, , , , ,

From Fedora-18 there has been some noticeable changes to polkit. Policy kit helps access to certain privileged process to unprivileged applications or users in this case. I generally use systems with SELinux Enabled and also confine my users. Since most of my job requires testing various applications , I keep creating a lot of vm’s (RHEL5,RHEL6). For this virt-manager is my preferred application.

Recently i have been assigned with a new Intel Hardware which has hardware Virtualization enabled with 1TB Hard disk. So installed Fedora-18 to create VM’s. My requirement is i should be able to install vm’s using Non-root user and that too with user who’s confined.

  • Create a user
        $ useradd test  
  • Map this user to staff_u selinux user
        $ semanage login -a -s staff_u test
        Login Name           SELinux User         MLS/MCS Range        Service
        __default__          user_u               s0                   *
        ceres                sysadm_u             s0-s0:c0.c1023       *
        juno                 staff_u              s0                   *
        root                 root                 s0-s0:c0.c1023       *
        system_u             system_u             s0-s0:c0.c1023       *
        test                 staff_u              s0-s0:c0.c1023       *
  • login as test user and connect to libvirt socket using virsh
        [mniranja@mniranja mar20]$ ssh test@
        test@'s password: 
        Last login: Wed Mar 20 00:20:13 2013 from localhost
        [test@dhcp201-167 ~]$ id -Z
  • Connect to libvirt socket
        [test@dhcp201-167 ~]$ virsh -c qemu:///system
        error: authentication failed: Authorization requires authentication but no agent is available.
        error: failed to connect to the hypervisor

As you can see above it doesn’t allow to connect , In earlier versions of Fedora, you could use policy kit to create a authorization rule to connect to libvirt socket. Refer Libvirt documentation. This method is also called Policy Kit LocalAuthority. So on Fedora-16 system i had the following rule

        [root@reserved 50-local.d]# cat 50-org.example-libvirt-remote-access.pkla 
        [Remote libvirt SSH access]

The above would allow users of group “virt” to access libvirt and manage libvirt through policy kit action “org.libvirt.unix.manage” . The above rules are placed in file 50-org.example-libvirt-remote-access.pkla under directory “/etc/polkit-1/localauthority/50-local.d”.
I hoped the same would work on Fedora-18 but it doesn’t as Policy kit localAuthority has been removed totally, instead all the custom policy kit rules should be placed under /etc/polkit-1/rules.d/ directory. Syntax of writing rules has been changed and Java Script syntax need to be used. Refer DavidZ blog for more information regarding the change.

On Fedora-18 i managed to do the same by adding the following rule file 10.virt.rules created under /etc/polkit-1/rules.d directory

        [root@dhcp201-167 rules.d]# cat 10.virt.rules 
        polkit.addRule(function(action, subject) {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
        var now = new Date();
        polkit.log("now=" + now)
        if ((action.id == "org.libvirt.unix.manage" || action.id == "org.libvirt.unix.monitor") && subject.isInGroup("virt")) {
        return polkit.Result.YES;
        return null;

Thanks To Gilbert , As you can see the above allows polkit action “libvirt.unix.manage” || “org.libvirt.unix.monitor” to all the users of group “virt”

  • Restart polkit service
        $ systemctl restart polkit.service
  • Add the user test to group virt
        $ usermod -aG virt test
  • login as test user and connect to libvirt using virsh
        [test@dhcp201-167 ~]$ id -Z
        [test@dhcp201-167 ~]$ id
        uid=1002(test) gid=1003(test) groups=1003(test),1001(virt) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
        [test@dhcp201-167 ~]$ virsh -c qemu:///system
        Welcome to virsh, the virtualization interactive terminal.
        Type:  'help' for help with commands
           'quit' to quit
  • Check the logs using journalctl
        [root@dhcp201-167 ~]# journalctl -xn
        -- Logs begin at Tue 2013-03-19 22:54:05 EDT, end at Wed 2013-03-20 00:43:25 EDT. --
        Mar 20 00:43:02 dhcp201-167.englab.pnq.redhat.com kernel: usb 1-1.3: Product: USB Optical Mouse
        Mar 20 00:43:02 dhcp201-167.englab.pnq.redhat.com kernel: usb 1-1.3: Manufacturer: PixArt
        Mar 20 00:43:02 dhcp201-167.englab.pnq.redhat.com kernel: input: PixArt USB Optical Mouse as /devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.3/1-1.3:1.0/input/in
        Mar 20 00:43:02 dhcp201-167.englab.pnq.redhat.com kernel: hid-generic 0003:0461:4E22.006D: input,hidraw0: USB HID v1.11 Mouse [PixArt USB Optical Mouse] on usb
        Mar 20 00:43:18 dhcp201-167.englab.pnq.redhat.com sshd[3722]: Accepted password for test from port 53789 ssh2
        Mar 20 00:43:18 dhcp201-167.englab.pnq.redhat.com systemd-logind[596]: New session 18 of user test.
        -- Subject: A new session 18 has been created for user test
        -- Defined-By: systemd
        -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
        -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/multiseat
        -- Documentation: http://www.freedesktop.org/wiki/Software/systemd/catalog/8d45620c1a4348dbb17410da57c60c66
        -- A new session with the ID 18 has been created for the user test.
        -- The leading process of the session is 3722.
        Mar 20 00:43:18 dhcp201-167.englab.pnq.redhat.com sshd[3722]: pam_unix(sshd:session): session opened for user test by (uid=0)
        Mar 20 00:43:25 dhcp201-167.englab.pnq.redhat.com polkitd[1688]: /etc/polkit-1/rules.d/10.virt.rules:2: action=[Action id='org.libvirt.unix.manage']
        Mar 20 00:43:25 dhcp201-167.englab.pnq.redhat.com polkitd[1688]: /etc/polkit-1/rules.d/10.virt.rules:3: subject=[Subject pid=3791 user='test' groups=test,virt,
        Mar 20 00:43:25 dhcp201-167.englab.pnq.redhat.com polkitd[1688]: /etc/polkit-1/rules.d/10.virt.rules:5: now=Wed Mar 20 2013 00:43:25 GMT-0400 (EDT)