Description of problem:
Fails to connect to the libvirtd server with TLS when access_driver is enabled in libvirtd.conf
Version-Release number of selected component (if applicable):
qemu-kvm-1.5.3-4.el7.x86_64
kernel-3.10.0-14.el7.x86_64
libvirt-1.1.1-6.el7.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Prepare the TLS environment.
You can see the attachment named tls_configuration.txt
2. Connect to the libvirtd service with TLS while access_driver is not enabled in libvirtd.conf
# virsh -c qemu+tls://zhwang7/system
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh # list --all
Id Name State
----------------------------------------------------
- rhel7 shut off
- rhel73 shut off
- rhel7qcow2 shut off
3. Connect to the libvirtd service with TLS while access_driver is enabled in libvirtd.conf
cat /etc/libvirt/libvirtd.conf
#access_drivers = [ "polkit" ]
access_drivers = [ "polkit" ]
# virsh -c qemu+tls://zhwang7/system
error: failed to connect to the hypervisor
error: access denied
Check the log info in libvirtd.log
2013-09-23 07:29:55.659+0000: 5752: error : virAccessDriverPolkitFormatProcess:97 : internal error: No UNIX process ID available
2013-09-23 07:29:55.659+0000: 5752: error : virAccessManagerSanitizeError:203 : access denied
2013-09-23 07:29:55.659+0000: 5752: error : virAccessManagerSanitizeError:203 : access denied
2013-09-23 07:29:55.659+0000: 5744: error : virNetSocketReadWire:1369 : Cannot recv data: Input/output error
Actual results:
Fails to connect to the libvirtd server with TLS
Expected results:
Should connect to libvirt with TLS successfully while access_driver is enabled in libvirtd.conf
Additional info:
The polkit access control driver will only work for UNIX domain sockets. If you wish to use TCP sockets, then you must disable the access control driver.
Hi DB
I just re-checked this bug and have a new doubt about it. As we know, the polkit access control driver was designed for nonprivileged users, and it shouldn't affect the root user's functionality. So I think the root user should be able to connect to libvirt with TLS successfully while the access control driver is enabled, as in comment 0's description. I saw your explanation in comment 3; I think this explanation should only apply to nonprivileged users and shouldn't limit the root user. Maybe it is necessary to re-open this bug. What's your opinion? Can you help me have a look? Thanks
When a client connects over TCP sockets, there is no way of knowing that the user at the other end of the socket is "root". This is precisely why the access control mechanism only works for UNIX sockets.
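The point made in the last comment can be seen at the socket level. The following is an added illustration, not libvirt code and not part of the original bug thread: on Linux a server can ask the kernel who is on the other end of a UNIX socket with SO_PEERCRED, while a TCP connection carries no such kernel-attested pid or uid. The function names and the wording of the deny message are constructed for this example.

```python
import os
import socket
import struct

UCRED = struct.Struct("iII")   # Linux struct ucred: pid_t pid, uid_t uid, gid_t gid
NO_ID = 0xFFFFFFFF             # (uid_t)-1, what the kernel reports when it has no credential


def peer_identity(sock):
    """Return (pid, uid, gid) only if the kernel vouches for the peer, else None."""
    try:
        raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    except OSError:
        return None                       # option not supported for this socket
    pid, uid, gid = UCRED.unpack(raw)
    if pid <= 0 or uid == NO_ID:
        return None                       # non-UNIX sockets: no process behind the fd
    return pid, uid, gid


def unix_pair():
    return socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)


def tcp_pair():
    # Loopback TCP connection; even here the kernel attaches no peer credential.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        client = socket.create_connection(listener.getsockname())
        server, _ = listener.accept()
    return server, client


def authorize(sock):
    """Fail closed when a process-based policy check has no process to check."""
    ident = peer_identity(sock)
    if ident is None:
        return "access denied: no UNIX process ID available"
    return "check policy for pid=%d uid=%d" % ident[:2]


def demo():
    results = {}
    for name, make in (("unix", unix_pair), ("tcp", tcp_pair)):
        server, client = make()
        try:
            results[name] = authorize(server)
        finally:
            server.close()
            client.close()
    return results
```

A uid sent by the client inside the TLS stream would be a claim by the remote host, not a kernel-attested fact, so it cannot stand in for the credential that is missing on the TCP side.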