cockpit-project / cockpit-machines

Cockpit UI for virtual machines
GNU Lesser General Public License v2.1

selinux-policy update breaks libvirt migration (access to ssh_t) #1739

Closed cockpituous closed 1 month ago

cockpituous commented 1 month ago

The job fedora-40/updates-testing failed on commit 2f2e3a613444872beb4412130cff852de1a97b9e.

Log: https://cockpit-logs.us-east-1.linodeobjects.com/pull-0-2f2e3a61-20240725-020123-fedora-40-updates-testing/log.html

martinpitt commented 1 month ago

Yes, this is real:

Jul 25 02:19:49 fedora-40-127-0-0-2-2201 audit: SELINUX_ERR op=security_compute_sid invalid_context="system_u:system_r:ssh_t:s0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=process
Jul 25 02:19:49 fedora-40-127-0-0-2-2201 virtqemud[1036]: Cannot recv data: libvirt:  error : cannot execute binary ssh: Permission denied: Connection reset by peer

That smells like selinux-policy 40.25-1.fc40? There's no new libvirt or ssh. This needs confirmation and -1'ing https://bodhi.fedoraproject.org/updates/FEDORA-2024-391cfa58c2. This is urgent as the update already has +4 karma, and will auto-land at +5.

martinpitt commented 1 month ago

Latest selinux-policy update seems to fix this. Not 100% sure as something else also broke migration #1743, but I think it happens later on.
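
Added example (not part of the original thread and not cockpit project code): a small triage script that parses the SELINUX_ERR record quoted above and pairs it with the exec failure logged by the same daemon in the same second. The function name `failed_transitions` and the rule that maps a domain type to a daemon tag by dropping `_t` are assumptions made for this illustration.

```python
import re

# The two journal lines quoted in this thread, copied verbatim.
JOURNAL = (
    'Jul 25 02:19:49 fedora-40-127-0-0-2-2201 audit: SELINUX_ERR op=security_compute_sid invalid_context="system_u:system_r:ssh_t:s0" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=process\n'
    'Jul 25 02:19:49 fedora-40-127-0-0-2-2201 virtqemud[1036]: Cannot recv data: libvirt:  error : cannot execute binary ssh: Permission denied: Connection reset by peer\n'
)

# syslog-style prefix: timestamp, host, tag with optional [pid], then the message
LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
                  r"(?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="value"

def ctx_type(context):
    """Return the type field of a user:role:type:level SELinux context."""
    return context.split(":")[2]

def failed_transitions(journal):
    """Report process transitions whose computed context the kernel rejected."""
    records = [m.groupdict() for m in map(LINE.match, journal.splitlines()) if m]
    findings = []
    for rec in records:
        if rec["tag"] != "audit" or not rec["msg"].startswith("SELINUX_ERR"):
            continue
        f = {k: v.strip('"') for k, v in FIELD.findall(rec["msg"])}
        if f.get("op") != "security_compute_sid" or "invalid_context" not in f:
            continue
        source = ctx_type(f["scontext"])
        # Assumption: the daemon's syslog tag is its domain type without "_t".
        daemon = source[:-2] if source.endswith("_t") else source
        symptoms = [r["msg"] for r in records
                    if r["host"] == rec["host"] and r["ts"] == rec["ts"]
                    and r["tag"] == daemon and "Permission denied" in r["msg"]]
        findings.append({
            "host": rec["host"],
            "source_domain": source,
            "entrypoint_type": ctx_type(f["tcontext"]),
            "rejected_context": f["invalid_context"],
            "rejected_type": ctx_type(f["invalid_context"]),
            "tclass": f.get("tclass"),
            "symptoms": symptoms,
        })
    return findings

if __name__ == "__main__":
    for item in failed_transitions(JOURNAL):
        print("{source_domain} exec {entrypoint_type} -> {rejected_context} "
              "rejected; symptoms: {symptoms}".format(**item))
```
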