SELinux Errors when starting a VM

I have been getting SELinux errors (AVCs?) for a while and putting off resolving them since I don’t understand them. I’d like to try to deal with them now. Most of the time they happen when I fire up a VM using KVM/QEMU/Virt-Manager. When I set this system up, I thought it would be a good idea to create a top level subvolume at /VMs to give me flexibility on backing them up, but in retrospect that probably wasn’t necessary and may very well be causing the AVCs.

I installed SELinux Troubleshooter and here is one of its alerts:

SELinux is preventing udev-event from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that udev-event should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'udev-event' --raw | audit2allow -M my-udevevent
# semodule -X 300 -i my-udevevent.pp

Additional Information:
Source Context                system_u:system_r:virtnodedevd_t:s0
Target Context                system_u:system_r:virtnodedevd_t:s0
Target Objects                Unknown [ capability ]
Source                        udev-event
Source Path                   udev-event
Port                          <Unknown>
Host                          overkill
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.22-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.22-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overkill
Platform                      Linux overkill 6.18.8-200.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Jan 30 20:23:28 UTC 2026
                              x86_64
Alert Count                   112
First Seen                    2025-11-22 08:36:07 MST
Last Seen                     2026-02-07 07:20:43 MST
Local ID                      1c660479-3724-4c8d-a2e3-758f78b90f92

Raw Audit Messages
type=AVC msg=audit(1770474043.847:228): avc:  denied  { dac_override } for  pid=12522 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0


Hash: udev-event,virtnodedevd_t,virtnodedevd_t,capability,dac_override

So I typed “sudo auditctl -w /etc/shadow -p w” as it suggested and loaded a VM again and here is the output:

sudo ausearch -m avc -ts recent
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.841:218): avc:  denied  { dac_read_search } for  pid=12522 comm="udev-event" capability=2  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.841:219): avc:  denied  { dac_override } for  pid=12522 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.842:220): avc:  denied  { dac_read_search } for  pid=12522 comm="udev-event" capability=2  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.842:221): avc:  denied  { dac_override } for  pid=12522 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.842:222): avc:  denied  { dac_read_search } for  pid=12522 comm="udev-event" capability=2  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.842:223): avc:  denied  { dac_override } for  pid=12522 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.843:224): avc:  denied  { dac_read_search } for  pid=12522 comm="udev-event" capability=2  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.843:225): avc:  denied  { dac_override } for  pid=12522 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.847:227): avc:  denied  { dac_read_search } for  pid=12522 comm="udev-event" capability=2  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:20:43 2026
type=AVC msg=audit(1770474043.847:228): avc:  denied  { dac_override } for  pid=12522 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:26:20 2026
type=AVC msg=audit(1770474380.584:266): avc:  denied  { dac_read_search } for  pid=12522 comm="udev-event" capability=2  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
----
time->Sat Feb  7 07:26:20 2026
type=AVC msg=audit(1770474380.584:267): avc:  denied  { dac_override } for  pid=12522 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0

Can someone advise me what this means and what I should do about it? Should I do as the alert suggests and generate a local policy module to allow this access? This is with F43 Workstation, just updated.

Thanks.

I did something similar recently, so my notes are fresh at hand :)

I created storage for rootless QEMU/libvirt VMs at /mnt/vm/libvirt-images-user, and for rootful VMs at /mnt/vm/libvirt-images.

So I needed to make those SELinux-equivalent to the “default” locations that the images would otherwise have been stored at, and relabel:

sudo semanage fcontext -a -e ~/.local/share/libvirt/images /mnt/vm/libvirt-images-user
restorecon -vvRF /mnt/vm/libvirt-images-user

sudo semanage fcontext -a -e /var/lib/libvirt/images /mnt/vm/libvirt-images
sudo restorecon -vvRF /mnt/vm/libvirt-images

Maybe something like that would clean things up for you?

This does seem to be on the right track. As shown below, it looks like the /VMs directory has no SELinux label at all (the ?):

ls -ldZ /VMs
drwxrwxrwx 1 root root ? 506 Mar 15  2025 /VMs

So I’m trying to figure out how to translate your commands into my setup. I am not aware of rootless vs. rootful VMs.

I think this is the default location for storing VMs, so here are its properties:

ls -ldZ /var/lib/libvirt/images
drwx--x--x. 1 root root system_u:object_r:virt_image_t:s0 0 Oct 30 18:00 /var/lib/libvirt/images

My system doesn’t have a ~/.local/share/libvirt/images directory.

So it looks like your semanage fcontext command line options are -a, which means Add record of the specified object type, and -e tells it to copy the context labeling from the source to the destination path.

Your command line options for restorecon are -v, to increase verbosity of the output, -R for recursive and -F to Force reset of context to match file_context for customizable files, and the default file context, changing the user, role, range portion as well as the type.

So, for my situation does this look correct?

sudo semanage fcontext -a -e /var/lib/libvirt/images /VMs
restorecon -vvRF /VMs

Thanks.

Yes that looks good.

That sounds ok for “normal” VM usage. My ‘rootless’ directory only came into play when I started using vagrant, which is a bit more niche.

OK, here is the output of the commands. I’ll reboot and see if the errors are gone. Thanks for the help.

sudo semanage fcontext -a -e /var/lib/libvirt/images /VMs
sudo restorecon -vvRF /VMs
Relabeled /VMs from system_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/Arch.xml from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/Windows11.xml from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/opensusetumbleweed.qcow2 from system_u:object_r:svirt_image_t:s0:c663,c822 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/branches from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/applypatch-msg.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/commit-msg.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/post-update.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/pre-applypatch.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/pre-commit.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/pre-merge-commit.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/pre-push.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/pre-receive.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/push-to-checkout.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/update.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/fsmonitor-watchman.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/pre-rebase.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/hooks/prepare-commit-msg.sample from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/info from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/info/exclude from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/description from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/refs from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/refs/heads from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/refs/heads/master from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/refs/tags from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/refs/remotes from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/refs/remotes/origin from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/refs/remotes/origin/HEAD from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/objects from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/objects/pack from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/objects/pack/pack-ab7600fbc801896d8d7c5ca0f1070cde8ae11bc8.pack from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/objects/pack/pack-ab7600fbc801896d8d7c5ca0f1070cde8ae11bc8.idx from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/objects/info from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/packed-refs from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/logs from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/logs/refs from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/logs/refs/remotes from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/logs/refs/remotes/origin from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/logs/refs/remotes/origin/HEAD from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/logs/refs/heads from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/logs/refs/heads/master from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/logs/HEAD from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/HEAD from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/config from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/index from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/FETCH_HEAD from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.git/ORIG_HEAD from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.github from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.github/FUNDING.yml from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.github/ISSUE_TEMPLATE from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.github/ISSUE_TEMPLATE/bug_report.md from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.github/ISSUE_TEMPLATE/feature_request.md from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.gitignore from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/.gitmodules from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/LICENSE from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/OpenCore.qcow2 from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/README.md from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/basic.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/fetch-macOS-v2.py from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/firmware from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/firmware/OVMF_CODE.fd from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/firmware/OVMF_VARS-1024x768.fd from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/firmware/OVMF_VARS.fd from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/make.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/setup.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/setupArch.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/setupFedora.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/setupMageia.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/setupSUSE.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/tools from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/tools/debug.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/tools/dmg2img-src from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/tools/template.xml.in from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/virtio.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OneClick-macOS-Simple-KVM/windows-install.sh from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/OpenCore.qcow2 from system_u:object_r:svirt_image_t:s0:c271,c872 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/macOS.qcow2 from system_u:object_r:svirt_image_t:s0:c271,c872 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/BaseSystem.dmg from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/BaseSystem.chunklist from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/BaseSystem.img from system_u:object_r:svirt_image_t:s0:c271,c872 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/template.xml from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/firmware_macosvm from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/firmware_macosvm/OVMF_CODE.fd from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/firmware_macosvm/OVMF_VARS-1024x768.fd from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/firmware_macosvm/OVMF_VARS.fd from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/macOS.xml from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/temp from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/Arch.qcow2 from system_u:object_r:svirt_image_t:s0:c149,c282 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/Windows11.qcow2 from system_u:object_r:svirt_image_t:s0:c247,c428 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/bu from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/bu/macOs_Simple.xml from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/bu/macOS.qcow2 from unconfined_u:object_r:unlabeled_t:s0 to system_u:object_r:virt_image_t:s0
Relabeled /VMs/FedoraKinoite.qcow2 from system_u:object_r:svirt_image_t:s0:c601,c888 to system_u:object_r:virt_image_t:s0

OK, it looks like the re-labeling worked, but now I’m getting what looks like a different error.

sudo ls -ldZ /VMs
drwxrwxrwx. 1 root root system_u:object_r:virt_image_t:s0 506 Mar 15  2025 /VMs

sudo ls -ldZ /VMs/opensusetumbleweed.qcow2
-rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c476,c573 107390828544 Feb  7 10:31 /VMs/opensusetumbleweed.qcow2

SELinux is preventing worker from write access on the file /VMs/opensusetumbleweed.qcow2.

*****  Plugin qemu_file_image (98.8 confidence) suggests   *******************

If opensusetumbleweed.qcow2 is a virtualization target
Then you need to change the label on opensusetumbleweed.qcow2'
Do
# semanage fcontext -a -t virt_image_t '/VMs/opensusetumbleweed.qcow2'
# restorecon -v '/VMs/opensusetumbleweed.qcow2'

*****  Plugin catchall (2.13 confidence) suggests   **************************

If you believe that worker should be allowed write access on the opensusetumbleweed.qcow2 file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'worker' --raw | audit2allow -M my-worker
# semodule -X 300 -i my-worker.pp

Additional Information:
Source Context                system_u:system_r:svirt_t:s0:c663,c822
Target Context                system_u:object_r:virt_image_t:s0
Target Objects                /VMs/opensusetumbleweed.qcow2 [ file ]
Source                        worker
Source Path                   worker
Port                          <Unknown>
Host                          overkill
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.22-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.22-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overkill
Platform                      Linux overkill 6.18.8-200.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Jan 30 20:23:28 UTC 2026
                              x86_64
Alert Count                   9
First Seen                    2026-02-07 09:59:21 MST
Last Seen                     2026-02-07 10:04:06 MST
Local ID                      43e65d09-3b7b-4555-b836-545fa76d3e87

Raw Audit Messages
type=AVC msg=audit(1770483846.266:969): avc:  denied  { write } for  pid=174814 comm="worker" path="/VMs/opensusetumbleweed.qcow2" dev="nvme0n1p3" ino=278 scontext=system_u:system_r:svirt_t:s0:c663,c822 tcontext=system_u:object_r:virt_image_t:s0 tclass=file permissive=0


Hash: worker,svirt_t,virt_image_t,file,write


Hmm, I don’t know what’s happening there, I’m sorry.

FWIW I checked my own .qcow2 files and they have the same system_u:object_r:virt_image_t:s0 label as yours shows in the “Additional Information” in your output.

Edit: but interestingly, your ls -ldZ shows a different label, system_u:object_r:svirt_image_t:s0:c476,c573. Note svirt_image_t rather than virt_image_t. I’m out of my depth here I’m afraid!

Edit 2: when I start up one of my VMs, I can see that the label changes to look like yours:

-rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c456,c947 21478375424 2026-02-07 18:02 'Fedora Rawhide KDE.qcow2'

Then when I stop the VM, it reverts to system_u:object_r:virt_image_t:s0. But in my case, this isn’t manifesting in SELinux denials, so I’m not sure what the issue is.

Was the VM running when you executed the relabelling? That might cause an issue, since it could have given the file the label expected for a stopped VM rather than a running VM.

If so, perhaps stop all VMs and do the restorecon once again?

Now I’m not entirely sure if I had that VM running or not at the time. I just re-ran the commands and made sure it wasn’t running at the time.

sudo semanage fcontext -a -e /var/lib/libvirt/images /VMs
Equivalence class for /VMs already exists, modifying instead

sudo restorecon -vvRF /VMs
Relabeled /VMs/opensusetumbleweed.qcow2 from system_u:object_r:svirt_image_t:s0:c212,c758 to system_u:object_r:virt_image_t:s0

OK, I ran the commands again making sure no VMs were loaded and now it looks closer to the original error:

SELinux is preventing udev-event from using the dac_override capability.

*****  Plugin dac_override (91.4 confidence) suggests   **********************

If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
Then turn on full auditing to get path information about the offending file and generate the error again.
Do

Turn on full auditing
# auditctl -w /etc/shadow -p w
Try to recreate AVC. Then execute
# ausearch -m avc -ts recent
If you see PATH record check ownership/permissions on file, and fix it,
otherwise report as a bugzilla.

*****  Plugin catchall (9.59 confidence) suggests   **************************

If you believe that udev-event should have the dac_override capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'udev-event' --raw | audit2allow -M my-udevevent
# semodule -X 300 -i my-udevevent.pp

Additional Information:
Source Context                system_u:system_r:virtnodedevd_t:s0
Target Context                system_u:system_r:virtnodedevd_t:s0
Target Objects                Unknown [ capability ]
Source                        udev-event
Source Path                   udev-event
Port                          <Unknown>
Host                          overkill
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-42.22-1.fc43.noarch
Local Policy RPM              selinux-policy-targeted-42.22-1.fc43.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     overkill
Platform                      Linux overkill 6.18.8-200.fc43.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Fri Jan 30 20:23:28 UTC 2026
                              x86_64
Alert Count                   124
First Seen                    2025-11-22 08:36:07 MST
Last Seen                     2026-02-07 11:23:19 MST
Local ID                      1c660479-3724-4c8d-a2e3-758f78b90f92

Raw Audit Messages
type=AVC msg=audit(1770488599.378:226): avc:  denied  { dac_override } for  pid=11799 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0


Hash: udev-event,virtnodedevd_t,virtnodedevd_t,capability,dac_override

I do notice that this command returns different info depending on if the VM is running or not. The first is with it running and the second is with it shutdown:

sudo ls -ldZ /VMs/opensusetumbleweed.qcow2
-rw-------. 1 qemu qemu system_u:object_r:svirt_image_t:s0:c316,c695 107390828544 Feb  7 11:24 /VMs/opensusetumbleweed.qcow2

sudo ls -ldZ /VMs/opensusetumbleweed.qcow2
-rw-------. 1 qemu qemu system_u:object_r:virt_image_t:s0 107390828544 Feb  7 11:25 /VMs/opensusetumbleweed.qcow2
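The AVC records quoted in this thread, run through a small triage script added here as an example (not code from any poster, nor from libvirt or the SELinux project): it parses each "avc: denied" line and separates the capability denial inside virtnodedevd_t, which no relabel can fix, from the two file-label cases on /VMs (an image relabeled while its guest was running, or a path the file contexts never covered). The third sample line is constructed; the first two are copied from the alerts above.

```python
import re

# Constructed sample input.  Lines 1 and 2 are the two AVC records quoted in
# this thread; line 3 is made up to show a file the relabel never reached (the
# unlabeled_t type that most of /VMs carried in the restorecon output above).
SAMPLE_AVCS = """\
type=AVC msg=audit(1770474043.847:228): avc:  denied  { dac_override } for  pid=12522 comm="udev-event" capability=1  scontext=system_u:system_r:virtnodedevd_t:s0 tcontext=system_u:system_r:virtnodedevd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1770483846.266:969): avc:  denied  { write } for  pid=174814 comm="worker" path="/VMs/opensusetumbleweed.qcow2" dev="nvme0n1p3" ino=278 scontext=system_u:system_r:svirt_t:s0:c663,c822 tcontext=system_u:object_r:virt_image_t:s0 tclass=file permissive=0
type=AVC msg=audit(1770400000.000:10): avc:  denied  { read open } for  pid=4242 comm="qemu-system-x86" path="/VMs/bu/macOS.qcow2" dev="nvme0n1p3" ino=301 scontext=system_u:system_r:svirt_t:s0:c271,c872 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two types sVirt uses for disk images: the label at rest and the
# per-guest label (same type plus two MCS categories) while the guest runs.
IMAGE_TYPES = {"virt_image_t", "svirt_image_t"}


def parse_avc(line):
    """Return a dict for one 'type=AVC ... avc: denied' record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": m.group("perms").split(),
        "comm": f.get("comm", ""),
        "path": f.get("path"),
        "scontext": f["scontext"],
        "tcontext": f["tcontext"],
        "tclass": f["tclass"],
        "permissive": f.get("permissive") == "1",
    }


def split_context(ctx):
    """'user:role:type:s0:c1,c2' -> ('type', frozenset({'c1', 'c2'}))."""
    _user, _role, typ, level = ctx.split(":", 3)
    cats = level.split(":", 1)[1].split(",") if ":" in level else []
    return typ, frozenset(cats)


def triage(avc):
    """Classify one denial as (category, explanation)."""
    stype, scats = split_context(avc["scontext"])
    ttype, tcats = split_context(avc["tcontext"])
    perms = " ".join(avc["perms"])
    if avc["tclass"] == "capability":
        # Source and target are the same domain: the loaded policy simply
        # lacks the capability rule, so no fcontext change can help.
        return ("policy", f"{stype} lacks capability {perms} in the loaded "
                "policy; track the selinux-policy bug rather than relabel")
    if stype == "svirt_t" and avc["tclass"] == "file":
        if ttype == "virt_image_t" and scats and not tcats:
            # A running guest is svirt_t:s0:cX,cY and expects its image to be
            # svirt_image_t with the same categories.  An image sitting at the
            # resting label while the guest is up is what restorecon -F during
            # the guest's lifetime produces (in the thread, c663,c822 are the
            # categories the relabel log shows being stripped).
            return ("stale-label", f"{avc['path']} lost its per-guest label "
                    f"(categories {','.join(sorted(scats))}); stop the guest, "
                    "then run restorecon again")
        if ttype not in IMAGE_TYPES:
            return ("not-virt-labeled", f"{avc['path']} is {ttype}: the storage "
                    "path is not covered by file contexts; add an equivalence to "
                    "/var/lib/libvirt/images and restorecon it")
    return ("unknown", f"{stype} denied {perms} on {ttype}")


def triage_lines(text):
    """Parse every AVC record in text; return [(path-or-comm, category)]."""
    out = []
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is not None:
            out.append((avc["path"] or avc["comm"], triage(avc)[0]))
    return out


if __name__ == "__main__":
    for line in SAMPLE_AVCS.splitlines():
        cat, why = triage(parse_avc(line))
        print(f"[{cat}] {why}")
```

Feed it the output of ausearch -m avc -ts recent to get the same three-way split on a live system; a "stale-label" hit is the cue to stop the guest before relabeling again.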

You know, looking at my logs, I actually get these ‘virtnodedevd_t’ denials too - they just don’t seem to be causing me concrete problems.

I’ll dig in a bit more and feed back if I find anything illuminating.

This looks like the same issue, though I’m not sure from this what the underlying problem and the proper solution is.

Interesting, yes that bug does sound like what I’m seeing now. I’ll keep an eye on it. Thanks!

Looks like the issue has been identified and a fix is in progress:

Yes, that’s good news. I’ve been following that bug. Now I just need to figure out how to track when this gets added to Fedora so I can try again.

The fix for bug 2394805 (SELinux is preventing udev-event from using the 'dac_override' capabilities) was just pushed to stable. I updated to version selinux-policy-42.25-1.fc43 and have loaded all my VMs and so far didn’t see the SELinux errors, so it seems to be fixed. Thanks for the help.