+++ This bug was initially created as a clone of Bug #853393 +++

Description of problem:

In libguestfs with the libvirt backend we create sockets to talk to the daemon and console like this:

    <serial type="unix">
      <source mode="connect" path="/tmp/libguestfs3vK8dN/console.sock"/>
      <target port="0"/>
    </serial>
    <channel type="unix">
      <source mode="connect" path="/tmp/libguestfs3vK8dN/guestfsd.sock"/>
      <target type="virtio" name="org.libguestfs.channel.0"/>
    </channel>

where "/tmp/libguestfs3vK8dN" is a temporary directory created by libguestfs.

Note that these socket files are created by libguestfs. Qemu has to connect to them.

I have submitted a patch to libvirt so that it now correctly labels console.sock (for some reason that I don't understand none of this discussion seems to apply to guestfsd.sock, but everything still works, go figure).

However SELinux policy does not allow qemu to write to console.sock even when it is correctly labelled.

    type=AVC msg=audit(1347628113.231:1514): avc: denied { write } for pid=4080 comm="qemu-kvm" name="console.sock" dev="dm-5" ino=834963 scontext=unconfined_u:unconfined_r:svirt_t:s0:c96,c408 tcontext=unconfined_u:object_r:svirt_image_t:s0:c96,c408 tclass=sock_file

    type=AVC msg=audit(1347628390.930:1544): avc: denied { connectto } for pid=5138 comm="qemu-kvm" path="/home/rjones/d/libguestfs/libguestfsnwIvd1/console.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c516,c927 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

audit2allow suggests:

    require {
        type svirt_image_t;
        type svirt_t;
        class sock_file write;
    }

    #============= svirt_t ==============
    allow svirt_t svirt_image_t:sock_file write;

and:

    require {
        type unconfined_t;
        type svirt_t;
        class unix_stream_socket connectto;
    }

    #============= svirt_t ==============
    allow svirt_t unconfined_t:unix_stream_socket connectto;

Adding these two rules makes everything work OK for me.
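As an added illustration (not code from the bug report, libguestfs or audit2allow), here is a small Python parser that turns the two AVC records quoted above into the same allow rules, merging permissions per (source type, target type, class) so that a reviewer can see exactly which domain-to-type accesses a policy change would grant before accepting a rule as broad as svirt_t connecting to unconfined_t sockets. The AVC lines are copied from the report; the regex and helper names are this example's own.

```python
import re
from collections import OrderedDict

# Constructed sample input: the two AVC denials quoted in the bug report.
AVC_LINES = [
    'type=AVC msg=audit(1347628113.231:1514): avc: denied { write } for pid=4080 '
    'comm="qemu-kvm" name="console.sock" dev="dm-5" ino=834963 '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c96,c408 '
    'tcontext=unconfined_u:object_r:svirt_image_t:s0:c96,c408 tclass=sock_file',
    'type=AVC msg=audit(1347628390.930:1544): avc: denied { connectto } for pid=5138 '
    'comm="qemu-kvm" path="/home/rjones/d/libguestfs/libguestfsnwIvd1/console.sock" '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c516,c927 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
]

# Matches the permission set, source/target contexts and object class of one AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return (source_type, target_type, tclass, perms) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(sorted(m.group('perms').split()))
    return (context_type(m.group('scontext')), context_type(m.group('tcontext')),
            m.group('tclass'), perms)


def allow_rules(lines):
    """Collapse denials into allow rules, merging permissions per (src, tgt, class)."""
    merged = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # skip non-AVC records (SYSCALL, PATH, ...)
        src, tgt, tclass, perms = parsed
        merged.setdefault((src, tgt, tclass), set()).update(perms)
    return [f"allow {src} {tgt}:{tclass} {' '.join(sorted(perms))};"
            for (src, tgt, tclass), perms in merged.items()]


if __name__ == '__main__':
    for rule in allow_rules(AVC_LINES):
        print(rule)
```

Running it prints the two allow rules from the report; feeding it a whole audit.log slice shows how many distinct type pairs a proposed policy change would actually touch.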
Fixed in selinux-policy-3.11.1-23.fc18.noarch
I installed the -24 policy and it does appear to be fixed.