...
You can get the current SELinux state of a VM by running "getenforce".
You can set the current SELinux state of a VM by running "setenforce", followed by 0 for Permissive or 1 for Enforcing. This only switches between Permissive and Enforcing at runtime: it does not persist across a reboot, and it cannot enable SELinux on a system that booted with it disabled.
SELinux is also used to separate QEMU processes from each other, using an architecture known as sVirt. Our implementation of sVirt is documented on the sVirt page of OpenXT's predecessor.
...
First, you need to be in Permissive mode before running your program. Otherwise, SELinux could block it too early to trigger all the denials: in Enforcing mode the first denied access usually makes the program fail, so you would only see that first denial instead of the whole set your policy change needs to cover.
Then, get the errors from the logs; these are called AVCs (access vector cache messages) in the SELinux dialect. You can for example run "grep avc /var/log/messages | grep <program>" to get <program>'s denials.
Let's say, for example, that you just added V4V communications to the program fish. "grep avc /var/log/messages | grep fish" gives you:
[...] avc: denied { open } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
[...] avc: denied { read } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
[...] avc: denied { write } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
Each line gives you what you need for a rule: the source type (fish_t, from scontext), the target type (v4v_t, from tcontext), the object class (chr_file) and the denied permission between the braces.
...
For our example, there is a macro in policy/support/obj_perm_sets.spt:
define(`rw_chr_file_perms', `{ getattr open read write append ioctl lock }')
Its permission set includes the three denied ones (open, read, write) together with the others a process normally needs on a character device, so using it is preferable to allowing each denial one at a time and going through another round of Permissive-mode testing.
Let's use it! You can now write:
...
policy/modules/system/xc_files.if defines the interface xc_files_rw_v4v_chr, which takes one argument: the source domain, i.e. the type of the calling process (fish_t in our example).
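To tie the steps above together, here is an added example (not OpenXT's code and not part of the original page) of a small shell reducer that does by hand what audit2allow does: it reads "avc: denied" lines, keeps the source type, target type and object class, merges the denied permissions per triple, and prints one allow rule each. The sample log lines are constructed for this example, modelled on the fish/v4v denials above with a shortened syslog prefix and one extra ioctl denial added to show the merging; the function names avc2allow and sample_rules are made up here.

```shell
#!/bin/sh
# Added example (not OpenXT code): minimal audit2allow-style reducer for AVC denials.
# Real-world usage:  grep fish /var/log/messages | avc2allow
avc2allow() {
    grep 'avc: *denied' | awk '
    {
        # The denied permissions sit between the braces that follow "denied".
        perms = ""
        if (match($0, /denied +\{[^}]*\}/)) {
            perms = substr($0, RSTART, RLENGTH)
            sub(/denied +\{ */, "", perms)
            sub(/ *\}$/, "", perms)
        }
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { src = $i }
            else if ($i ~ /^tcontext=/) { tgt = $i }
            else if ($i ~ /^tclass=/) { cls = $i; sub(/^tclass=/, "", cls) }
        }
        # Skip lines that do not carry a complete denial.
        if (src == "" || tgt == "" || cls == "" || perms == "") next
        # Contexts are user:role:type:level; allow rules name only the type.
        split(src, s, ":"); split(tgt, t, ":")
        key = s[3] " " t[3] ":" cls
        if (!(key in rules)) { keys[++nkeys] = key; rules[key] = "" }
        # Merge permissions per (source, target, class), without duplicates.
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (!((key, p[j]) in seen)) { seen[key, p[j]] = 1; rules[key] = rules[key] " " p[j] }
    }
    END {
        for (k = 1; k <= nkeys; k++) printf "allow %s {%s };\n", keys[k], rules[keys[k]]
    }'
}

# Constructed sample input, modelled on the fish/v4v denials quoted above.
# The fourth line (ioctl) and the unrelated fifth line are added to exercise merging and filtering.
SAMPLE_AVC='kernel: avc: denied { open } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
kernel: avc: denied { read } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
kernel: avc: denied { write } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
kernel: avc: denied { ioctl } for pid=131 comm="fish" path="/dev/v4v_stream" dev=tmpfs ino=3626 scontext=system_u:system_r:fish_t:s0 tcontext=system_u:object_r:v4v_t:s0 tclass=chr_file
kernel: fish[131]: connected to v4v stream'

# Runs the reducer over the constructed sample; prints one allow rule.
sample_rules() { printf '%s\n' "$SAMPLE_AVC" | avc2allow; }
sample_rules
```

On a VM you would feed the real log through the function and then, rather than pasting the raw rule into fish.te, replace the generated permission list with the matching macro (rw_chr_file_perms) or, better, call the interface that wraps this access, xc_files_rw_v4v_chr(fish_t), so the rule keeps following the target's type. Read every generated rule before adding it: a reducer like this, exactly like audit2allow, will just as happily turn a genuine misbehaviour of the program into policy.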
...