Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-61727

domainAttachHostDevices doesn't use DBus, preventing the use of Access Control policies.

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • None
    • rhel-9.4.z
    • cockpit-machines
    • None
    • No
    • Important
    • rhel-sst-cockpit
    • ssg_front_door
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • None

      The implementation of domainDetachHostDevice uses DBus, but domainAttachHostDevices uses virt-xml. This situation prevents the use of DBus policies for Access Control (for example, preventing unprivileged users from adding devices using cockpit).

      Restricting access when virt-xml is used requires polkit, which in turn is incompatible with libvirt-dbus.

      This conflicts with what we advise customers to do in our documentation:

      Troubleshooting

    Currently, configuring libvirt to use polkit makes it impossible to connect to VMs using the RHEL 9 web console, due to an incompatibility with the libvirt-dbus service.

    If you require fine-grained access control of VMs in the web console, create a custom D-Bus policy. For instructions, see How to configure fine-grained control of Virtual Machines in Cockpit in the Red Hat Knowledgebase.

      Package version: cockpit-machines-308.3-1.el9_4

              jira-bugzilla-migration RH Bugzilla Integration
              rhn-support-jeperez Jesus Perez
              RH Bugzilla Integration RH Bugzilla Integration
              Yunming Yang Yunming Yang
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated: