Only libvirtd uses virtd_t/virt_exec_t context, modular daemons use
their specific context each.
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
run.in | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/run.in b/run.in
index 2821b71230..d8db7cf697 100644
--- a/run.in
+++ b/run.in
@@ -202,10 +202,11 @@ else:
stopped_units.append(unit)
if opts.selinux:
+ progname = os.path.basename(prog)
# if using a wrapper command like 'gdb', setting the selinux
# context won't work because the wrapper command will not be a
# valid entrypoint for the virtd_t context
- if os.path.basename(prog) not in ["libvirtd", *modular_daemons]:
+ if progname not in ["libvirtd", *modular_daemons]:
raise Exception("'{}' is not recognized as a valid daemon.
"
"Selinux process context can only be set when
"
"executing a daemon directly without wrapper "
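Review bot: the comment above the renamed check ("valid entrypoint for the virtd_t context") is now inaccurate for the modular daemons, since the rest of this patch derives a per-daemon context from `progname`; suggest rewording it to something like "valid entrypoint for the daemon's SELinux domain" so the comment matches what the check is guarding. Introducing `progname` itself is fine, but it is only used once in this hunk and once later for the context derivation, so a short comment on why the basename is the key (the binary name is expected to match the SELinux domain name) would help the next reader.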
@@ -216,17 +217,22 @@ else:
"'{}' outside build directory"
.format(progpath))
+ if progname == "libvirtd":
+ context = "virtd"
+ else:
+ context = progname
+
# selinux won't allow us to transition to the virtd_t context from
# e.g. the user_home_t context (the likely label of the local
# executable file)
- if not chcon(progpath, "system_u", "object_r",
"virtd_exec_t"):
+ if not chcon(progpath, "system_u", "object_r",
f"{context}_exec_t"):
raise Exception("Failed to change selinux context of binary")
dorestorecon = True
args = ['runcon',
'-u', 'system_u',
'-r', 'system_r',
- '-t', 'virtd_t', *args]
+ '-t', f'{context}_t', *args]
print("Running '%s'..." % str(" ".join(args)))
ret = subprocess.call(args, env=env)
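Review bot: the `context = progname` branch silently assumes that every entry in `modular_daemons` has an SELinux domain `<name>_t` and file type `<name>_exec_t` named exactly after its binary, with libvirtd the only exception (`virtd`); that assumption is neither checked nor documented. Suggest either a comment stating it explicitly, or replacing the if/else with a name-to-type mapping (e.g. `{"libvirtd": "virtd"}` with a `.get(progname, progname)` fallback) so future exceptions land in one place. The comment just below ("selinux won't allow us to transition to the virtd_t context") should also be updated now that the target type is `f"{context}_t"`, and the `chcon` failure message could include `f"{context}_exec_t"` so a policy that lacks the derived type is diagnosable from the error rather than only from the preceding `print`. Note the f-strings require Python 3.6+; fine if that is already the baseline for run.in.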
--
2.48.1
On 2/24/25 14:49, Jiri Denemark wrote:
Only libvirtd uses virtd_t/virt_exec_t context, modular daemons use
their specific context each.
Signed-off-by: Jiri Denemark <jdenemar(a)redhat.com>
---
run.in | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
Michal