An F-9 KVM guest using virtio drivers currently fails to mount /boot during rc.sysinit with this:

avc: denied { read } for pid=1081 comm="mount" name="vda1" dev=tmpfs ino=261 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
avc: denied { getattr } for pid=1081 comm="mount" path="/dev/vda1" dev=tmpfs ino=261 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file

Turns out to simply be that we need to set the file contexts on /dev/vda* correctly. Patch below.

Adding to F9Blocker because if mounting /boot fails and the user tries to update the kernel, things are going to get mightily screwed up.
Created attachment 303991: serefpolicy-3.3.1-virtio-fixed-disk.patch
Fixed in selinux-policy-3.3.1-43.fc9.noarch
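
An added example, not part of the original report or of the attached policy patch: a small triage script that parses AVC denials and groups the ones whose target is a device node still carrying the generic device_t label, which is the pattern in the two denials above and points to a missing file-context entry. The function names are hypothetical; the sample log lines are the two from the report.

```python
import re

# The two AVC denials quoted in the report above.
SAMPLE_LOG = """\
avc: denied { read } for pid=1081 comm="mount" name="vda1" dev=tmpfs ino=261 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
avc: denied { getattr } for pid=1081 comm="mount" path="/dev/vda1" dev=tmpfs ino=261 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=blk_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the key=value fields plus 'perms', or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def context_type(ctx):
    """Extract the type field from a user:role:type[:level] security context."""
    parts = ctx.split(':')
    return parts[2] if len(parts) >= 3 else None


def generic_device_denials(log, generic_type='device_t',
                           classes=('blk_file', 'chr_file')):
    """Group denials on device nodes that still have the generic /dev label.

    Returns {(node, source_type, tclass): set_of_denied_permissions}.
    """
    hits = {}
    for line in log.splitlines():
        rec = parse_avc(line)
        if not rec or rec.get('tclass') not in classes:
            continue
        if context_type(rec.get('tcontext', '')) != generic_type:
            continue
        # Early-boot denials may carry only name=, later ones a full path=.
        node = (rec.get('path') or rec.get('name') or '?').rsplit('/', 1)[-1]
        key = (node, context_type(rec.get('scontext', '')), rec['tclass'])
        hits.setdefault(key, set()).update(rec['perms'])
    return hits


if __name__ == '__main__':
    for (node, src, cls), perms in generic_device_denials(SAMPLE_LOG).items():
        print(f"{node} ({cls}) is labelled device_t; {src} denied {sorted(perms)}")
```
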