This is a follow up on RHEL-40887. smooney@redhat.com called out that OpenStack VMs create their console logs under non default paths. This seems to not be working at this point. Unsure if this is due to missing dependencies. This issue is to help clarify.

What were you trying to do that didn't work?

Run Openstack VM on RHEL 10.0

What is the impact of this issue to you?

? smooney@redhat.com

Please provide the package NVR for which the bug is seen:

selinux-policy-41.25-1.fc42.noarch
selinux-policy-40.13.14-1.el10.noarch

How reproducible is this bug?:

100%

Steps to reproduce

1. Configure a VM with one of the following two consoles

   1.  <console type="pty">
        <log file="/var/lib/console.log" append="on"/>
        ...
      </console>

   2. <console type="file">
        <source path="/var/lib/console.log"/>
        ...
      </console>

2. Make sure SELinux is enforcing
3. Start the VM

Expected results

The VM starts and the console output is written to the file.

Actual results

error: Failed to start domain 'rhel9'
error: Unable to open file: /var/lib/console.log: Permission denied

Additional notes

1. With Permissive the VM starts well.
2. Audit log for denial

   type=SERVICE_START msg=audit(1732183181.763:736): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=virtqemud comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
   type=VIRT_MACHINE_ID msg=audit(1732183205.463:737): pid=382368 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm vm="rhel9" uuid=2213e76f-942a-43ad-8ce4-82c041071cc2 vm-ctx=system_u:system_r:svirt_t:s0:c191,c703 img-ctx=system_u:object_r:svirt_image_t:s0:c191,c703 model=selinux exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
   type=VIRT_MACHINE_ID msg=audit(1732183205.463:738): pid=382368 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm vm="rhel9" uuid=2213e76f-942a-43ad-8ce4-82c041071cc2 vm-ctx=+107:+107 img-ctx=+107:+107 model=dac exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
   type=AVC msg=audit(1732183205.463:739): avc:  denied  { write } for  pid=375987 comm="virtlogd" name="lib" dev="dm-9" ino=3014658 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
   type=SYSCALL msg=audit(1732183205.463:739): arch=80000016 syscall=288 success=no exit=-13 a0=ffffffffffffff9c a1=2aa1635b7b0 a2=80441 a3=180 items=1 ppid=1 pid=375987 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlogd" exe="/usr/sbin/virtlogd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)^]ARCH=s390x SYSCALL=openat AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
   type=CWD msg=audit(1732183205.463:739): cwd="/"
   type=PATH msg=audit(1732183205.463:739): item=0 name="/var/lib/" inode=3014658 dev=fd:09 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0^]OUID="root" OGID="root"
   type=PROCTITLE msg=audit(1732183205.463:739): proctitle="/usr/sbin/virtlogd"
   type=VIRT_RESOURCE msg=audit(1732183205.473:740): pid=382368 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=disk reason=start vm="rhel9" uuid=2213e76f-942a-43ad-8ce4-82c041071cc2 old-disk="?" new-disk="/var/lib/libvirt/images/RHEL-9.5-s390x-latest.qcow2" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
   type=VIRT_RESOURCE msg=audit(1732183205.473:741): pid=382368 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=net reason=start vm="rhel9" uuid=2213e76f-942a-43ad-8ce4-82c041071cc2 old-net="?" new-net="52:54:00:42:96:ac" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
   type=VIRT_RESOURCE msg=audit(1732183205.473:742): pid=382368 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=rng reason=start vm="rhel9" uuid=2213e76f-942a-43ad-8ce4-82c041071cc2 old-rng="?" new-rng="/dev/urandom" exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
   type=VIRT_RESOURCE msg=audit(1732183205.473:743): pid=382368 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=mem reason=start vm="rhel9" uuid=2213e76f-942a-43ad-8ce4-82c041071cc2 old-mem=0 new-mem=2097152 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
   type=VIRT_RESOURCE msg=audit(1732183205.473:744): pid=382368 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm resrc=vcpu reason=start vm="rhel9" uuid=2213e76f-942a-43ad-8ce4-82c041071cc2 old-vcpu=0 new-vcpu=2 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
   type=VIRT_CONTROL msg=audit(1732183205.473:745): pid=382368 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:virtqemud_t:s0 msg='virt=kvm op=start reason=booted vm="rhel9" uuid=2213e76f-942a-43ad-8ce4-82c041071cc2 vm-pid=0 exe="/usr/sbin/virtqemud" hostname=? addr=? terminal=? res=failed'^]UID="root" AUID="unset"