r/vmhost: Work around libvirt SELinux policy bug

With the transition to modular _libvirt_ daemons, the SELinux policy is a bit more granular. Unfortunately, the new policy has a funny [bug]: it assumes directories named `storage` under `/run/libvirt` must be for _virtstoraged_ and labels them as such, which prevents _virtnetworkd_ from managing a virtual network named `storage`. To work around this, we need to give `/run/libvirt/network` a special label so that its children do not match the file transition pattern for _virtstoraged_ and thus keep their `virtnetworkd_var_run_t` label. [bug]: https://bugzilla.redhat.com/show_bug.cgi?id=2362040
2025-07-28 18:23:24 -05:00 · 2025-07-28 18:23:24 -05:00 · 3270011fee
parent 2ee86f6344
commit 3270011fee
2 changed files with 28 additions and 0 deletions
--- a/roles/vmhost/files/fix-run-libvirt-network.conf
+++ b/roles/vmhost/files/fix-run-libvirt-network.conf
@ -0,0 +1,3 @@
+[Service]
+ExecStartPre=+/bin/mkdir -p %t/libvirt/network
+ExecStartPre=+/bin/chcon -t virtnetworkd_var_run_t %t/libvirt/network
--- a/roles/vmhost/tasks/main.yml
+++ b/roles/vmhost/tasks/main.yml
@ -40,6 +40,31 @@
  tags:
  - log-dir

+- name: ensure virtnetworkd.service drop-in directory exists
+  file:
+    path: /etc/systemd/system/virtnetworkd.service.d
+    owner: root
+    group: root
+    mode: u=rwx,go=rx
+    state: directory
+  tags:
+  - systemd
+  - virtnetworkd-selinux-bug
+  - 'rhbz#2362040'
+- name: 'ensure virtnetworkd selinux bug work-around is in place (rhbz#2362040)'
+  copy:
+    src: fix-run-libvirt-network.conf
+    dest: /etc/systemd/system/virtnetworkd.service.d/
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload systemd
+  tags:
+  - systemd
+  - virtnetworkd-selinux-bug
+  - 'rhbz#2362040'
+
 - name: ensure libvirtd starts at boot
  service:
    name: '{{ item }}'