Hi guys.
I've upgraded from CentOS 9 to 10 - I did not have any custom
fcontext labels there - all still works in CentOS 9.
Now, with the same paths, SELinux does not let virt start
virtual machines.
-> $ sealert -l d039a67f-6e33-4faa-9e95-09cd4480164b
...
Additional Information:
Source Context                system_u:system_r:virtqemud_t:s0
Target Context                system_u:object_r:qemu_var_run_t:s0
Target Objects                ubusrv1_VARS.fd [ file ]
Source                        rpc-virtqemud
Source Path                   /usr/sbin/virtqemud
Port                          <Unknown>
Host                          dzien.mine.priv
Source RPM Packages           libvirt-daemon-driver-qemu-11.10.0-4.el10.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-42.1.16-1.el10.noarch
Local Policy RPM              selinux-policy-targeted-42.1.16-1.el10.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dzien.mine.priv
Platform                      Linux dzien.mine.priv 6.18.13-1.el10.x86_64 #1 SMP PREEMPT_DYNAMIC Fri Feb 20 07:21:36 UTC 2026 x86_64
Alert Count                   17
First Seen                    2026-02-23 10:18:58 CET
Last Seen                     2026-02-23 11:50:47 CET
Local ID                      d039a67f-6e33-4faa-9e95-09cd4480164b

Raw Audit Messages
type=AVC msg=audit(1771843847.650:2619): avc: denied { relabelto } for pid=75097 comm="rpc-virtqemud" name="ubusrv1_VARS.fd" dev="dm-1" ino=134359259 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:qemu_var_run_t:s0 tclass=file permissive=1

type=SYSCALL msg=audit(1771843847.650:2619): arch=x86_64 syscall=setxattr success=yes exit=0 a0=55b4b4c7fc10 a1=7f8a6a7d01ac a2=7f8a4c01ff10 a3=24 items=0 ppid=10743 pid=75097 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null)

This is the file from the libvirt XML domain:
/var/lib/libvirt/qemu/nvram/ubusrv1_VARS.fd
Snippet of XML:
<os>
  <type arch='x86_64' machine='pc-q35-rhel9.6.0'>hvm</type>
  <loader readonly='yes' secure='yes' type='pflash'>/usr/share/edk2/ovmf/OVMF_CODE.secboot.fd</loader>
  <nvram>/var/lib/libvirt/qemu/nvram/ubusrv1_VARS.fd</nvram>
  <boot dev='hd'/>
  <boot dev='network'/>
  <bootmenu enable='yes'/>
</os>
..
Do the default SELinux policies need a fix, or is the default location
for those nvram files different in CentOS 10, would you know?
Many thanks, L.