On Fedora I can use gnome-boxes to create VM's as a non-root user. What makes this possible?

I’ve noticed that if I create and start a VM with Gnome Boxes the /usr/bin/qemu-system-x86_64 process started by Gnome Boxes runs as “me” the user. Equally I can just type /usr/bin/qemu-system-x86_64 in a shell and it runs without any permission errors. But how? I thought that some requirement for sudo or membership of the group libvirt would be required to start a virtual machine. I thought maybe it’s a polkit thing and took a look inside /etc/polkit-1 but didn’t see anything. What feature/configuration make running a VM as a normal user possible in Fedora?

QEMU relies on /dev/kvm for hardware virtualization:

> lsof /dev/kvm
qemu-syst 7691 vgaetera   14u   CHR 10,232      0t0  792 /dev/kvm

> ls -l /dev/kvm
crw-rw-rw-. 1 root kvm 10, 232 Jan 25 21:31 /dev/kvm

The necessary permissions are provided by systemd:

The libvirt group membership allows to access qemu:///system:

See also: qemu:///system vs qemu:///session | Cole Robinson

Thanks @vgaetera , for this very helpful information. The key information (for me at least) was in the post you shared, that was a real eye opener.

This means each user has their own qemu:///session VMs, separate from all other users. gnome-boxes and libguestfs use this by default.

So it’s because gnome-boxes chose to use qemu:///session that the VMs run as an unprivileged user.