Bug, Resolution: Unresolved, Minor, rhel-10.1, Moderate, rhel-security-selinux / ssg_security, QE ack, SELINUX 250625: 8, SELINUX 250716: 9, Automated, Release Note Not Required
What were you trying to do that didn't work?
AVC denials happen when starting a guest with dbus graphics.
This issue is related to the new RDP-backed graphics feature, which is not yet supported by qemu, so this issue is filed as an RFE bug.
Please provide the package NVR for which bug is seen:
libvirt-11.2.0-1.el10.x86_64
qemu-kvm-10.0.0-0.rc4.el10.preview.x86_64
How reproducible:
100%
Steps to reproduce
1. Prepare a guest with dbus graphics.
# virsh dumpxml rhel --xpath //graphics
<graphics type="dbus"/>
2. Start the guest.
# virsh start rhel
error: Failed to start domain 'rhel'
error: can't open log context: Unable to open file: /run/libvirt/qemu/dbus/3-rhel.log: Permission denied
Expected results
Can start guest.
Actual results
Start guest failed.
Additional info
- This feature is not yet supported, so the severity is Low, but as Peter pointed out, virtlogd should be able to access that path.
- The guest can start with permissive mode.
- The log:
time->Sun Apr 20 22:57:37 2025
type=PROCTITLE msg=audit(1745204257.379:27159): proctitle="/usr/sbin/virtlogd"
type=SYSCALL msg=audit(1745204257.379:27159): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5651733e0bd0 a2=80441 a3=180 items=0 ppid=1 pid=44041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlogd" exe="/usr/sbin/virtlogd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1745204257.379:27159): avc: denied { dac_override } for pid=44041 comm="virtlogd" capability=1 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1745204257.379:27159): avc: denied { dac_read_search } for pid=44041 comm="virtlogd" capability=2 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability permissive=0
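As an added triage example (not part of this bug report or of libvirt): the script below parses the audit records above, correlates the AVC denials with their SYSCALL record by event serial, and flags capability denials for dac_override/dac_read_search, which normally mean the DAC owner or mode of the path the process opened should be fixed rather than the capability granted to the domain. The sample records are copied from this report's log and embedded as a constructed string; the hint texts are the example's own.

```python
import re

# Constructed sample: the SYSCALL and AVC records from this bug's audit log, one record per line.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1745204257.379:27159): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=5651733e0bd0 a2=80441 a3=180 items=0 ppid=1 pid=44041 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="virtlogd" exe="/usr/sbin/virtlogd" subj=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1745204257.379:27159): avc: denied { dac_override } for pid=44041 comm="virtlogd" capability=1 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1745204257.379:27159): avc: denied { dac_read_search } for pid=44041 comm="virtlogd" capability=2 scontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:virtlogd_t:s0-s0:c0.c1023 tclass=capability permissive=0
"""

EVENT_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group audit lines by event serial; keep the SYSCALL fields and every AVC denial."""
    events = {}
    for line in text.splitlines():
        ev = EVENT_RE.search(line)
        if not ev:
            continue
        event = events.setdefault(ev.group('serial'), {'syscall': {}, 'avcs': []})
        avc = AVC_RE.search(line)
        if avc:
            fields = {k: v.strip('"') for k, v in KV_RE.findall(avc.group('rest'))}
            fields['perms'] = avc.group('perms').split()
            event['avcs'].append(fields)
        elif line.startswith('type=SYSCALL'):
            event['syscall'] = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return events

def triage(text):
    """One finding per event: source domain, object class, denied permissions, whether the
    denial was enforced and the syscall really failed, and the first thing to check."""
    findings = []
    for serial, ev in parse_records(text).items():
        perms = sorted({p for a in ev['avcs'] for p in a['perms']})
        if not perms:
            continue  # PROCTITLE-only or otherwise uninteresting event
        domain = ev['avcs'][0]['scontext'].split(':')[2]   # e.g. virtlogd_t
        tclass = ev['avcs'][0]['tclass']
        if tclass == 'capability' and set(perms) & {'dac_override', 'dac_read_search'}:
            hint = ('DAC bypass refused: check owner/mode of the path the process opened '
                    'before adding the capability to the domain')
        else:
            hint = 'inspect the raw denial with audit2allow -w'
        findings.append({'serial': serial, 'domain': domain, 'tclass': tclass, 'perms': perms,
                         'enforced': any(a.get('permissive') == '0' for a in ev['avcs']),
                         'failed': ev['syscall'].get('success') == 'no', 'hint': hint})
    return findings
```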