SELinux: Which context allows libvirt to access a user's files?

I have a virbr0 created already, as root, so any new VMs should just specify virbr0 as the bridge name instead of trying to create one.

I want to quickly create a development VM for myself that is bootstrapped with cloud-init, and maps a local directory so I can use it for building projects with tools I don’t have.

virt-install \
  --name ubuntu-dev-vm \
  --memory 6144 \
  --vcpus 6 \
  --os-variant ubuntu22.04 \
  --disk path=/var/home/vms/ubuntu-dev-vm.qcow2,backing_store=/var/home/vms/noble-server-cloudimg-amd64.img,backing_format=qcow2,size=40 \
  --network bridge=virbr0,model=virtio \
  --graphics none \
  --cloud-init user-data=/var/home/stemid/IaC/ubuntu-dev-vm/cloud-init.yml \
  --filesystem source=/var/home/vms/code,target=host_share,type=mount,accessmode=passthrough

Since libvirt requires a lot of permission changes, I made a new storage pool in /var/home/vms instead of trying to mess with my HOME dir.

[stemid@precision ubuntu-dev-vm](365/0)$ ls -ltraiZ /var/home/vms
total 606148
 4162791 drwxr-xr-x. 1 stemid stemid system_u:object_r:virt_content_t:s0:c178,c451       546 Oct  6 13:43 code
     256 drwxr-xr-x. 1 root   root   system_u:object_r:home_root_t:s0                     18 Oct  7 14:25 ..
11060210 -rw-r--r--. 1 stemid stemid system_u:object_r:virt_content_t:s0           620695552 Oct  7 14:26 noble-server-cloudimg-amd64.img
11060182 drwxr-xr-x. 1 stemid stemid unconfined_u:object_r:virt_image_t:s0                82 Oct  7 14:37 .

But trying to start the VM I get permission denied errors.

ERROR    internal error: QEMU unexpectedly closed the monitor (vm='ubuntu-dev-vm'): 2025-10-07T12:37:59.078609Z qemu-system-x86_64: -device {"driver":"virtio-9p-pci","id":"fs0","fsdev":"fsdev-fs0","mount_tag":"host_share","bus":"pci.1","addr":"0x0"}: cannot initialize fsdev 'fsdev-fs0': failed to open '/var/home/vms/code': Permission denied

It works with SELinux temporarily disabled, so I checked ausearch.

type=AVC msg=audit(1759840558.152:3958): avc:  denied  { read } for  pid=29891 comm="qemu-system-x86" name="code" dev="dm-0" ino=4162791 scontext=unconfined_u:unconfined_r:svirt_t:s0:c198,c271 tcontext=system_u:object_r:virt_content_t:s0:c178,c451 tclass=dir permissive=0

So which context should I use for libvirt to access these files?


Edit: Better yet, it appears there is a svirt_home_t that has full access.

$ sesearch --allow -s svirt_t | grep svirt_home_t
allow virt_domain svirt_home_t:dir { add_name create ioctl link lock read remove_name rename reparent rmdir setattr unlink watch watch_reads write };
allow virt_domain svirt_home_t:file { append create getattr ioctl link lock open read rename setattr unlink watch watch_reads write };
allow virt_domain svirt_home_t:sock_file { append create getattr ioctl link lock open read rename setattr unlink write };

So the following would probably work best.

# semanage fcontext -a -t svirt_home_t "/var/home/vms(/.*)?"
# restorecon -rv /var/home/vms
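An added example, not code from the post above: a small POSIX shell script that parses an AVC denial as ausearch prints it, separates the two things such a denial can mean, and prints the relabel pair the edit ends with. The type field is only half of a label: svirt_t is MCS-constrained, so a guest running as s0:c198,c271 is refused any file or directory carrying a different category pair, whatever its type, and that is exactly the shape of the denial quoted above (process c198,c271, directory c178,c451). The script flags that case as an MCS clash, which a type-only relabel does not address on its own (restorecon resets the label to plain s0, which then every VM domain may reach, since the svirt_home_t rule is on the virt_domain attribute). It uses only sed, cut and tr, calls no SELinux tools, and does not expand category ranges written as cN.cM; the sample line is the post's own denial embedded as constructed input.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: parse an AVC denial as printed
# by ausearch, tell an MCS category mismatch apart from a plain type-enforcement
# denial, and print the relabel commands for a chosen target type.
# Assumptions: POSIX sh utilities (sed, cut, tr) only; no SELinux tools are
# called, so this runs on any host. Category ranges (cN.cM) are not expanded.

# Constructed sample input: the denial quoted in the post above.
SAMPLE_AVC='type=AVC msg=audit(1759840558.152:3958): avc:  denied  { read } for  pid=29891 comm="qemu-system-x86" name="code" dev="dm-0" ino=4162791 scontext=unconfined_u:unconfined_r:svirt_t:s0:c198,c271 tcontext=system_u:object_r:virt_content_t:s0:c178,c451 tclass=dir permissive=0'

# avc_field LINE KEY: value of the KEY=value token, surrounding quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permissions listed between the braces, e.g. "read".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\)}.*/\1/p' | sed 's/[[:space:]]*$//'
}

# ctx_type CONTEXT: the type field of user:role:type:level[:categories].
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# ctx_cats CONTEXT: the MCS category list after the sensitivity, or empty.
ctx_cats() { printf '%s\n' "$1" | cut -d: -f5; }

# mcs_dominates SUBJECT_CATS TARGET_CATS: succeeds if every target category is
# in the subject's set. Under MCS a process may only touch files whose
# categories are a subset of its own; an unlabelled (plain s0) file is open
# to every process as far as MCS is concerned.
mcs_dominates() {
    mcs_scats="$1"
    mcs_tcats="$2"
    [ -z "$mcs_tcats" ] && return 0
    for mcs_c in $(printf '%s' "$mcs_tcats" | tr ',' ' '); do
        case ",$mcs_scats," in
            *",$mcs_c,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# avc_diagnose LINE: prints "mcs" when the category sets alone would refuse the
# access, otherwise "type" (no allow rule for the type pair; confirm with
# sesearch or audit2why). A relabel that only changes the type does not fix
# an MCS clash: the categories on the object have to match the guest's, or
# be absent.
avc_diagnose() {
    diag_sctx=$(avc_field "$1" scontext)
    diag_tctx=$(avc_field "$1" tcontext)
    if mcs_dominates "$(ctx_cats "$diag_sctx")" "$(ctx_cats "$diag_tctx")"; then
        echo type
    else
        echo mcs
    fi
}

# relabel_commands PATH TYPE: the persistent relabel pair for PATH and below,
# the same shape as the semanage/restorecon pair in the post.
relabel_commands() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv "%s"\n' "$1"
}

# Stand-alone run: describe the sample denial and print the relabel commands.
avc_line="$SAMPLE_AVC"
printf '%s -> %s: %s on %s, %s denial\n' \
    "$(ctx_type "$(avc_field "$avc_line" scontext)")" \
    "$(ctx_type "$(avc_field "$avc_line" tcontext)")" \
    "$(avc_perms "$avc_line")" \
    "$(avc_field "$avc_line" tclass)" \
    "$(avc_diagnose "$avc_line")"
relabel_commands /var/home/vms svirt_home_t
```

Feed it a real line with `ausearch -m AVC -ts recent | grep 'avc:' | while read -r l; do avc_diagnose "$l"; done`; a "type" result means the allow rule is what is missing and sesearch is the next step, an "mcs" result means the object's categories need to go (restorecon) or match the guest's static seclabel.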