...

The default (boot-time) behaviour is defined in "/etc/selinux/config": SELINUX= sets the mode (enforcing, permissive or disabled) and SELINUXTYPE= selects the policy that gets loaded.

You can get the current SELinux mode of a VM by running getenforce; setenforce 0 / setenforce 1 switches between permissive and enforcing at runtime, but only until the next boot, when "/etc/selinux/config" applies again.
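As an added example (not from the original page), the following POSIX shell snippet compares the boot-time default in "/etc/selinux/config" with the live mode reported by getenforce, so that a VM left in permissive mode by an earlier setenforce 0 does not go unnoticed. The config file it reads is a constructed sample written to a temporary file; point configured_mode at /etc/selinux/config on a real VM.

```shell
# Added example (not from the original page): report the configured SELinux
# mode from a config file and the running mode from getenforce, and say
# whether they agree.

# Print the SELINUX= value (enforcing|permissive|disabled) from a config file.
# Commented-out assignments are skipped; the last live assignment wins.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1
}

# Print the live mode, lowercased so it compares with the config spelling.
running_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo "unknown"   # not an SELinux host (e.g. when run outside the VM)
    fi
}

# Exit status 0 when configured and running modes agree, 1 otherwise.
modes_agree() {
    [ "$(configured_mode "$1")" = "$(running_mode)" ]
}

# Constructed sample config standing in for /etc/selinux/config on the VM.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
# This file controls the state of SELinux on the system.
#SELINUX=disabled
SELINUX=enforcing
SELINUXTYPE=targeted
EOF

echo "configured: $(configured_mode "$SAMPLE_CONFIG")"
echo "running:    $(running_mode)"
if modes_agree "$SAMPLE_CONFIG"; then
    echo "modes agree"
else
    echo "mismatch: someone changed the mode at runtime, or this is not the VM"
fi
```

Run it on the VM as root; a mismatch with "running: permissive" means denials are being logged but not enforced, which is convenient while developing policy and dangerous if forgotten.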

...

Then get the errors from the logs; in SELinux parlance these are AVC (access vector cache) denials. For example, grep avc /var/log/messages | grep <program> lists <program>'s denials. Collect them with the VM in permissive mode: in enforcing mode the program stops at the first refused access, so you only ever see the first denial of each sequence.

Say, for example, that you just added V4V communication to the program fish. grep avc /var/log/messages | grep fish gives you:

[...] avc:  denied  { open } for  pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
[...] avc:  denied  { read } for  pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
[...] avc:  denied  { write } for  pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file

...

For our example, there is a macro in "policy/support/obj_perm_sets.spt": define(`rw_chr_file_perms',`{ getattr open read write append ioctl lock }'). The three denied permissions (open, read and write) are a subset of that set, so rw_chr_file_perms is the permission set to look for in the interfaces.

...

...[a few greps later]...

"policy/modules/system/xc_files.if" defines the interface xc_files_rw_v4v_chr, which takes one argument: the source domain, i.e. the type of the calling process (fish_t in our example).
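The three steps above (collect the denials, match the denied permissions to a permission-set macro, find the interface that grants it) are mechanical enough to script. The following Python is an added example, not code from the original page or from OpenXT: it parses AVC lines as the grep surfaces them, aggregates permissions per (source type, target type, class), picks the smallest macro that covers them, and emits an interface call where one is known. The log lines are constructed to match the ones quoted on the page; rw_chr_file_perms is the set quoted on the page, read_chr_file_perms and write_chr_file_perms are assumed from refpolicy's obj_perm_sets.spt and should be checked against your tree; the interface table holds only xc_files_rw_v4v_chr, as described above.

```python
"""Added example (not from the original page or OpenXT): turn AVC denials into
policy lines.  Assumptions: constructed log lines; the read_/write_ permission
sets are from memory of refpolicy's obj_perm_sets.spt (verify against your
tree); INTERFACES contains only the interface named on the page."""
import re
from collections import defaultdict

# Fields needed from one "avc: denied { perms } for ... scontext= tcontext= tclass=" line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Permission-set macros per object class (policy/support/obj_perm_sets.spt).
PERM_SETS = {
    "chr_file": {
        "read_chr_file_perms": {"getattr", "open", "read", "lock", "ioctl"},             # assumed
        "write_chr_file_perms": {"getattr", "open", "write", "append", "lock", "ioctl"},  # assumed
        "rw_chr_file_perms": {"getattr", "open", "read", "write", "append", "ioctl", "lock"},  # on the page
    },
}

# (target type, class, macro) -> interface granting it to a domain (xc_files.if, per the page).
INTERFACES = {
    ("v4v_t", "chr_file", "rw_chr_file_perms"): "xc_files_rw_v4v_chr",
}


def type_of(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(lines):
    """Aggregate denials: {(source type, target type, tclass): set of permissions}."""
    denied = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial line
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return dict(denied)


def covering_set(tclass, perms):
    """Smallest known macro for tclass that includes every observed permission,
    or None if no macro fits (then an explicit permission list is needed)."""
    fits = [(len(s), name) for name, s in PERM_SETS.get(tclass, {}).items() if perms <= s]
    return min(fits)[1] if fits else None


def suggest_rules(lines):
    """One policy line per aggregated denial: an interface call where one is
    known, a macro-based allow where a macro covers the permissions, otherwise
    an explicit allow listing exactly the denied permissions."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(parse_avc(lines).items()):
        macro = covering_set(tclass, perms)
        iface = INTERFACES.get((ttype, tclass, macro))
        if iface:
            rules.append(f"{iface}({stype})")
        elif macro:
            rules.append(f"allow {stype} {ttype}:{tclass} {macro};")
        else:
            rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


# Constructed sample log: the three denials quoted on the page, one unrelated
# syslog line, and one made-up directory denial to show grouping by target.
SAMPLE_LOG = [
    'dom0 kernel: avc:  denied  { open } for  pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file',
    'dom0 sshd[412]: Accepted publickey for root from 10.0.0.2 port 5022 ssh2',
    'dom0 kernel: avc:  denied  { read } for  pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file',
    'dom0 kernel: avc:  denied  { write } for  pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file',
    'dom0 kernel: avc:  denied  { search } for  pid=131 comm="fish" name="/" dev=tmpfs ino=1 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir',
]

if __name__ == "__main__":
    for rule in suggest_rules(SAMPLE_LOG):
        print(rule)
```

For the page's denials this yields xc_files_rw_v4v_chr(fish_t), which is the line to add to fish's policy module. Two caveats: rw_chr_file_perms also grants append, ioctl and lock, which were never observed, so check that the broader set is acceptable for the device before accepting the suggestion; and a raw allow on another module's type (the constructed tmp_t case) is the cue to look for, or write, an interface in that module rather than bypassing it.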

...