I developed a very good method of fixing SELinux problems.
When something is denied, clear the audit log file, try the same thing again, then run audit2why.
If you do it quickly in that order you will only get the denials relevant to that problem and you can add them to policy with audit2allow.
I've created some shortcuts where I can run cAuditLog to clear the log, a2y to run audit2why on the audit log, and a2a to create a module with the output of a2y.
With time I've learned to modify the policies by hand, so when something else pops up, I can edit the policy and recompile it.
It becomes easy to understand with time. Virt-manager can't open an iso in your downloads folder? Try running chcon -t virt_image_t <isoname>.
Virt manager wants to relabel that image? Add it to the policy module by adding 'allow virtd_t xdg_downloads:file { relabelto relabelfrom open read write };'
Do a setenforce 0 before analyzing the problem, clear the log, run the blocked action, fix your labels/policies, setenforce 1, try again.
Also create a folder called 'selinux-policies' and create a folder for each program you want to make a custom policy for, for example a libvirt folder, and then name your policies 'local_<program>', for example local_libvirt.te and local_libvirt.pp.
When you want to check what local policies you have installed, you just need to run 'semodule -lfull | grep local'
Anonymous
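
Added example, not part of the original post: one way the shortcuts described above could be written as shell functions, with modules stored as selinux-policies/<program>/local_<program>. The names cAuditLog, a2y and a2a are the post's; the AUDIT_LOG and POLICY_DIR variables, the a2build helper, and feeding a2a from the audit log itself are assumptions made here.

```shell
# Shortcut names cAuditLog, a2y and a2a are from the post; AUDIT_LOG,
# POLICY_DIR and a2build are assumptions added for this example.
AUDIT_LOG="${AUDIT_LOG:-/var/log/audit/audit.log}"
POLICY_DIR="${POLICY_DIR:-$HOME/selinux-policies}"

# Truncate the audit log so the next attempt leaves only fresh denials.
cAuditLog() {
    : > "$AUDIT_LOG"
}

# Explain why each logged access was denied.
a2y() {
    audit2why < "$AUDIT_LOG"
}

# Generate local_<program>.te/.pp in selinux-policies/<program>/ from the log.
# Nothing is installed here, so the .te can be reviewed and trimmed first:
# audit2allow turns every logged denial into an allow rule.
a2a() {
    a2a_prog="$1"
    [ -n "$a2a_prog" ] || { echo "usage: a2a <program>" >&2; return 2; }
    [ -s "$AUDIT_LOG" ] || { echo "a2a: $AUDIT_LOG is empty" >&2; return 1; }
    mkdir -p "$POLICY_DIR/$a2a_prog" || return 1
    ( cd "$POLICY_DIR/$a2a_prog" && audit2allow -M "local_$a2a_prog" < "$AUDIT_LOG" )
}

# Recompile and install a module after editing its .te file by hand.
a2build() {
    a2b_mod="local_$1"
    a2b_dir="$POLICY_DIR/$1"
    [ -f "$a2b_dir/$a2b_mod.te" ] || { echo "a2build: no $a2b_mod.te" >&2; return 1; }
    checkmodule -M -m -o "$a2b_dir/$a2b_mod.mod" "$a2b_dir/$a2b_mod.te" &&
        semodule_package -o "$a2b_dir/$a2b_mod.pp" -m "$a2b_dir/$a2b_mod.mod" &&
        semodule -i "$a2b_dir/$a2b_mod.pp"
}
```

Run as root, the sequence is cAuditLog, repeat the blocked action, a2y, a2a libvirt, read local_libvirt.te, then a2build libvirt.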