4

I have a Fedora workstation running an Ubuntu 16.04 virtual machine (KVM hypervisor). I'd like to redirect a USB device to the VM, but when selecting "Virtual Machine | Redirect USB device" from virt-manager, I get the following error:

spice-client-error-quark: Could not redirect <USB device name> at 1-4:
Error setting USB device node ACL: 'Not authorized' (0)

The error window has a "Details" section which just reads "USB redirection error".

Here is what I've tried so far, without success:

  1. As suggested here, I created a /etc/udev/rules.d/50-spice.rules file with the following contents, then created a `spice` group and added my user to this group

    SUBSYSTEM=="usb", GROUP="spice", MODE="0660"
SUBSYSTEM=="usb_device", GROUP="spice", MODE="0660"

  2. Downgraded spice-gtk from the latest version of Fedora 33 (0.39-1) to 0.38-3.

  3. Disabled selinux

  4. sudo chmod 4755 /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper

  5. Upgraded to Fedora 34 which comes with spice-gtk 0.39-2

Romain Deterre
  • 161
  • 1
  • 6

2 Answers2

2

The solution for me was to create the /etc/udev/rules.d/50-spice.rules files, then to add <allow_any>yes</allow_any> under the <defaults> section in /usr/share/polkit-1/actions/org.spice-space.lowlevelusbaccess.policy. After modification, the file looks like this on my machine:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
          "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
          "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
<policyconfig>

  <vendor>The Spice Project</vendor>
  <vendor_url>http://spice-space.org/</vendor_url>
  <icon_name>spice</icon_name>

  <action id="org.spice-space.lowlevelusbaccess">
    <description>Low level USB device access</description>
    <message>Privileges are required for low level USB device access (for usb device pass through).</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

</policyconfig>
Romain Deterre
  • 161
  • 1
  • 6
1

More correct should be: (depends on linux distribution):

file: /etc/polkit-default-privs/local or /etc/polkit-default-privs.local

add to the file the line (or generate the file/directory): org.spice-space.lowlevelusbaccess yes:no:yes

after this run: /sbin/set_polkit_default_privs

if opensuse then in addition:

in the file /etc/permissions.local add the line: /usr/bin/spice-client-glib-usb-acl-helper root:root 4755 after this run: chkstat --system --set

simoN

simon
  • 11
  • 1