1virtd_selinux(8)             SELinux Policy virtd             virtd_selinux(8)
2
3
4

NAME

6       virtd_selinux - Security Enhanced Linux Policy for the virtd processes
7

DESCRIPTION

9       Security-Enhanced Linux secures the virtd processes via flexible manda‐
10       tory access control.
11
12       The virtd processes execute with the  virtd_t  SELinux  type.  You  can
13       check  if  you have these processes running by executing the ps command
14       with the -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep virtd_t
19
20
21

ENTRYPOINTS

23       The virtd_t SELinux type can be entered via the virtd_exec_t file type.
24
25       The default entrypoint paths for the virtd_t domain are the following:
26
27       /usr/lib/virt-sysprep/firstboot.sh,  /usr/bin/virt-who,   /usr/bin/img‐
28       fac.py,  /usr/sbin/libvirtd,  /usr/share/vdsm/vdsm,  /usr/bin/imagefac‐
29       tory,          /usr/bin/nova-compute,          /usr/bin/qemu-pr-helper,
30       /usr/share/vdsm/respawn, /usr/bin/vios-proxy-host, /usr/sbin/condor_vm-
31       gahp,     /usr/bin/vios-proxy-guest,     /usr/share/vdsm/daemonAdapter,
32       /usr/share/vdsm/supervdsmServer
33

PROCESS TYPES

35       SELinux defines process types (domains) for each process running on the
36       system
37
38       You can see the context of a process using the -Z option to ps
39
40       Policy governs the access confined processes have  to  files.   SELinux
41       virtd  policy is very flexible allowing users to setup their virtd pro‐
42       cesses in as secure a method as possible.
43
44       The following process types are defined for virtd:
45
46       virtd_t, virt_qmf_t, virt_bridgehelper_t, virt_qemu_ga_t, virtd_lxc_t, virt_qemu_ga_unconfined_t
47
48       Note: semanage permissive -a virtd_t can be used to  make  the  process
49       type  virtd_t  permissive.  SELinux  does not deny access to permissive
50       process types, but the AVC (SELinux denials) messages are still  gener‐
51       ated.
52
53

BOOLEANS

55       SELinux  policy  is customizable based on least access required.  virtd
56       policy is extremely flexible and has several booleans that allow you to
57       manipulate the policy and run virtd with the tightest access possible.
58
59
60
61       If  you want to allow virtual processes to run as userdomains, you must
62       turn on the virt_transition_userdomain boolean. Disabled by default.
63
64       setsebool -P virt_transition_userdomain 1
65
66
67
68       If you want to allow confined virtual guests to manage nfs  files,  you
69       must turn on the virt_use_nfs boolean. Disabled by default.
70
71       setsebool -P virt_use_nfs 1
72
73
74
75       If  you want to allow confined virtual guests to manage cifs files, you
76       must turn on the virt_use_samba boolean. Disabled by default.
77
78       setsebool -P virt_use_samba 1
79
80
81
82       If you want to allow users to resolve user passwd entries directly from
83       ldap  rather  then  using  a  sssd server, you must turn on the authlo‐
84       gin_nsswitch_use_ldap boolean. Disabled by default.
85
86       setsebool -P authlogin_nsswitch_use_ldap 1
87
88
89
90       If you want to deny user domains applications to map a memory region as
91       both  executable  and  writable,  this  is dangerous and the executable
92       should be reported in bugzilla, you must turn on the deny_execmem bool‐
93       ean. Enabled by default.
94
95       setsebool -P deny_execmem 1
96
97
98
99       If you want to allow all domains to execute in fips_mode, you must turn
100       on the fips_mode boolean. Enabled by default.
101
102       setsebool -P fips_mode 1
103
104
105
106       If you want to allow confined applications to run  with  kerberos,  you
107       must turn on the kerberos_enabled boolean. Disabled by default.
108
109       setsebool -P kerberos_enabled 1
110
111
112
113       If  you  want  to control the ability to mmap a low area of the address
114       space, as configured by /proc/sys/vm/mmap_min_addr, you  must  turn  on
115       the mmap_low_allowed boolean. Disabled by default.
116
117       setsebool -P mmap_low_allowed 1
118
119
120
121       If  you  want  to  allow  system  to run with NIS, you must turn on the
122       nis_enabled boolean. Disabled by default.
123
124       setsebool -P nis_enabled 1
125
126
127
128       If you want to allow confined applications to use nscd  shared  memory,
129       you must turn on the nscd_use_shm boolean. Disabled by default.
130
131       setsebool -P nscd_use_shm 1
132
133
134
135       If  you  want  to  disable  kernel module loading, you must turn on the
136       secure_mode_insmod boolean. Enabled by default.
137
138       setsebool -P secure_mode_insmod 1
139
140
141
142       If you want to allow unconfined executables to make their  heap  memory
143       executable.   Doing  this  is  a  really bad idea. Probably indicates a
144       badly coded executable, but could indicate an attack.  This  executable
145       should   be   reported  in  bugzilla,  you  must  turn  on  the  selin‐
146       uxuser_execheap boolean. Disabled by default.
147
148       setsebool -P selinuxuser_execheap 1
149
150
151
152       If you want to allow unconfined executables to make  their  stack  exe‐
153       cutable.   This  should  never, ever be necessary. Probably indicates a
154       badly coded executable, but could indicate an attack.  This  executable
155       should  be reported in bugzilla, you must turn on the selinuxuser_exec‐
156       stack boolean. Disabled by default.
157
158       setsebool -P selinuxuser_execstack 1
159
160
161

PORT TYPES

163       SELinux defines port types to represent TCP and UDP ports.
164
165       You can see the types associated with a port  by  using  the  following
166       command:
167
168       semanage port -l
169
170
171       Policy  governs  the  access  confined  processes  have to these ports.
172       SELinux virtd policy is very flexible allowing  users  to  setup  their
173       virtd processes in as secure a method as possible.
174
175       The following port types are defined for virtd:
176
177
178       virt_migration_port_t
179
180
181
182       Default Defined Ports:
183                 tcp 49152-49216
184
185
186       virt_port_t
187
188
189
190       Default Defined Ports:
191                 tcp 16509,16514
192                 udp 16509,16514
193

MANAGED FILES

195       The SELinux process type virtd_t can manage files labeled with the fol‐
196       lowing file types.  The paths listed are the default  paths  for  these
197       file types.  Note the processes UID still need to have DAC permissions.
198
199       file_type
200
201            all files on the system
202
203

FILE CONTEXTS

205       SELinux requires files to have an extended attribute to define the file
206       type.
207
208       You can see the context of a file using the -Z option to ls
209
210       Policy governs the access  confined  processes  have  to  these  files.
211       SELinux  virtd  policy  is  very flexible allowing users to setup their
212       virtd processes in as secure a method as possible.
213
214       STANDARD FILE CONTEXT
215
216       SELinux defines the file context types for the virtd, if you wanted  to
217       store  files  with  these types in a diffent paths, you need to execute
218       the semanage command  to  sepecify  alternate  labeling  and  then  use
219       restorecon to put the labels on disk.
220
221       semanage fcontext -a -t virtd_keytab_t '/srv/myvirtd_content(/.*)?'
222       restorecon -R -v /srv/myvirtd_content
223
224       Note:  SELinux  often  uses  regular expressions to specify labels that
225       match multiple files.
226
227       The following file types are defined for virtd:
228
229
230
231       virtd_exec_t
232
233       - Set files with the virtd_exec_t type, if you want  to  transition  an
234       executable to the virtd_t domain.
235
236
237       Paths:
238            /usr/lib/virt-sysprep/firstboot.sh,             /usr/bin/virt-who,
239            /usr/bin/imgfac.py,   /usr/sbin/libvirtd,    /usr/share/vdsm/vdsm,
240            /usr/bin/imagefactory,   /usr/bin/nova-compute,  /usr/bin/qemu-pr-
241            helper,     /usr/share/vdsm/respawn,     /usr/bin/vios-proxy-host,
242            /usr/sbin/condor_vm-gahp,               /usr/bin/vios-proxy-guest,
243            /usr/share/vdsm/daemonAdapter, /usr/share/vdsm/supervdsmServer
244
245
246       virtd_initrc_exec_t
247
248       - Set files with the virtd_initrc_exec_t type, if you want  to  transi‐
249       tion an executable to the virtd_initrc_t domain.
250
251
252
253       virtd_keytab_t
254
255       -  Set  files  with  the  virtd_keytab_t type, if you want to treat the
256       files as kerberos keytab files.
257
258
259
260       virtd_lxc_exec_t
261
262       - Set files with the virtd_lxc_exec_t type, if you want  to  transition
263       an executable to the virtd_lxc_t domain.
264
265
266
267       virtd_unit_file_t
268
269       -  Set  files with the virtd_unit_file_t type, if you want to treat the
270       files as virtd unit content.
271
272
273       Paths:
274            /usr/lib/systemd/system/.*xen.*.service,     /usr/lib/systemd/sys‐
275            tem/virt.*.service, /usr/lib/systemd/system/libvirt.*.service
276
277
278       Note:  File context can be temporarily modified with the chcon command.
279       If you want to permanently change the file context you need to use  the
280       semanage fcontext command.  This will modify the SELinux labeling data‐
281       base.  You will need to use restorecon to apply the labels.
282
283

COMMANDS

285       semanage fcontext can also be used to manipulate default  file  context
286       mappings.
287
288       semanage  permissive  can  also  be used to manipulate whether or not a
289       process type is permissive.
290
291       semanage module can also be used to enable/disable/install/remove  pol‐
292       icy modules.
293
294       semanage port can also be used to manipulate the port definitions
295
296       semanage boolean can also be used to manipulate the booleans
297
298
299       system-config-selinux is a GUI tool available to customize SELinux pol‐
300       icy settings.
301
302

AUTHOR

304       This manual page was auto-generated using sepolicy manpage .
305
306

SEE ALSO

308       selinux(8),  virtd(8),  semanage(8),  restorecon(8),  chcon(1),  sepol‐
309       icy(8),           setsebool(8),           virt_bridgehelper_selinux(8),
310       virt_qemu_ga_selinux(8),            virt_qemu_ga_unconfined_selinux(8),
311       virt_qmf_selinux(8), virtd_lxc_selinux(8)
312
313
314
315virtd                              19-12-02                   virtd_selinux(8)
Impressum