Bug
Resolution: Unresolved
Normal
rhel-10.0.beta
rhel-security-selinux
ssg_security
Release Note Not Required
What were you trying to do that didn't work?
Destroy a domain. Then get an AVC msg
What is the impact of this issue to you?
AVC denial msg
Please provide the package NVR for which the bug is seen:
libvirt-10.10.0-1.el10.x86_64
qemu-kvm-9.1.0-7.el10.x86_64
selinux-policy-40.13.16-1.el10.noarch
How reproducible is this bug?:
50%. It depends on when the SIGKILL from `virsh destroy` happens
Steps to reproduce
According to the doc for virDomainDestroyFlags (https://libvirt.org/html/libvirt-libvirt-domain.html#virDomainDestroyFlags):
Calling this function with no flags set (equal to zero) is equivalent to calling virDomainDestroy, and after a reasonable timeout will forcefully terminate the guest (e.g. SIGKILL) if necessary (which may produce undesirable results, for example unflushed disk cache in the guest).
The key point to reproduce this issue is to make virtqemud forcefully terminate the guest.
Here is an example that may reproduce it:
    #!/bin/bash
    virsh create domain.xml
    # attach strace to the newest qemu-kvm process so the signal delivered by
    # "virsh destroy" shows up in the trace log
    strace -p $(pgrep qemu-kvm | tail -1) -o log &
    sleep 60
    virsh destroy avocado-vt-vm1
If there is SIGKILL in strace log, it means the bug is reproduced. Then check the audit log for the AVC denial:
type=AVC msg=audit(1733279381.000:24999): avc: denied { sigkill } for pid=604121 comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:svirt_t:s0:c4,c878 tclass=process permissive=1
Scripts and the domain XML for reproducing: reproduce.tar.gz
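To make the audit-log check above repeatable, here is a small Python script that parses type=AVC records and picks out the one this report is about (a denied sigkill from virtqemud_t against a svirt_t guest process). It is added here as an illustration and is not part of the original report, nor code from libvirt or selinux-policy. The first sample line is the record quoted above; the second and third lines are constructed filler (an unrelated file denial and a SYSCALL record) to show that the filter ignores them. It also reports whether permissive=1 was set, i.e. whether the access was only logged rather than blocked.

```python
import re
from typing import Optional

# Constructed sample log: line 1 is the AVC record from this report, lines 2 and 3
# are made-up records (an unrelated file denial and a non-AVC SYSCALL line).
SAMPLE_LOG = [
    'type=AVC msg=audit(1733279381.000:24999): avc: denied { sigkill } for pid=604121 '
    'comm="rpc-virtqemud" scontext=system_u:system_r:virtqemud_t:s0 '
    'tcontext=system_u:system_r:svirt_t:s0:c4,c878 tclass=process permissive=1',
    'type=AVC msg=audit(1733279400.123:25001): avc:  denied  { read } for  pid=1234 '
    'comm="cat" name="shadow" dev="dm-0" ino=42 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1733279381.000:24999): arch=c000003e syscall=62 success=yes',
]

# Header of an AVC record: timestamp:serial, result, the permission set in braces,
# then the key=value fields after "for".
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+"
    r"(?P<rest>.*)$"
)
# key=value pairs; values such as comm="..." are quoted, the rest are bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one audit line into a dict of fields, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:range]; the type is what a policy rule is written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    # permissive=1 means the access was allowed but logged; in enforcing mode it would be blocked.
    rec["enforced"] = rec.get("permissive", "0") == "0"
    return rec


def is_virtqemud_kill_of_guest(rec: dict) -> bool:
    """True for the denial pattern in this report: virtqemud_t sending sigkill to a svirt_t process."""
    return (
        rec["result"] == "denied"
        and rec.get("tclass") == "process"
        and rec.get("scontext_type") == "virtqemud_t"
        and rec.get("tcontext_type") == "svirt_t"
        and "sigkill" in rec["perms"]
    )


def find_guest_kill_denials(lines) -> list:
    """Return the parsed AVC records that match the virtqemud -> svirt_t sigkill pattern."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None and is_virtqemud_kill_of_guest(rec):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_guest_kill_denials(SAMPLE_LOG):
        mode = "enforced" if rec["enforced"] else "permissive (logged only)"
        print(f"serial {rec['serial']}: pid {rec['pid']} ({rec['comm']}) "
              f"{rec['scontext_type']} -> {rec['tcontext_type']} {rec['perms']} [{mode}]")
```

Run it against a real file with, for example, `find_guest_kill_denials(open("/var/log/audit/audit.log"))`; the regex tolerates the double spaces auditd writes around "denied" and the braces.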
Expected results
No AVC denial
Actual results
As above