VM not able to access virtiofs folder due to SELinux restrictions

For a user session KVM/QEMU virtual machine I am trying to use virtiofs to share a folder between guest (windows11) and host (fedora 40), but I get an error:

error: Failed to start domain 'win11'
error: internal error: process exited while connecting to monitor: 2024-06-27T12:34:36.795427Z qemu-system-x86_64: -chardev socket,id=chr-vu-fs0,path=/home/USER/.config/libvirt/qemu/lib/domain-20-win11/fs0-fs.sock: Failed to connect to '/home/USER/.config/libvirt/qemu/lib/domain-20-win11/fs0-fs.sock': Permission denied

and in the logs I will get this message about selinux not allowing for the socket to be created:

audit[18329]: AVC avc:  denied  { connectto } for  pid=18329 comm="qemu-system-x86" path="/home/USER/.config/libvirt/qemu/lib/domain-17-win11/fs0-fs.sock" scontext=unconfined_u:unconfined_r:svirt_t:s0:c353,c434 tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c353,c434 tclass=unix_stream_socket permissive=0

When setting selinux to permissive it works as expected. Fiddling around with selinux a bit I tried:

semanage fcontext -a -f s -t svirt_socket_t /home/[^/]+/\.config/libvirt/domain-[^/]+/.+\.sock


semanage fcontext -a -f s -t svirt_image_t /home/[^/]+/\.config/libvirt/domain-[^/]+/.+\.sock

but no cigar…

I think it might be that the socket is created ok but then selinux is preventing qemu-system-x86 to connect to the newly created socket? But how to tell selinux it’s ok? Any tips on how to proceed would be much appreciated.

Found a solution, added the TE rule:

allow svirt_t unconfined_t:unix_stream_socket connectto;

then it also worked with selinux set to enforcing.

1 Like