mansecurityReviewed March 6, 2026
SELinux, virtd_t, and common denials
On SELinux enabled hosts, libvirt daemons run in controlled domains such as virtd t. Guest resources often carry svirt labels so the hypervisor can touch only what the policy allows. Why this breaks guest startup The gue
selinuxvirtd_tsvirtavc
On SELinux-enabled hosts, libvirt daemons run in controlled domains such as virtd_t. Guest resources often carry svirt_* labels so the hypervisor can touch only what the policy allows.
Why this breaks guest startup
The guest XML may be correct while SELinux blocks the disk path, firmware file, socket, or host device. That means the fix is usually labeling or policy, not a libvirt syntax change.
BASH
getenforce
ps -eZ | grep -E "virtqemud|libvirtd"
ausearch -m AVC,USER_AVC -ts recentCommon denial patterns
- Disk images stored in a random directory without the expected label.
- ISO files mounted from a path that the daemon domain cannot read.
- Shared folders or custom device nodes that never received the right context.
Fix pattern
BASH
ls -Z /var/lib/libvirt /var/lib/libvirt/images
restorecon -Rv /var/lib/libvirt
journalctl -t setroubleshoot -n 50If the storage path is intentionally outside the default tree, document the labeling strategy instead of relying on ad hoc fixes.