New versions of libvirt separate the logging functionality from the main code into a new virtlogd daemon. The new daemon is not defined in the sec-policy/selinux-virt module policy.

# eselect rc start libvirtd
Starting init script
Authenticating root.
Password:
 * Caching service dependencies ... [ ok ]
 * Starting virtlogd ...
2017-10-14 18:32:30.385+0000: 4584: info : libvirt version: 3.6.0
2017-10-14 18:32:30.385+0000: 4584: info : hostname: XXXX
2017-10-14 18:32:30.385+0000: 4584: error : main:972 : Can't load config file: Failed to open file '/etc/libvirt/virtlogd.conf': Permission denied: /etc/libvirt/virtlogd.conf
 * start-stop-daemon: failed to start `/usr/sbin/virtlogd'
 * Failed to start virtlogd [ !! ]
 * ERROR: virtlogd failed to start
 * ERROR: cannot start libvirtd as virtlogd would not start

# ls -lZ `which virtlogd`
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 712112 Oct 14 21:27 /usr/sbin/virtlogd

# matchpathcon /usr/sbin/virtlogd
/usr/sbin/virtlogd system_u:object_r:bin_t:s0

# qlist -ICv sec-policy/selinux-virt
sec-policy/selinux-virt-2.20170204-r4

The last unstable sec-policy/selinux-virt version, 2.20170805-r2, still does not contain a virtlogd type definition with the related resource access.

Yeah, I've got some tentative patches for this but haven't gotten around to cleaning them up and merging yet :(

https://github.com/perfinion/hardened-refpolicy/commits/next

It used to work before; I'm not sure if there have been more changes that need updating. I'll try and clean these up soon.

# seinfo -t virtlogd_t -x
Types: 1
   type virtlogd_t, domain, daemon;

I can see the type already in the policy. Do you want any other action to be done?