Home / server / Questions / 809378
Accepted
Dravigon
Asked: 2016-10-17 10:03:31 +0800 CST

How to use libvirt's polkit?

  • 772

I just saw the polkit reference page for libvirt and created the following rule

//content of /etc/polkit-1/rules.d/50-libvirt.rules
polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.api.domain.getattr" &&
    subject.user == "dravigon") {
      if (action.lookup("connect_driver") == 'QEMU' &&
          action.lookup("domain_name") == 'debian8') {
        return polkit.Result.YES;
      } else {
        return polkit.Result.NO;
      }
}

});

in hopes of limiting the user dravigon only to access the domain debian8 from qemu/kvm driver
but it is not working at all can anyone say where i went wrong

virtualization linux kvm-virtualization libvirt

1 Answers

  1. Best Answer

    Just followed the instrucions in fedora polkit page and found he answer
    i must add another block it seems only the second block is useless without the first one

    // Allow passwordless connection to qemu:///system
polkit.addRule(function(action, subject) {
  if (action.id == "org.libvirt.unix.manage" &&
      subject.user == "MY-USER") {
      return polkit.Result.YES;
  }
});
// Give full access to 'test-day-vm'
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
        subject.user == "MY_USER") {
          if (action.lookup("connect_driver") == 'QEMU' &&
              action.lookup("domain_name") == 'test-day-vm') {
            return polkit.Result.YES;
          } else {
            return polkit.Result.NO;
          }
    }
});

    REFERENCE:https://fedoraproject.org/wiki/QA:Testcase_Virt_ACLs

    • 0