hi All,

I am trying to implement the following use case.

User sfrag is logged on the host via ssh.
Running 'virsh list --all' should trigger PolKit authentication and present ALL domains suffixed with -SF.
I have used and adapted the example from: libvirt.org Git - libvirt.git/blob - examples/polkit/libvirt-acl.rules



Adapted the setup so that I included user sfrag.

The user was always asked to authenticate via root and not via SELF, but ONLY if running "virsh -c qemu:///system list --all".
Had to change /etc/libvirt/libvirtd.conf to include:


auth_unix_ro = "polkit"
access_drivers = [ "polkit" ]
log_filters="1:access.accessdriverpolkit"
log_outputs="1:file:/var/log/libvirt/libvirtd.log"


All polkit rules for user sfrag were removed at this point.

Now the user sfrag running 'virsh list --all' gives no output to /var/log/libvirt/libvirtd.log or /var/log/secure.
Running the same as user root gives interesting results in the logs:


org.libvirt.api.connect.getattr
org.libvirt.api.connect.search-domains
org.libvirt.api.domain.getattr (for every defined domain)
org.libvirt.api.domain.read (again for every defined domain).


Virsh is using qemu:///session as the default URI.

Why is running virsh as non-root not triggering polkit or any API calls (based on the log file output), while running the same as root gives all the interesting output?

Which implies that running virsh as root results in different actions compared to calling it as non-root.

Thank you for your time.

BR
Theophanis Kontogiannis
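
An added example, not part of the original message or of libvirt's own example file: a polkit rule for the use case described above, limited to the four API actions listed from the log. It assumes the connection goes to qemu:///system (where the polkit access driver was configured) and that the domains use the QEMU driver; `decide`, `endsWithSuffix` and the `Result` stand-in are hypothetical names so the logic can also be exercised outside polkitd.

```javascript
// Added example (not from the original message).
// USER and SUFFIX are taken from the message; helper names are hypothetical.
var USER = "sfrag";
var SUFFIX = "-SF";

// Outside polkitd (e.g. under node) there is no global `polkit`; use a
// constructed stand-in so the decision logic can be run offline.
var Result = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NO: "no", NOT_HANDLED: "not handled" };

// Connection-level actions seen in the log; they carry no domain attributes.
var CONNECT_ACTIONS = [
    "org.libvirt.api.connect.getattr",
    "org.libvirt.api.connect.search-domains"
];
// Per-domain actions seen in the log, checked once for every defined domain.
var DOMAIN_ACTIONS = [
    "org.libvirt.api.domain.getattr",
    "org.libvirt.api.domain.read"
];

function endsWithSuffix(name) {
    return typeof name === "string" && name.slice(-SUFFIX.length) === SUFFIX;
}

function decide(action, subject) {
    // Leave other users and non-libvirt-API actions to other rules/defaults.
    if (subject.user !== USER) return Result.NOT_HANDLED;
    if (action.id.indexOf("org.libvirt.api.") !== 0) return Result.NOT_HANDLED;

    if (CONNECT_ACTIONS.indexOf(action.id) !== -1) return Result.YES;

    if (DOMAIN_ACTIONS.indexOf(action.id) !== -1 &&
        action.lookup("connect_driver") === "QEMU" &&
        endsWithSuffix(action.lookup("domain_name"))) {
        return Result.YES;
    }
    // Any other org.libvirt.api.* request from USER is denied, so domains
    // without the suffix are filtered out of the listing.
    return Result.NO;
}

// Inside polkitd the global `polkit` exists and the rule is registered.
if (typeof polkit !== "undefined") {
    polkit.addRule(decide);
}
```

Placed in a file under /etc/polkit-1/rules.d/, polkitd supplies the `polkit` object and the last statement registers the rule.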


