docs: Document SELinux caveats when migrating over UNIX sockets

The information about sockets having different label than the one on the file
and the way it needs to be set is very difficult to find for those who did not
come across it before.  Let's describe what needs to happen in order for the
migration to go through rather than rely on general knowledge of others.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>

docs/manpages/virsh.rst

@@ -3340,7 +3340,12 @@ migrating disks.  This can be *tcp://address:port* to specify a listen address
 UNIX socket with that specified path.  In this case you need to make sure the
 same socket path is accessible to both source and destination hypervisors and
 connecting to the socket on the source (after hypervisor creates it on the
-destination) will actually connect to the destination.
+destination) will actually connect to the destination. If you are using SELinux
+(at least on the source host) you need to make sure the socket on the source is
+accessible to libvirtd/QEMU for connection.  Libvirt cannot change the context
+of the existing socket because it is different from the file representation of
+the socket and the context is chosen by its creator (usually by using
+*setsockcreatecon{,_raw}()* functions).
 
 
 migrate-compcache

docs/migration.html.in

@@ -677,6 +677,15 @@ virsh migrate --domain web1 [--p2p] --copy-storage-all
   --disks-uri unix:///tmp/migdir/test-sock-nbd
     </pre>
 
+    <p>
+      One caveat is that on SELinux-enabled systems all the sockets that the
+      hypervisor is going to connect to needs to have the proper context and
+      that is chosen before its creation by the process that creates it.  That
+      is usually done by using <code>setsockcreatecon{,raw}()</code> functions.
+      Generally *system_r:system_u:svirt_socket_t:s0* should do the trick, but
+      check the SELinux rules and settings of your system.
+    </p>
+
     <p>
       Supported by QEMU driver
     </p>