cockpit-project / cockpit-machines

Cockpit UI for virtual machines
GNU Lesser General Public License v2.1

Machines: polkit rules not called by cockpit/libvirt #58

Open guerby opened 4 years ago

guerby commented 4 years ago

Fedora 32 cockpit 223-1 cockpit-machines 223-1

Here is what I did:

# id test1
uid=1010(test1) gid=1010(test1) groupes=1010(test1)
# cat /etc/polkit-1/rules.d/100-libvirt-acl.rules 
polkit.addRule(function(action, subject) {
    if (subject.user == "test1") {
        polkit.log("action=" + action);
        polkit.log("subject=" + subject);
        if (action.id == "org.libvirt.api.domain.getattr") {
            if (action.lookup("domain_name") == 'vmtest') {
                return polkit.Result.YES;
            } else {
                return polkit.Result.NO;
            }
        }
    }
});

## edit libvirtd.conf to add polkit as access_driver
# grep access_driver /etc/libvirt/libvirtd.conf
access_drivers = [ "polkit" ]

## restart both 
# systemctl restart polkit
# systemctl restart libvirtd

Logging in as test1 on https://localhost:9090, I see "Limited Access" on the top right of the web page. When I click on "machine" I see no machine at all, and the polkit.log output doesn't appear in journalctl -u polkit.

After a while I see only:

# journalctl -u polkit|grep 100-libvirt
 polkitd[176528]: /etc/polkit-1/rules.d/100-libvirt-acl.rules:3: action=[Action id='org.freedesktop.login1.inhibit-delay-shutdown']
 polkitd[176528]: /etc/polkit-1/rules.d/100-libvirt-acl.rules:4: subject=[Subject pid=179294 user='test1' groups=test1 seat=null session=null local=false active=true]

The issue seems to be that with my setup the polkit rules aren't called by cockpit/libvirt.

guerby commented 4 years ago

Note: to test, I added test1 to the wheel group (usermod -a -G wheel test1); then I was able to gain administrative access to all features of cockpit, including managing the VM, but still no call to my polkit rule.

guerby commented 4 years ago

From IRC: https://bugzilla.redhat.com/show_bug.cgi?id=1780400

I added test1 user to libvirt and libvirt-dbus groups

# id test1
uid=1010(test1) gid=1010(test1) groups=1010(test1),981(libvirt),972(libvirtdbus)

When logged into cockpit the user gains access to the VM listing. I cannot do anything (error "access denied" when I try to shut down, for example), but it has for some reason access to the VNC console of the VMs. I still do not get my polkit rule called.

Maybe a difference between RHEL7 and FC32 on some default?
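As an added example (not part of this issue or of libvirt/cockpit), here is a polkit rule for the libvirt access driver in the same JavaScript rule language, written so it can be unit-tested offline: it grants one user read-only visibility of an allow-listed set of domains and explicitly answers `org.libvirt.api.connect.getattr`, which libvirt checks before any domain action, so a rule that only answers `domain.getattr` never lets the user past the connection step. The `polkit` object below is a constructed stand-in for the real global in a rules.d file, and `ALLOWED_DOMAINS` and `evaluate` are this example's own names; the action ids and the `domain_name` lookup key follow libvirt's ACL documentation.

```javascript
// Constructed stand-in for polkit's global object (hypothetical mock for offline testing).
// In a real /etc/polkit-1/rules.d/*.rules file only the polkit.addRule(...) call is needed.
const polkit = {
  Result: { YES: "yes", NO: "no" },
  addRule: (fn) => { polkit.rule = fn; },
};

// Constructed allow-list: which user may see which libvirt domains, read-only.
const ALLOWED_DOMAINS = { test1: ["vmtest"] };

// Domain-scoped actions that only expose state; anything else on the domain is denied.
const READ_ONLY_ACTIONS = [
  "org.libvirt.api.domain.getattr",
  "org.libvirt.api.domain.read",
];

polkit.addRule(function (action, subject) {
  const allowed = ALLOWED_DOMAINS[subject.user];
  // Not one of our users, or not a libvirt API action: return no decision so the
  // action falls through to later rules and polkit's default for that action id.
  if (!allowed || action.id.indexOf("org.libvirt.api.") !== 0) {
    return undefined;
  }
  // libvirt checks connect.getattr on every connection before any domain action.
  if (action.id === "org.libvirt.api.connect.getattr") {
    return polkit.Result.YES;
  }
  // Read-only domain actions are allowed only for allow-listed domain names.
  if (READ_ONLY_ACTIONS.indexOf(action.id) !== -1) {
    return allowed.indexOf(action.lookup("domain_name")) !== -1
      ? polkit.Result.YES
      : polkit.Result.NO;
  }
  // Every other libvirt API action (start, stop, write, ...) is denied for this user.
  return polkit.Result.NO;
});

// Drives the installed rule with a constructed action/subject pair (test helper only).
function evaluate(user, actionId, attrs) {
  attrs = attrs || {};
  const action = { id: actionId, lookup: (key) => attrs[key] };
  return polkit.rule(action, { user: user });
}
```

To confirm the real rule is being consulted, the `polkit.log` calls from the original rule can be kept inside the function; they only appear in `journalctl -u polkit` once libvirtd is actually running with `access_drivers = [ "polkit" ]` and the connection goes to the system daemon.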