Bug 857453 - SELinux policy doesn't allow qemu to connect/write to correctly labelled console socket
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 853393 888502
Blocks:
Reported: 2012-09-14 13:29 UTC by Richard W.M. Jones
Modified: 2012-12-18 19:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 853393
Environment:
Last Closed: 2012-09-18 13:35:44 UTC
Type: Bug
Embargoed:



Description Richard W.M. Jones 2012-09-14 13:29:34 UTC
+++ This bug was initially created as a clone of Bug #853393 +++

Description of problem:

In libguestfs with the libvirt backend we create sockets
to talk to the daemon and console like this:

    <serial type="unix">
      <source mode="connect" path="/tmp/libguestfs3vK8dN/console.sock"/>
      <target port="0"/>
    </serial>
    <channel type="unix">
      <source mode="connect" path="/tmp/libguestfs3vK8dN/guestfsd.sock"/>
      <target type="virtio" name="org.libguestfs.channel.0"/>
    </channel>

where "/tmp/libguestfs3vK8dN" is a temporary directory created
by libguestfs.

Note that these socket files are created by libguestfs.  Qemu has
to connect to them.

I have submitted a patch to libvirt so that it now correctly labels
console.sock (for some reason that I don't understand, none of this
discussion seems to apply to guestfsd.sock, but everything still
works, go figure).

However, SELinux policy does not allow qemu to write to console.sock
even when it is correctly labelled.

type=AVC msg=audit(1347628113.231:1514): avc:  denied  { write } for  pid=4080 comm="qemu-kvm" name="console.sock" dev="dm-5" ino=834963 scontext=unconfined_u:unconfined_r:svirt_t:s0:c96,c408 tcontext=unconfined_u:object_r:svirt_image_t:s0:c96,c408 tclass=sock_file

type=AVC msg=audit(1347628390.930:1544): avc:  denied  { connectto } for  pid=5138 comm="qemu-kvm" path="/home/rjones/d/libguestfs/libguestfsnwIvd1/console.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c516,c927 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket

audit2allow suggests:

require {
	type svirt_image_t;
	type svirt_t;
	class sock_file write;
}

#============= svirt_t ==============
allow svirt_t svirt_image_t:sock_file write;

and:

require {
	type unconfined_t;
	type svirt_t;
	class unix_stream_socket connectto;
}

#============= svirt_t ==============
allow svirt_t unconfined_t:unix_stream_socket connectto;

Adding these two rules makes everything work OK for me.

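The two denials above map onto the two audit2allow rules in a mechanical way: source type, target type and object class come from scontext/tcontext/tclass, and the braced permission set becomes the allow rule's permissions. The following is an added example (not part of the bug report or of audit2allow itself) that performs that reduction on the AVC lines quoted in the description, merging permissions per (source, target, class) the way audit2allow does; the two log lines are embedded as constructed sample input.

```python
import re

# Constructed sample input: the two AVC denials quoted in the report above.
AVC_LINES = [
    'type=AVC msg=audit(1347628113.231:1514): avc:  denied  { write } for  pid=4080 comm="qemu-kvm" name="console.sock" dev="dm-5" ino=834963 scontext=unconfined_u:unconfined_r:svirt_t:s0:c96,c408 tcontext=unconfined_u:object_r:svirt_image_t:s0:c96,c408 tclass=sock_file',
    'type=AVC msg=audit(1347628390.930:1544): avc:  denied  { connectto } for  pid=5138 comm="qemu-kvm" path="/home/rjones/d/libguestfs/libguestfsnwIvd1/console.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c516,c927 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket',
]

# Pull the permission set, both contexts and the object class out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (user:role:TYPE:level) of a security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError(f'malformed context: {ctx}')
    return parts[2]


def parse_avc(line):
    """Return the denial's (source type, target type, class, perms), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'source': context_type(m['scontext']),
        'target': context_type(m['tcontext']),
        'tclass': m['tclass'],
        'perms': frozenset(m['perms'].split()),
    }


def allow_rules(lines):
    """Merge denials into one allow rule per (source, target, class) triple."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue  # not an AVC denial (e.g. a SYSCALL record); skip it
        key = (d['source'], d['target'], d['tclass'])
        merged[key] = merged.get(key, frozenset()) | d['perms']
    return [f'allow {s} {t}:{c} {{ {" ".join(sorted(p))} }};' if len(p) > 1
            else f'allow {s} {t}:{c} {next(iter(p))};'
            for (s, t, c), p in sorted(merged.items())]


if __name__ == '__main__':
    print('\n'.join(allow_rules(AVC_LINES)))
```

Note that the second rule targets unconfined_t rather than a libguestfs-specific type because the listening end of console.sock belongs to the unconfined libguestfs process, so the generated rule is considerably broader than the svirt_image_t one; that is worth checking before accepting audit2allow output verbatim.
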
Comment 1 Daniel Walsh 2012-09-18 13:35:44 UTC
Fixed in selinux-policy-3.11.1-23.fc18.noarch

Comment 2 Richard W.M. Jones 2012-09-25 12:44:31 UTC
I installed the -24 policy and it does appear to be fixed.
