- Bug
- Resolution: Unresolved
- Normal
- rhel-10.0
- selinux-policy-40.13.22-1.el10
- Yes
- Moderate
- 1
- rhel-sst-security-selinux
- ssg_security
- 23
- 0.5
- QE ack
- False
- No
- Red Hat Enterprise Linux
- SELINUX 250129: 1
- Pass
- Automated
- Release Note Not Required
- None
What were you trying to do that didn't work?
Triggered by https://bugzilla.redhat.com/show_bug.cgi?id=2328030, I created some integration tests for cockpit-machines for a Linux user with the sysadm_u role (instead of the default unconfined_u) in https://github.com/cockpit-project/cockpit-machines/pull/1975. This works fine in Fedora and RHEL 8/9, but regressed for RHEL/CentOS 10.
What is the impact of this issue to you?
sysadm_u users cannot use libvirt-dbus/cockpit-machines any more.
Please provide the package NVR for which the bug is seen:
selinux-policy-40.13.21-1.el10.noarch
libvirt-daemon-10.10.0-2.el10.x86_64
libvirt-daemon-common-10.10.0-2.el10.x86_64
How reproducible is this bug?
Always
Steps to reproduce
As a system_u user:
$ id
uid=1003(test_libvirt_user) gid=1003(test_libvirt_user) groups=1003(test_libvirt_user),985(libvirt) context=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023
$ busctl call org.libvirt /org/libvirt/QEMU org.libvirt.Connect ListDomains u 0
Call failed: Access denied
Expected results
ListDomains call should succeed, as it does after setenforce 0.
Actual results
Call fails. The only journal message is
dbus-broker[762]: A security policy denied :1.128 to send method call /org/libvirt/QEMU:org.libvirt.Connect.ListDomains to org.libvirt.
- links to
- RHBA-2024:140162 selinux-policy bug fix and enhancement update