Debian libvirt-qemu pulseaudio user permissions

Hi all,

I’m struggling to allow the libvirt-qemu user permission to use my user’s pulseaudio server located at /run/user/1000/pulse/native/.

I’ve configured the ACLs to allow the user write permission on the socket, with the help of ChatGPT, but it is still getting connection refused if I attempt to test the user’s access with the following command:

sudo -u libvirt-qemu pactl info
Connection failure: Connection refused
pa_context_connect() failed: Connection refused

If I try to run the vm via virtual machine manager, I get a similar log output in the qemu log

pulseaudio: pa_context_connect() failed
pulseaudio: Reason: Connection refused
pulseaudio: Failed to initialize PA context
audio: Could not init `pa' audio driver

Does pulseaudio have another kind of authentication enabled by default which I need to add the libvirt-qemu user to?

I’m hitting up against the limit of ChatGPT’s abilities now.

One other thing to mention is I’m getting the following log line from AppArmor when I start the VM but I’m not sure if it’s relevant or not.

Jan 10 00:34:58 office-pc kernel: audit: type=1400 audit(1736469298.569:88): apparmor="DENIED" operation="open" profile="libvirt-cde61902-6566-4787-ac4d-290adfde5a92" name="/etc/pulse/client.conf.d/" pid=10268 comm="qemu-system-x86" requested_mask="r" denied_mask="r" fsuid=64055 ouid=0

I added a read permission into the AppArmor abstractions file for libvirt-qemu but it doesn’t appear to make any difference.

Any advice is much appreciated.

1 Like
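Added example, not part of the original posts: a small parser for the AppArmor denial quoted above, which extracts the profile and the denied path and builds the narrowest file rule that would cover it. The function names, the hex-decoding of unquoted values and the mask mapping are assumptions of this example; where the rule belongs depends on the local libvirt AppArmor setup.

```python
import re

# The AppArmor denial quoted in the post above, copied from the page.
SAMPLE = ('Jan 10 00:34:58 office-pc kernel: audit: type=1400 '
          'audit(1736469298.569:88): apparmor="DENIED" operation="open" '
          'profile="libvirt-cde61902-6566-4787-ac4d-290adfde5a92" '
          'name="/etc/pulse/client.conf.d/" pid=10268 comm="qemu-system-x86" '
          'requested_mask="r" denied_mask="r" fsuid=64055 ouid=0')

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Assumption: these fields are logged as bare hex when they contain spaces
# or other special characters, so unquoted values are hex-decoded.
HEX_KEYS = {"name", "comm", "profile"}
# Log-only masks: create (c) and delete (d) are granted by "w" in a profile.
LOG_TO_RULE = {"c": "w", "d": "w"}

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    pos = line.find('apparmor="DENIED"')
    if pos < 0:
        return None
    fields = {}
    for m in FIELD.finditer(line[pos:]):
        key, quoted, bare = m.groups()
        if bare is not None and key in HEX_KEYS:
            try:
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass  # not hex after all; keep the raw token
        fields[key] = quoted if bare is None else bare
    return fields

def rule_for(fields):
    """Build the narrowest file rule that covers one denial."""
    perms = []
    for ch in fields["denied_mask"]:
        ch = LOG_TO_RULE.get(ch, ch)
        if ch not in perms:
            perms.append(ch)
    name = fields["name"]
    if " " in name:
        name = f'"{name}"'  # paths containing spaces are quoted in a profile
    # A name ending in "/" is the directory itself, so the rule keeps the
    # trailing slash; a rule without it would not match this denial.
    return f'{name} {"".join(perms)},'

if __name__ == "__main__":
    f = parse_denial(SAMPLE)
    print(f["profile"], "->", rule_for(f))
```

For the line in the post, the denied object is the directory `/etc/pulse/client.conf.d/` itself (note the trailing slash), opened for read by the per-VM `libvirt-<uuid>` profile.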

Well that’s been a lot of pain

I tried changing the pulseaudio config to put a unix socket into the /tmp/blah path but whenever I did that, I appeared to lock my own user out of the pulseaudio system - aka pactl info would no longer connect, plus I didn’t see the socket being created in the filesystem so who knows.

This meant that neither of these solutions worked in my case:

https://wiki.archlinux.org/title/PulseAudio/Examples#Allowing_multiple_users_to_share_a_PulseAudio_daemon

https://dhole.github.io/post/pulseaudio_multiple_users/

In the end, I used this solution:

https://billauer.co.il/blog/2014/01/pa-multiple-users/

As far as security, it’s not the most ideal but it “feels” better to me than changing the libvirt system to run under my user instead, plus I have no idea how that would interact with AppArmor and the magic it appears to do for libvirt.

Hopefully my next distro will be using pipewire and I can see if the QEMU jack driver works, or the native pipewire driver if qemu is new enough… but maybe those also have single user restrictions.

Bring on virtio audio…