Created attachment 860298
patch to add necessary permissions to qemu-guest-agent
From the private comment:

Steps to Reproduce:
1. virsh qemu-agent-command DOMAIN '{ "execute": "guest-set-time", "arguments":{"time":1}}'

Actual results:

SELinux is preventing /usr/bin/qemu-ga from using the sys_time capability.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that qemu-ga should have the sys_time capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:
# grep qemu-ga /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context        system_u:system_r:virt_qemu_ga_t:s0
Target Context        system_u:system_r:virt_qemu_ga_t:s0
Target Objects        [ capability ]
Source                qemu-ga
Source Path           /usr/bin/qemu-ga
Port                  <Unknown>
Host                  localhost.localdomain
Source RPM Packages   qemu-guest-agent-1.6.1-3.fc20.x86_64
Target RPM Packages
Policy RPM            selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled       True
Policy Type           targeted
Enforcing Mode        Enforcing
Host Name             localhost.localdomain
Platform              Linux localhost.localdomain
Cole, could you attach raw AVC msgs which are needed for this policy?
There's a RHEL bug with the info over here, but looks like you commented there already: https://bugzilla.redhat.com/show_bug.cgi?id=1061936