[Bug 1216903] New: SELinux: policy update broke kvm network autostart
https://bugzilla.suse.com/show_bug.cgi?id=1216903

            Bug ID: 1216903
           Summary: SELinux: policy update broke kvm network autostart
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: jsegitz@suse.com
          Reporter: rfrohl@suse.com
        QA Contact: qa-bugs@suse.de
                CC: cathy.hu@suse.com
  Target Milestone: ---
          Found By: ---
           Blocker: ---

Hi,

since the update to selinux-policy: 20231030, KVM network autostart/interaction is broken. If one tries to start the network manually in virsh, the following error is observed:

    virsh # net-start default
    error: Failed to start network default
    error: internal error: Failed to apply firewall rules /sbin/iptables -w --table filter --list-rules: libvirt: error : cannot execute binary /sbin/iptables: Permission denied

with

    virsh # net-info default
    Name:           default
    UUID:           31f53528-0578-4d70-b510-2f50fcf424f0
    Active:         no
    Persistent:     yes
    Autostart:      yes
    Bridge:         virbr0

As a workaround I am using:

    # setenforce 0
    # virsh net-start default
    # setenforce 1

There is only one detail to be observed: if virsh is run before 'setenforce 0', then the above does not work until the system is restarted.

More details: it is not even 'needed' to net-start, any virsh command will trigger the autostart if 'setenforce 0' was issued.

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1216903

Robert Frohl <rfrohl@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |filippo.bonazzi@suse.com

https://bugzilla.suse.com/show_bug.cgi?id=1216903
https://bugzilla.suse.com/show_bug.cgi?id=1216903#c2

--- Comment #2 from Robert Frohl <rfrohl@suse.com> ---
Not 100% sure if the policy is at fault or something changed while the policy was updated. Issue was observed before the newest libvirt release (i.e. 20231103 -> libvirt 9.9.0)

https://bugzilla.suse.com/show_bug.cgi?id=1216903
https://bugzilla.suse.com/show_bug.cgi?id=1216903#c3

--- Comment #3 from Robert Frohl <rfrohl@suse.com> ---
community spotted the issue first:
https://forums.opensuse.org/t/latest-update-in-microos-results-in-kvm-failur...

https://bugzilla.suse.com/show_bug.cgi?id=1216903
https://bugzilla.suse.com/show_bug.cgi?id=1216903#c16

--- Comment #16 from OBSbugzilla Bot <bwiedemann+obsbugzillabot@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (1216903) was mentioned in
https://build.opensuse.org/request/show/1157662 Factory / selinux-policy