I updated my f24 machine to selinux-policy-targeted-3.13.1-191.12.fc24.noarch last night and was unable to start KVM guests afterward: $ virsh start rawhide error: Failed to start domain rawhide error: SELinux policy denies access. Downgrading the selinux-policy* packages to 3.13.1-190.fc24 corrected the problem. I currently have: # rpm -qa selinux-policy\* selinux-policy-targeted-3.13.1-190.fc24.noarch selinux-policy-3.13.1-190.fc24.noarch selinux-policy-devel-3.13.1-190.fc24.noarch selinux-policy-doc-3.13.1-190.fc24.noarch ...and all four packages were updated to the new version.
Erm, downgrading corrected that problem, but totally broke firewalld. Unfortunately, I don't get an AVC denial in the audit log here so I can't use audit2allow to enable this.
Could you search for user_avc? re-test it and run # ausearch -m user_avc -ts recent Thank you.
$ sudo ausearch -m user_avc -ts recent ---- time->Mon Aug 22 12:15:25 2016 type=USER_AVC msg=audit(1471882525.271:937): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 cmdline="/usr/lib/systemd/systemd-machined" scontext=system_u:system_r:systemd_machined_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
The line below from /var/log/audit/audit.log seems related as well. type=VIRT_CONTROL msg=audit(1472038484.578:364): pid=1222 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtd_t:s0-s0:c0.c1023 msg='virt=kvm op=start reason=booted vm="test_default" uuid=8263c965-612a-49c9-8000-877e17ce48a6 vm-pid=-1 exe="/usr/sbin/libvirtd" hostname=? addr=? terminal=? res=failed'
*** This bug has been marked as a duplicate of bug 1368745 ***