SELinux problems with libvirt provisioning instructions
The example commands for provisioning via libvirt don't work with the parameter --connect="qemu:///system" on virt-install, instead returning back a permission denied error on accessing the backing_store (${IMAGE}) and the Ignition file (${IGNITION_CONFIG}). From what I gather, this is because running the VM as system will fail to have access to the files even if configured with svirt_home_t and placed in the default svirt_home_t directories.
The alternatives should either be:
- If running as a system VM, then the image and ignition file need to be placed in a system accessible directory. I've tested and used /var/lib/libvirt/boot (which is tagged as virt_content_t) but unsure what the best practice is here.
- The VM can be run under the user session, which can be set via the argument --connect="qemu:///session" instead or by removing the argument altogether, as session is the default.
I feel like this is addressed by the already existing TIP in the docs. Did you see the TIP? Did you skip that step?
I think they're saying that even with the svirt_home_t label, it wasn't working. It'd be helpful to see the exact AVC denial you're hitting if you can still reproduce this.
This is correct, the label doesn't work if you attempt to run a VM under system as described in the docs, as system session VMs don't appear to have access to svirt_home_t labeled directories (only user session VMs).
I'll see if I can get the error exactly next chance I get to try this and detail the steps I used.
Hmm, we might just need to clarify that if you're using the session libvirt, then it goes in ~/.local/share/libvirt/images/ and if the system one, /var/lib/libvirt/images. Or just rework it so that we use e.g. virsh vol-upload?