Libvirt polkit rule doesnt work?

I created a polkit rule to allow all users in the libvirt group to execute org.libvirt.unix.manage. The KDE password prompt shows the exact polkit action (another area of empowering UI :wink:)

So I added this rule

cat /etc/polkit-1/rules.s/org.libvirt.unix.manage.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.libvirt.unix.manage" &&
        subject.isInGroup("libvirt")) {
        return polkit.Result.YES;
    }
});

Added my user to the group

sudo -i

groupadd libvirt
usermod -aG libvirt user

But I get this??

groups
user user user user

And no matter how often I repeat, my user doesnt seem to get added to that group, whereas flatpak and plugdev do.

Did you logout and login again after usermod command?

1 Like

I always run that command as usermod -a -G libvirt user (note that the options are separated)

You can also check very easily if the user is added to the group by running grep user /etc/group to see exactly which groups that user is a member of.

$ groups
ME wheel cdrom dialout audio vboxusers boinc libvirt pipewire
$ grep ME /etc/group
wheel:x:10:ME
cdrom:x:11:ME
dialout:x:18:ME
audio:x:63:ME
pipewire:x:992:ME
libvirt:x:985:ME
ME:x:1000:
boinc:x:975:ME
vboxusers:x:970:ME

As noted adding a user to a group does not take effect until that user logs out and back in. Opening a new terminal does not count in this respect.

1 Like

I always run it as gpasswd -a user libvirt, it doesn’t have a chance to wipe all the user’s groups in case of an accidental missing option.

2 Likes

@ersen yes of course
@computersavvy that command had the same result

>> sudo groupadd libvirt
# group already exists

>> sudo usermod -aG libvirt user
>> sudo usermod -a -G libvirt user
>> sudo usermod -aG libvirt $USER

# reboot

>> id
uid=1001(user) gid=1001(user) Gruppen=1001(user),10(wheel),1000(admin),1002(plugdev) Kontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

>> groups
user wheel admin plugdev
>> gpasswd -a user libvirt
gpasswd: Group »libvirt« does not exist in /etc/group.

Fedora Silverblue > Troubleshooting > Unable to add user to group

2 Likes

damn didnt know that, because all the other groups worked?

But now I am also more interested in using libvirt in user mode as @siosm suggested. I could not find much about this, not yet digging in the docs.

This would be my wished solution and a change for Fedora to use that by default sounds like a good idea for security, as access to the libvirt daemon allows root on the host OS.

I mostly use session mode as it is suitable for workstation related tasks, but keep in mind that it does not support all features.

Using system mode is still necessary to manage virtual networks, utilize VM autostart, access guests over SSH by their VM name with NSS, etc.

See also:

2 Likes