Policy doesn’t allow access to files with SELinux type var_lib_t which are actually symlinks.
One option is to relabel the datastores directories to the more suitable virt_image_t, e.g.:
semanage fcontext -a -t virt_image_t '/var/lib/one/datastores(/.*)?'
restorecon -Rv /var/lib/one/datastores/
In your case, this probably won’t be enough, so you should also do the same for the custom location you are symlinking to.
The other option is to make a custom module, which allows reading var_lib_t files even if they are symlinks. For example:
# cat <<EOF >opennebula.te
module opennebula 1.0;
require {
type svirt_t;
type var_lib_t;
class lnk_file read;
}
#============= svirt_t ==============
#!!!! WARNING: 'var_lib_t' is a base type.
allow svirt_t var_lib_t:lnk_file read;
EOF
# checkmodule -M -m -o opennebula.mod opennebula.te
# semodule_package -o opennebula.pp -m opennebula.mod
# semodule -i opennebula.pp
Best regards,
Vlastimil
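
The reply's advice to label the symlinked location as well, as an added example that is not part of the original post: a dry-run helper that finds where the symlinks under the datastores directory really point and prints the same two commands for each target. The function names are hypothetical, and the script only prints the commands so they can be reviewed before being run as root.

```bash
#!/bin/sh
# Added example (not from the original reply). Dry run: prints commands only.

# Print the unique resolved targets of every symlink found under $1.
datastore_symlink_targets() {
    {
        # If the datastores directory is itself a symlink, include its target.
        if [ -L "$1" ]; then readlink -f -- "$1"; fi
        # -P: do not follow links while walking; dangling links are skipped.
        find -P "$1/" -type l -exec sh -c \
            'for l; do [ -e "$l" ] && readlink -f -- "$l"; done' sh {} + 2>/dev/null
    } | sort -u
}

# Print a semanage/restorecon pair for each target outside the tree at $1.
relabel_commands() {
    real_root=$(readlink -f -- "$1") || real_root=$1
    datastore_symlink_targets "$1" | while IFS= read -r target; do
        case "$target" in
            # Already matched by the '/var/lib/one/datastores(/.*)?' rule.
            "$real_root"|"$real_root"/*) continue ;;
        esac
        # fcontext specs are regexes: a path containing regex
        # metacharacters has to be escaped by hand before use.
        printf "semanage fcontext -a -t virt_image_t '%s(/.*)?'\n" "$target"
        printf "restorecon -Rv '%s'\n" "$target"
    done
}

# Usage: sh relabel-targets.sh /var/lib/one/datastores
if [ "$#" -gt 0 ]; then
    relabel_commands "$1"
fi
```
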