Libvirt + cockpit-machines got blocked/denied permissions by SELinux

[thepragmaticmero]

At least on Fedora 41 (pre-release) I guess it will be fixed soon, IDK. SELinux works in misterious ways. I have a saying: "The best way to use SELinux is with the sudo setenforce 0 command" Now SELinux was doing this: The fix... well: sudo setenforce 0 . Bandaid fix for now. It wil get sorted out later I guess. I lost too much time trying to solve this, so no "proper" command to get libvirt to pass through SELinux

Days since enabled SELinux broke my workflow : 0 For the skeptics: I verified my users+groups, I restarted libvirtd / libvirtdbus, changed .conf files, etc. Nothing. It was SELinux.

[mac2net]

LOL cursing out the beta version is pretty funny

[jelly]

Do you still have the logs of the AVC denial? We did have some SELinux policy regressions in F41 but they all seem to be closed and our CI runs with setenforce enabled.

https://bugzilla.redhat.com/show_bug.cgi?id=2297965

@mac2net please be respectful to users filling issues even though they had a frustrating experience.

[thepragmaticmero]

I updated Fedora Silverblue 41 with rpm-ostree update. And still got the same AVC denial. Looking forward when it actually releases then. For now using setenforce 0 shouldn't hurt.

[jelly]

@thepragmaticmero which selinux-policy version do you have?

[thepragmaticmero]

$ rpm -qa | grep selinux | wl-copy
libselinux-3.7-5.fc41.x86_64
libselinux-utils-3.7-5.fc41.x86_64
python3-libselinux-3.7-5.fc41.x86_64
selinux-policy-41.16-2.fc41.noarch
selinux-policy-targeted-41.16-2.fc41.noarch
container-selinux-2.232.1-2.fc41.noarch
passt-selinux-0^20240906.g6b38f07-1.fc41.noarch
flatpak-selinux-1.15.10-1.fc41.noarch
rpm-plugin-selinux-4.19.92-6.fc41.x86_64
swtpm-selinux-0.9.0-3.fc41.noarch
nbdkit-selinux-1.40.3-1.fc41.noarch
cockpit-selinux-324-1.fc41.noarch

This version selinux-policy-41.16-2.fc41.noarch