svirt_tcg_selinux(8)       SELinux Policy svirt_tcg       svirt_tcg_selinux(8)

NAME

       svirt_tcg_selinux - Security Enhanced Linux Policy for the svirt_tcg
       processes


DESCRIPTION

       Security-Enhanced Linux secures the svirt_tcg processes via flexible
       mandatory access control.

       The svirt_tcg processes execute with the svirt_tcg_t SELinux type. You
       can check whether you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep svirt_tcg_t


ENTRYPOINTS

       The svirt_tcg_t SELinux type can be entered via the qemu_exec_t file
       type.

       The default entrypoint paths for the svirt_tcg_t domain are the
       following:

       /usr/libexec/qemu.*, /usr/bin/qemu-system-.*, /usr/bin/qemu,
       /usr/bin/qemu-kvm


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       svirt_tcg policy is very flexible, allowing users to set up their
       svirt_tcg processes in as secure a manner as possible.

       The following process types are defined for svirt_tcg:

       svirt_tcg_t

       Note: semanage permissive -a svirt_tcg_t can be used to make the
       process type svirt_tcg_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.


MCS Constrained

       The SELinux process type svirt_tcg_t is an MCS (Multi Category
       Security) constrained type. Sometimes this separation is referred to as
       sVirt. These types are usually used for securing multi-tenant
       environments, such as virtualization, containers or separation of
       users. The tools used to launch MCS types pick out a different MCS
       label for each process group.

       For example, one process might be launched with svirt_tcg_t:s0:c1,c2,
       and another process launched with svirt_tcg_t:s0:c3,c4. The SELinux
       kernel only allows these processes to write to content with a matching
       MCS label, or an MCS label of s0. A process running with the MCS level
       of s0:c1,c2 is not allowed to write to content with the MCS label of
       s0:c3,c4.

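       The ps -Z check from DESCRIPTION and the MCS write rule above, as an
       added shell example that is not part of the sepolicy-generated page:
       it pulls the MCS level out of a full context, lists svirt_tcg_t
       processes from constructed ps -eZ output, and decides whether a
       process level may write a given file label under the rule stated here
       (matching categories, or a target label of plain s0).

```shell
#!/bin/sh
# Added example, not from the sepolicy-generated man page.
# Contexts look like user:role:type:s0:c1,c2 ; the MCS level is everything
# from the fourth colon-separated field onward (s0 alone if absent).
mcs_level() {
    printf '%s\n' "$1" | awk -F: '{
        if (NF < 4) { print "s0"; next }
        s = $4; for (i = 5; i <= NF; i++) s = s ":" $i; print s }'
}

# mcs_can_write PROC_CTX FILE_CTX: succeeds (exit 0) only when the file
# carries the same MCS label as the process, or the categoryless level s0.
mcs_can_write() {
    p=$(mcs_level "$1"); f=$(mcs_level "$2")
    [ "$f" = "s0" ] || [ "$p" = "$f" ]
}

# Constructed sample of "ps -eZ" output (sample data, not a real host).
PS_SAMPLE='LABEL                                     PID TTY          TIME CMD
system_u:system_r:svirt_tcg_t:s0:c1,c2   2301 ?        00:00:03 qemu-system-x86
system_u:system_r:svirt_tcg_t:s0:c3,c4   2345 ?        00:00:02 qemu-system-x86
system_u:system_r:virtd_t:s0-s0:c0.c1023 1800 ?        00:00:01 libvirtd'

# list_svirt_tcg: print "PID CONTEXT" for every svirt_tcg_t process.
list_svirt_tcg() {
    printf '%s\n' "$PS_SAMPLE" | awk '$1 ~ /:svirt_tcg_t:/ { print $2, $1 }'
}

# Stand-alone demo: which guest may write an image labelled for c1,c2?
list_svirt_tcg | while read -r pid ctx; do
    if mcs_can_write "$ctx" system_u:object_r:svirt_image_t:s0:c1,c2; then
        echo "pid $pid ($(mcs_level "$ctx")): write allowed"
    else
        echo "pid $pid ($(mcs_level "$ctx")): write denied"
    fi
done
```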

BOOLEANS

       SELinux policy is customizable based on least access required.
       svirt_tcg policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run svirt_tcg with the tightest
       access possible.

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow confined virtual guests to use executable memory
       and executable stack, you must turn on the virt_use_execmem boolean.
       Disabled by default.

       setsebool -P virt_use_execmem 1

       If you want to allow confined virtual guests to interact with rawip
       sockets, you must turn on the virt_use_rawip boolean. Disabled by
       default.

       setsebool -P virt_use_rawip 1


MANAGED FILES

       The SELinux process type svirt_tcg_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       anon_inodefs_t

       cifs_t

       dosfs_t

       fusefs_t

            /var/run/user/[^/]*/gvfs

       glusterd_var_run_t

            /var/run/gluster(/.*)?
            /var/run/glusterd.*
            /var/run/glusterd(/.*)?

       nfs_t

       qemu_var_run_t

            /var/lib/libvirt/qemu(/.*)?
            /var/run/libvirt/qemu(/.*)?

       svirt_home_t

            /home/[^/]+/.libvirt/qemu(/.*)?
            /home/[^/]+/.cache/libvirt/qemu(/.*)?
            /home/[^/]+/.config/libvirt/qemu(/.*)?
            /home/[^/]+/.local/share/libvirt/boot(/.*)?
            /home/[^/]+/.local/share/libvirt/images(/.*)?
            /home/[^/]+/.local/share/gnome-boxes/images(/.*)?

       svirt_image_t

       svirt_tmp_t

       svirt_tmpfs_t

       usbfs_t

       virt_cache_t

            /var/cache/oz(/.*)?
            /var/cache/libvirt(/.*)?


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), svirt_tcg(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)

svirt_tcg                          19-10-08               svirt_tcg_selinux(8)