From 3270011fee1f5faac89d647c03c4b11957ce77f1 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 28 Jul 2025 18:23:24 -0500
Subject: [PATCH] r/vmhost: Work around libvirt SELinux policy bug

With the transition to modular _libvirt_ daemons, the SELinux policy is a bit more granular. Unfortunately, the new policy has a funny [bug]: it assumes directories named `storage` under `/run/libvirt` must be for _virtstoraged_ and labels them as such, which prevents _virtnetworkd_ from managing a virtual network named `storage`. To work around this, we need to give `/run/libvirt/network` a special label so that its children do not match the file transition pattern for _virtstoraged_ and thus keep their `virtnetworkd_var_run_t` label.
[bug]: https://bugzilla.redhat.com/show_bug.cgi?id=2362040
---
.../vmhost/files/fix-run-libvirt-network.conf | 3 +++
roles/vmhost/tasks/main.yml | 25 +++++++++++++++++++
2 files changed, 28 insertions(+)
create mode 100644 roles/vmhost/files/fix-run-libvirt-network.conf
diff --git a/roles/vmhost/files/fix-run-libvirt-network.conf b/roles/vmhost/files/fix-run-libvirt-network.conf
new file mode 100644
index 0000000..710aaf5
--- /dev/null
+++ b/roles/vmhost/files/fix-run-libvirt-network.conf
@@ -0,0 +1,3 @@
+[Service]
+ExecStartPre=+/bin/mkdir -p %t/libvirt/network
+ExecStartPre=+/bin/chcon -t virtnetworkd_var_run_t %t/libvirt/network
diff --git a/roles/vmhost/tasks/main.yml b/roles/vmhost/tasks/main.yml
index 93ffa3f..b492095 100644
--- a/roles/vmhost/tasks/main.yml
+++ b/roles/vmhost/tasks/main.yml
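Review bot: The `chcon` ExecStartPre line turns any relabel failure into a start failure of virtnetworkd.service, because a non-zero exit from an ExecStartPre aborts the unit; on a host where SELinux is disabled, or whose policy may not define `virtnetworkd_var_run_t`, chcon typically exits non-zero and the work-around then takes the network daemon down with it. If that is not intended, mark the step best-effort with `ExecStartPre=-+/bin/chcon -t virtnetworkd_var_run_t %t/libvirt/network` (the `-` prefix ignores the exit status and may be combined with `+`). The drop-in also carries no comment saying why it exists; a line such as `# rhbz#2362040: keep %t/libvirt/network out of the virtstoraged file-transition rule` above `[Service]` would spare the next maintainer a trip through git log. Worth noting in that comment too that the label is applied only at service start, so a later `restorecon` of /run/libvirt would undo it; this is a runtime work-around, not a persistent file-context rule.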
@@ -40,6 +40,31 @@
 tags:
 - log-dir
 
+- name: ensure virtnetworkd.service drop-in directory exists
+ file:
+ path: /etc/systemd/system/virtnetworkd.service.d
+ owner: root
+ group: root
+ mode: u=rwx,go=rx
+ state: directory
+ tags:
+ - systemd
+ - virtnetworkd-selinux-bug
+ - 'rhbz#2362040'
+- name: 'ensure virtnetworkd selinux bug work-around is in place (rhbz#2362040)'
+ copy:
+ src: fix-run-libvirt-network.conf
+ dest: /etc/systemd/system/virtnetworkd.service.d/
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload systemd
+ tags:
+ - systemd
+ - virtnetworkd-selinux-bug
+ - 'rhbz#2362040'
+
 - name: ensure libvirtd starts at boot
 service:
 name: '{{ item }}'
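Review bot: The `copy` task notifies only `reload systemd`, so on a host where virtnetworkd.service is already running the new ExecStartPre lines do nothing until the service next starts, and `/run/libvirt/network` keeps whatever label it currently has; a daemon-reload re-reads unit files but does not re-run ExecStartPre. If the role defines a handler that restarts virtnetworkd, add it to the `notify` list alongside `- reload systemd` (whatever name the role uses for it); otherwise a comment on the task, such as `# drop-in takes effect on the next start of virtnetworkd.service`, would at least make the limitation visible. The directory path `/etc/systemd/system/virtnetworkd.service.d` is spelled out in both the `file` and `copy` tasks; a single role variable (constructed example: `vmhost_virtnetworkd_dropin_dir`) would keep `path:` and `dest:` from drifting apart.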