virt_qemu_ga_selinux(8)   SELinux Policy virt_qemu_ga  virt_qemu_ga_selinux(8)


NAME

       virt_qemu_ga_selinux - Security Enhanced Linux Policy for the
       virt_qemu_ga processes


DESCRIPTION

       Security-Enhanced Linux secures the virt_qemu_ga processes via flexible
       mandatory access control.

       The virt_qemu_ga processes execute with the virt_qemu_ga_t SELinux
       type. You can check if you have these processes running by executing
       the ps command with the -Z qualifier.

       For example:

       ps -eZ | grep virt_qemu_ga_t


ENTRYPOINTS

       The virt_qemu_ga_t SELinux type can be entered via the
       virt_qemu_ga_exec_t file type.

       The default entrypoint paths for the virt_qemu_ga_t domain are the
       following:

       /usr/libexec/qemu-ga(/.*)?, /usr/bin/qemu-ga


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       virt_qemu_ga policy is very flexible, allowing users to set up their
       virt_qemu_ga processes in as secure a manner as possible.

       The following process types are defined for virt_qemu_ga:

       virt_qemu_ga_t, virt_qemu_ga_unconfined_t

       Note: semanage permissive -a virt_qemu_ga_t can be used to make the
       process type virt_qemu_ga_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denials) messages are
       still generated.


BOOLEANS

       SELinux policy is customizable based on least access required.
       virt_qemu_ga policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run virt_qemu_ga with the
       tightest access possible.

       If you want to allow qemu-ga to read ssh home directory content, you
       must turn on the virt_qemu_ga_manage_ssh boolean. Disabled by default.

       setsebool -P virt_qemu_ga_manage_ssh 1

       If you want to allow qemu-ga to read all non-security file types, you
       must turn on the virt_qemu_ga_read_nonsecurity_files boolean. Disabled
       by default.

       setsebool -P virt_qemu_ga_read_nonsecurity_files 1

       If you want to allow qemu-ga to run unconfined scripts, you must turn
       on the virt_qemu_ga_run_unconfined boolean. Disabled by default.

       setsebool -P virt_qemu_ga_run_unconfined 1

       If you want to dontaudit all daemons scheduling requests (setsched,
       sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
       Enabled by default.

       setsebool -P daemons_dontaudit_scheduling 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to allow the system to run with NIS, you must turn on the
       nis_enabled boolean. Disabled by default.

       setsebool -P nis_enabled 1

       If you want to allow qemu-ga to read qemu-ga data, you must turn on the
       virt_read_qemu_ga_data boolean. Disabled by default.

       setsebool -P virt_read_qemu_ga_data 1

       If you want to allow qemu-ga to manage qemu-ga data, you must turn on
       the virt_rw_qemu_ga_data boolean. Disabled by default.

       setsebool -P virt_rw_qemu_ga_data 1

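       The following is an added example, not part of this generated manual
       page: a shell check that reads getsebool -a style output and reports
       which of the booleans above that widen what virt_qemu_ga_t may do are
       currently on. Which booleans count as risky, and the sample input, are
       assumptions made for the example.

```shell
# Added example, not policy code: report which access-widening virt_qemu_ga
# booleans are on. RISKY_BOOLEANS is an assumption: the three booleans above
# that let qemu-ga read ssh keys, read most files, or run unconfined scripts.
RISKY_BOOLEANS="virt_qemu_ga_manage_ssh virt_qemu_ga_read_nonsecurity_files virt_qemu_ga_run_unconfined"

# Read "name --> on|off" lines on stdin (the format getsebool -a prints).
# Print one line per risky boolean that is on, with the command that reverts
# it, and return 1 if any was found so the check can fail a compliance run.
audit_qemu_ga_booleans() {
  found=0
  while read -r name arrow state; do
    [ "$arrow" = "-->" ] || continue
    for risky in $RISKY_BOOLEANS; do
      if [ "$name" = "$risky" ] && [ "$state" = "on" ]; then
        printf '%s is on; revert with: setsebool -P %s 0\n' "$name" "$name"
        found=1
      fi
    done
  done
  return $found
}

# Constructed sample of getsebool -a output (only the relevant lines).
SAMPLE_GETSEBOOL='fips_mode --> on
virt_qemu_ga_manage_ssh --> off
virt_qemu_ga_read_nonsecurity_files --> on
virt_qemu_ga_run_unconfined --> on
virt_read_qemu_ga_data --> off
virt_rw_qemu_ga_data --> on'

# On a real host run: getsebool -a | audit_qemu_ga_booleans
if printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_qemu_ga_booleans; then
  echo "no risky virt_qemu_ga boolean is on"
fi
```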

MANAGED FILES

       The SELinux process type virt_qemu_ga_t can manage files labeled with
       the following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs to have DAC
       permissions.

       cluster_conf_t

            /etc/cluster(/.*)?

       cluster_var_lib_t

            /var/lib/pcsd(/.*)?
            /var/lib/cluster(/.*)?
            /var/lib/openais(/.*)?
            /var/lib/pengine(/.*)?
            /var/lib/corosync(/.*)?
            /usr/lib/heartbeat(/.*)?
            /var/lib/heartbeat(/.*)?
            /var/lib/pacemaker(/.*)?

       cluster_var_run_t

            /var/run/crm(/.*)?
            /var/run/cman_.*
            /var/run/rsctmp(/.*)?
            /var/run/aisexec.*
            /var/run/heartbeat(/.*)?
            /var/run/pcsd-ruby.socket
            /var/run/corosync-qnetd(/.*)?
            /var/run/corosync-qdevice(/.*)?
            /var/run/corosync.pid
            /var/run/cpglockd.pid
            /var/run/rgmanager.pid
            /var/run/cluster/rgmanager.sk

       devicekit_var_run_t

            /var/run/udisks.*
            /var/run/devkit(/.*)?
            /var/run/upower(/.*)?
            /var/run/pm-utils(/.*)?
            /var/run/DeviceKit-disks(/.*)?

       krb5_host_rcache_t

            /var/tmp/krb5_0.rcache2
            /var/cache/krb5rcache(/.*)?
            /var/tmp/nfs_0
            /var/tmp/DNS_25
            /var/tmp/host_0
            /var/tmp/imap_0
            /var/tmp/HTTP_23
            /var/tmp/HTTP_48
            /var/tmp/ldap_55
            /var/tmp/ldap_487
            /var/tmp/ldapmap1_0

       root_t

            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
            /
            /initrd

       ssh_home_t

            /var/lib/[^/]+/.ssh(/.*)?
            /root/.ssh(/.*)?
            /var/lib/one/.ssh(/.*)?
            /var/lib/pgsql/.ssh(/.*)?
            /var/lib/openshift/[^/]+/.ssh(/.*)?
            /var/lib/amanda/.ssh(/.*)?
            /var/lib/stickshift/[^/]+/.ssh(/.*)?
            /var/lib/gitolite/.ssh(/.*)?
            /var/lib/nocpulse/.ssh(/.*)?
            /var/lib/gitolite3/.ssh(/.*)?
            /var/lib/openshift/gear/[^/]+/.ssh(/.*)?
            /root/.shosts
            /home/[^/]+/.ssh(/.*)?
            /home/[^/]+/.ansible/cp/.*
            /home/[^/]+/.shosts

       sysfs_t

            /sys(/.*)?

       systemd_passwd_var_run_t

            /var/run/systemd/ask-password(/.*)?
            /var/run/systemd/ask-password-block(/.*)?

       virt_qemu_ga_data_t


       virt_qemu_ga_log_t

            /var/log/qemu-ga(/.*)?
            /var/log/qemu-ga.log.*

       virt_qemu_ga_tmp_t


       virt_qemu_ga_var_run_t

            /var/run/qga.state
            /var/run/qemu-ga.pid


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux virt_qemu_ga policy is very flexible, allowing users to set up
       their virt_qemu_ga processes in as secure a manner as possible.

       EQUIVALENCE DIRECTORIES

       virt_qemu_ga policy stores data with multiple different file context
       types under the /var/log/qemu-ga directory. If you would like to store
       the data in a different directory you can use the semanage command to
       create an equivalence mapping. If you wanted to store this data under
       the /srv directory you would execute the following command:

       semanage fcontext -a -e /var/log/qemu-ga /srv/qemu-ga
       restorecon -R -v /srv/qemu-ga

       STANDARD FILE CONTEXT

       SELinux defines the file context types for virt_qemu_ga. If you wanted
       to store files with these types in a different path, you need to
       execute the semanage command to specify the alternate labeling and then
       use restorecon to put the labels on disk.

       semanage fcontext -a -t virt_qemu_ga_exec_t '/srv/virt_qemu_ga/content(/.*)?'
       restorecon -R -v /srv/virt_qemu_ga/content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for virt_qemu_ga:

       virt_qemu_ga_data_t

       - Set files with the virt_qemu_ga_data_t type, if you want to treat the
       files as virt qemu ga content.

       virt_qemu_ga_exec_t

       - Set files with the virt_qemu_ga_exec_t type, if you want to
       transition an executable to the virt_qemu_ga_t domain.

       Paths:
            /usr/libexec/qemu-ga(/.*)?, /usr/bin/qemu-ga

       virt_qemu_ga_log_t

       - Set files with the virt_qemu_ga_log_t type, if you want to treat the
       data as virt qemu ga log data, usually stored under the /var/log
       directory.

       Paths:
            /var/log/qemu-ga(/.*)?, /var/log/qemu-ga.log.*

       virt_qemu_ga_tmp_t

       - Set files with the virt_qemu_ga_tmp_t type, if you want to store virt
       qemu ga temporary files in the /tmp directories.

       virt_qemu_ga_unconfined_exec_t

       - Set files with the virt_qemu_ga_unconfined_exec_t type, if you want
       to transition an executable to the virt_qemu_ga_unconfined_t domain.

       Paths:
            /etc/qemu-ga/fsfreeze-hook.d(/.*)?, /var/run/qemu-ga/fsfreeze-hook.d(/.*)?,
            /usr/libexec/qemu-ga/fsfreeze-hook.d(/.*)?

       virt_qemu_ga_var_run_t

       - Set files with the virt_qemu_ga_var_run_t type, if you want to store
       the virt qemu ga files under the /run or /var/run directory.

       Paths:
            /var/run/qga.state, /var/run/qemu-ga.pid

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

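       The following is an added example, not part of this generated manual
       page: a shell check that compares the on-disk type of qemu-ga paths,
       read from ls -Z style lines, against the type the file contexts above
       assign, which catches a hook script copied into fsfreeze-hook.d
       without restorecon. The function names and the sample lines are
       assumptions made for the example.

```shell
# Added example, not policy code: flag qemu-ga paths whose on-disk SELinux
# type differs from the type the virt_qemu_ga file contexts assign.
# Return 0 if path $2 fully matches extended regex $1 (file context patterns
# are anchored at both ends, which is how matchpathcon treats them).
fc_match() { printf '%s\n' "$2" | grep -Eq "^($1)\$"; }
# Print the type the virt_qemu_ga file contexts give $1, or "none". The
# fsfreeze-hook.d patterns come first: the most specific context wins, so a
# hook under /usr/libexec/qemu-ga is unconfined_exec_t, not virt_qemu_ga_exec_t.
expected_qemu_ga_type() {
  if fc_match '/etc/qemu-ga/fsfreeze-hook\.d(/.*)?|/var/run/qemu-ga/fsfreeze-hook\.d(/.*)?|/usr/libexec/qemu-ga/fsfreeze-hook\.d(/.*)?' "$1"; then
    echo virt_qemu_ga_unconfined_exec_t
  elif fc_match '/usr/libexec/qemu-ga(/.*)?|/usr/bin/qemu-ga' "$1"; then
    echo virt_qemu_ga_exec_t
  elif fc_match '/var/log/qemu-ga(/.*)?|/var/log/qemu-ga\.log.*' "$1"; then
    echo virt_qemu_ga_log_t
  elif fc_match '/var/run/qga\.state|/var/run/qemu-ga\.pid' "$1"; then
    echo virt_qemu_ga_var_run_t
  else
    echo none
  fi
}
# Read "context path" lines on stdin (as ls -Z prints them); print
# "path actual expected" for each mismatch and return 1 if any was found.
check_qemu_ga_labels() {
  bad=0
  while read -r ctx path; do
    [ -n "$path" ] || continue
    rest=${ctx#*:*:}            # drop the user and role fields
    actual=${rest%%:*}          # keep the type, drop the MLS level
    want=$(expected_qemu_ga_type "$path")
    if [ "$want" != none ] && [ "$actual" != "$want" ]; then
      printf '%s %s %s\n' "$path" "$actual" "$want"
      bad=1
    fi
  done
  return $bad
}
# Constructed sample: a hook copied from /tmp without restorecon, and a
# rotated log that kept the generic var_log_t label.
SAMPLE_LS_Z='system_u:object_r:virt_qemu_ga_exec_t:s0 /usr/bin/qemu-ga
system_u:object_r:virt_qemu_ga_unconfined_exec_t:s0 /etc/qemu-ga/fsfreeze-hook.d/10-backup
unconfined_u:object_r:user_tmp_t:s0 /etc/qemu-ga/fsfreeze-hook.d/50-local
system_u:object_r:var_log_t:s0 /var/log/qemu-ga.log.1
system_u:object_r:virt_qemu_ga_var_run_t:s0 /var/run/qemu-ga.pid'
# On a real host: ls -Z /etc/qemu-ga/fsfreeze-hook.d/* | check_qemu_ga_labels
if printf '%s\n' "$SAMPLE_LS_Z" | check_qemu_ga_labels; then echo "labels match policy"; fi
```

       A mismatch reported for a file under fsfreeze-hook.d is worth a look
       before running restorecon, since whatever ends up labeled
       virt_qemu_ga_unconfined_exec_t there runs unconfined.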

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), virt_qemu_ga(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), virt_qemu_ga_unconfined_selinux(8)



virt_qemu_ga                       23-10-20            virt_qemu_ga_selinux(8)