How to add polkit-1 rule for a toolbox instance in Sericea?

How do I add a polkit-1 rule for a toolbox instance in Sericea? I am running virt-manager in a toolbox instance and am trying to get USB redirection working with a Windows 11 VM. I get this error when clicking the checkbox to enable USB redirection for a device in the VM via virt-manager:

spice-client-error-quark: Could not redirect <thing>
[3662:0001] at 7-9: Error setting USB device node ACL: 'Error PolicyKit error: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: Action org.spice-space.lowlevelusbaccess is not registered' (0)


From what I understand, I need to add a file (maybe called org.spice-space.policy?) somewhere, but I don’t know where. I believe the contents of that file should be this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
          "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
          "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>
  <vendor>The Spice Project</vendor>
  <vendor_url>http://spice-space.org/</vendor_url>
  <action id="org.spice-space.lowlevelusbaccess">
    <description>Low level USB device access</description>
    <message>Privileges are required for low level USB device access (for usb device pass through).</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>


sudo tee /etc/polkit-1/rules.d/99-libvirt-usb-access.rules <<EOF
// Allow low-level USB access (used by SPICE USB redirection) to members of
// the libvirt-usb group without prompting for authentication.
polkit.addRule(function(action, subject) {
    if (action.id == "org.spice-space.lowlevelusbaccess" &&
        subject.isInGroup("libvirt-usb")) {
        return polkit.Result.YES;
    }
});
EOF

# Create the group and add your user to it (re-login for the membership to apply).
sudo groupadd libvirt-usb
sudo usermod -aG libvirt-usb $USER

You could also just use libvirt or wheel, but this is specific.

Report if it works!

Btw the .pkla format is legacy and I don't know if it should be used. It is nice to write and there is a compatibility tool included though.

Sorry for the seriously late reply, but that won’t work because this is an Atomic spin of Fedora and only files under /var are writable. I looked up the documentation for polkit (polkit: polkit Reference Manual) and it looks like I need to create a file called org.spice-space.policy and put it in /usr/share/polkit-1/actions. However, I don’t know how to get a file there (since it isn’t under /var) or have polkit read action policies from a different directory.

e: maybe /etc is writable (Technical Information :: Fedora Docs) but the polkit documentation seems to say that actions are only read from /usr/share. “Actions correspond to operations that clients can request the mechanism to carry out and are defined in XML files that the mechanism installs into the /usr/share/polkit-1/actions directory.”

I am open to completely misunderstanding all this.

E2: I got a response from a friend on another forum and maybe your rule idea will work:

“I think you’re confusing an actions file with a rules file, and rules files can definitely be put in /etc/polkit-1/rules

Actions are securable behaviors that a system administrator might want to grant to (some) users under (some) circumstances, there’s literally no reason to write a new actions file unless you’re writing a new application; no existing application will suddenly start using the new name that you defined.

Rules are JavaScript that gets executed to decide whether to allow or deny an action, that’s the thing that you might want to customize for a particular system.”

I’ll have to try again tomorrow.

It looks like the solution was to install both libvirt and virt-manager through rpm-ostree. Doing that and nothing else got everything working. No need for extra configuration or anything.

Trying to do this in toolbox just would not work because it was relying on the system to be configured for usb redirection. No amount of making things configured correctly inside the toolbox mattered because that just is not what was preventing the toolbox version of virt-manager from getting access to the usb devices. It has to be done on the system level.

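A host-side check that makes the difference between "configured in the toolbox" and "registered on the system" visible. This is an added example, not code from the thread: it asks polkitd (over the system bus, so from inside a toolbox it still reports what the host knows) whether the action is registered and whether the caller would be authorised. It assumes the action id org.spice-space.lowlevelusbaccess, the one spice-gtk ships, and that the polkit CLI tools pkaction and pkcheck are available.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). pkaction and pkcheck query polkitd
# over the system bus, so run inside a toolbox they describe the HOST's state,
# which is why in-container .policy files change nothing.
# Assumed action id: org.spice-space.lowlevelusbaccess (shipped by spice-gtk).

ACTION_ID="${ACTION_ID:-org.spice-space.lowlevelusbaccess}"

# 0 if polkitd knows the action (its .policy file is installed on the host), 1 if not.
action_registered() {
    pkaction --action-id "$1" >/dev/null 2>&1
}

# Condense the "implicit any/inactive/active" lines of `pkaction --verbose`
# output (read from stdin) into one line such as "any=yes inactive=no active=yes".
summarise_defaults() {
    awk '/^ *implicit (any|inactive|active):/ {
             sub(/:$/, "", $2)
             s = s (length(s) ? " " : "") $2 "=" $3
         }
         END { print s }'
}

# 0 if this process would be authorised for the action right now
# (rules.d files and group membership included), non-zero otherwise.
caller_authorised() {
    pkcheck --action-id "$1" --process "$$" >/dev/null 2>&1
}

report() {
    id="$1"
    if ! command -v pkaction >/dev/null 2>&1; then
        echo "pkaction not found; install polkit on the host to run this check"
        return 0
    fi
    if action_registered "$id"; then
        echo "registered: $id ($(pkaction --verbose --action-id "$id" | summarise_defaults))"
        if caller_authorised "$id"; then
            echo "authorised: yes for uid $(id -u)"
        else
            echo "authorised: no (check /etc/polkit-1/rules.d and your group membership)"
        fi
    else
        echo "NOT registered: $id (no .policy file under /usr/share/polkit-1/actions on the host)"
    fi
}

report "$ACTION_ID"
```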

This is not tested or guaranteed, but as you saw, it only writes to /etc. /etc is a link to /ostree/deploy/…/etc or something (I forgot and am a bit confused), so it is writable too.

Yes, libvirt will be a package with many dependencies. Same with qemu-kvm, which doesn't contain files but to my knowledge acts like a group.

RPM groups don't work on rpm-ostree yet, I think. So these metapackages are helpful.