Today I learned the difference between qemu:///system and qemu:///session.

qemu:///system

  • The system instance, qemu:///system, is the libvirtd daemon running as root. It launches each VM as the unprivileged user qemu, and because the daemon itself is privileged it can grant a VM selective access to root-owned resources (bridged network interfaces, passthrough devices, storage pools).
  • Access to qemu:///system is mediated by polkit: a user who is not otherwise authorised is prompted for an administrator (root) password.
  • On most distributions, members of the libvirt group are granted access without a prompt through a shipped polkit rule (the group can be changed in the polkit configuration).
  • Because the VMs run as the qemu user, they cannot read files belonging to the desktop user running the frontend (virt-manager): a disk image in that user's home directory has to be readable by qemu, and a home directory with mode 0700 blocks it even when the image file itself is readable.

qemu:///session

  • The session instance, qemu:///session, is a per-user libvirtd that runs as the user and is started automatically on first connection. Each user has their own, isolated from the others, and the VMs run with the user's own privileges and nothing more.
  • Most privilege problems with qemu:///session are about networking: an unprivileged process cannot create tap devices or attach them to a bridge.
  • The default networking mode is user-mode networking (SLIRP), an IP stack running in user space inside the QEMU process. The guest can connect out, but inbound connections need explicit port forwarding and the guest is not a first-class host on the LAN.
  • Bridged networking is still possible through qemu-bridge-helper, a setuid-root helper binary (not a script) that creates the tap device and attaches it to a bridge, restricted to the bridges listed in its ACL file, /etc/qemu/bridge.conf (for example the line "allow virbr0"). Anyone who can edit that file can hand themselves any bridge on the host.
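As an added example (not code from the original post or from libvirt/QEMU), the following POSIX shell script mirrors the helper's ACL evaluation (rules are read in order, the first rule naming the bridge or saying "all" wins, include files are walked in place, and a bridge no rule mentions is denied) against a constructed sample bridge.conf, and performs the two checks that matter for a setuid helper: that the ACL file is not writable by group or others, and whether the helper binary actually carries the setuid bit. The sample ACL, the temporary directory and the two candidate helper paths (Debian and Fedora layouts) are assumptions of the example, not facts from the post.

```sh
#!/bin/sh
# Added example (not part of the original post or of libvirt/QEMU):
# evaluate a qemu-bridge-helper ACL the way the helper does and look for the
# permission mistakes that matter because the helper runs setuid root.
#
# /etc/qemu/bridge.conf syntax:  allow <bridge> | deny <bridge> |
#                                allow all | deny all | include <file>
# Rules are evaluated in order, the first rule naming the bridge (or "all")
# wins, and a bridge that no rule mentions is denied.

# _walk_acl CONF: walk CONF (and any included files) looking for the bridge
# in $_acl_bridge. Sets ACL_VERDICT and returns 0 at the first matching rule,
# returns 1 if nothing in this file (or its includes) matched.
_walk_acl() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                  # split "keyword argument"; unquoted on purpose
        [ $# -eq 0 ] && continue
        case $1 in
            '#'*) continue ;;         # comment line, as the helper treats it
            allow|deny)
                if [ "$2" = all ] || [ "$2" = "$_acl_bridge" ]; then
                    ACL_VERDICT=$1
                    return 0
                fi ;;
            include)
                [ -r "$2" ] && _walk_acl "$2" && return 0 ;;
            *) echo "warning: unknown rule '$1'" >&2 ;;
        esac
    done < "$1"
    return 1
}

# bridge_allowed CONF BRIDGE: print "allow" or "deny"; exit status 0 only on allow.
bridge_allowed() {
    _acl_bridge=$2
    ACL_VERDICT=deny                  # nothing matched: denied
    _walk_acl "$1" || true
    printf '%s\n' "$ACL_VERDICT"
    [ "$ACL_VERDICT" = allow ]
}

# acl_file_check FILE: the ACL must not be writable by group or others,
# otherwise any local user can grant themselves any bridge. Returns 0 if ok.
acl_file_check() {
    perms=$(ls -ld "$1" | cut -c1-10)
    owner=$(ls -ld "$1" | awk '{print $3}')
    case $perms in
        ?????w*|????????w?)           # char 6 = group write, char 9 = other write
            echo "FAIL: $1 ($perms, owner $owner) is group/world writable"
            return 1 ;;
        *)
            echo "ok: $1 ($perms, owner $owner)"
            return 0 ;;
    esac
}

# helper_check HELPER: the helper needs root to create the tap device and
# attach it to the bridge; report whether it is setuid and who owns it.
helper_check() {
    if [ ! -x "$1" ]; then echo "no helper at $1"; return 1; fi
    if [ -u "$1" ]; then
        echo "ok: $1 is setuid (owner $(ls -ld "$1" | awk '{print $3}'))"
    else
        echo "note: $1 is not setuid; bridged session networking needs it setuid root (or cap_net_admin)"
    fi
}

demo() {
    d=$(mktemp -d)
    # Constructed sample ACL for this example, not a real system's file.
    printf 'deny br-mgmt\ninclude %s/lab.conf\nallow virbr0\ndeny all\n' "$d" > "$d/bridge.conf"
    printf 'allow br-lab\n' > "$d/lab.conf"
    for b in virbr0 br-lab br-mgmt br0; do
        printf '%-8s -> ' "$b"; bridge_allowed "$d/bridge.conf" "$b" || true
    done
    chmod 666 "$d/bridge.conf"; acl_file_check "$d/bridge.conf" || true
    # Assumed helper locations (Debian/Ubuntu, then Fedora/RHEL); may not exist here.
    for h in /usr/lib/qemu/qemu-bridge-helper /usr/libexec/qemu-bridge-helper; do
        [ -e "$h" ] && helper_check "$h" || true
    done
    rm -rf "$d"
}
demo
```

Run acl_file_check and helper_check against the real /etc/qemu/bridge.conf and your distribution's helper path after setting up bridged session networking; a group- or world-writable ACL defeats the whole point of the setuid boundary.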

More information