Open cgwalters opened 1 month ago
Trying to enable a virtiofs mount for a domain with unprivileged libvirt gives:
May 17 10:09:38 xenon audit[1556282]: AVC avc: denied { connectto } for pid=1556282 comm="qemu-system-x86" path="/var/home/walters/.config/libvirt/qemu/lib/domain-12-podman-bootc-8cb7ffb/fs0-fs.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c156,c869 tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c156,c869 tclass=unix_stream_socket permissive=1
I think to fix this, we'd need to also have libvirt fork virtiofsd under svirt_t? Or ensure that the target socket is labeled.
A workaround here is to turn off "svirt" by adding e.g. <seclabel type='none'/> to the domain XML.
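As an added example (not code from the issue or from libvirt), here is a small Python parser that reads an AVC record like the one above and flags the pattern reported here: a guest confined as svirt_t denied connectto on a unix_stream_socket that carries a different label. The names parse_avc, diagnose and selinux_type are my own, and the sample record is constructed from the line quoted in the issue.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: the AVC record quoted in the issue, as one line.
SAMPLE_AVC = (
    'May 17 10:09:38 xenon audit[1556282]: AVC avc: denied { connectto } '
    'for pid=1556282 comm="qemu-system-x86" '
    'path="/var/home/walters/.config/libvirt/qemu/lib/domain-12-podman-bootc-8cb7ffb/fs0-fs.sock" '
    'scontext=unconfined_u:unconfined_r:svirt_t:s0:c156,c869 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c156,c869 '
    'tclass=unix_stream_socket permissive=1'
)

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def selinux_type(context: str) -> str:
    """SELinux contexts are user:role:type:level; return the type component."""
    return context.split(":")[2]


@dataclass
class AvcDenial:
    perms: list   # permissions denied, e.g. ["connectto"]
    fields: dict  # pid, comm, path, scontext, tcontext, tclass, permissive, ...

    @property
    def permissive(self) -> bool:
        # permissive=1: the access was logged but still allowed, so the
        # mount may appear to work while the policy gap goes unnoticed.
        return self.fields.get("permissive") == "1"


def parse_avc(line: str) -> Optional[AvcDenial]:
    """Parse one AVC 'denied' audit record; return None for any other line."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: q if q else b for k, q, b in _KV_RE.findall(m.group(2))}
    return AvcDenial(m.group(1).split(), fields)


def diagnose(d: AvcDenial) -> str:
    """Flag a confined svirt guest connecting to a socket not labelled for it."""
    src, dst = selinux_type(d.fields["scontext"]), selinux_type(d.fields["tcontext"])
    if ("connectto" in d.perms and d.fields.get("tclass") == "unix_stream_socket"
            and src.startswith("svirt") and dst != src):
        return f"{src} guest connecting to socket labelled {dst}"
    return "other"
```

Because the record carries permissive=1, the connect succeeded despite the denial; in enforcing mode the same mismatch would break the virtiofs mount outright.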