qemu_selinux(8)              SELinux Policy qemu              qemu_selinux(8)

NAME
       qemu_selinux - Security Enhanced Linux Policy for the qemu processes

DESCRIPTION
       Security-Enhanced Linux secures the qemu processes via flexible
       mandatory access control.

       The qemu processes execute with the qemu_t SELinux type. You can check
       whether any such processes are running by executing the ps command
       with the -Z qualifier.

       For example:

              ps -eZ | grep qemu_t

ENTRYPOINTS
       The qemu_t SELinux type can be entered via the qemu_exec_t file type.

       The default entrypoint paths for the qemu_t domain are the following:

              /usr/libexec/qemu.*, /usr/bin/qemu-system-.*, /usr/bin/qemu,
              /usr/bin/qemu-kvm

PROCESS TYPES
       SELinux defines process types (domains) for each process running on
       the system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       qemu policy is very flexible, allowing users to set up their qemu
       processes in as secure a manner as possible.

       The following process types are defined for qemu:

              qemu_t

       Note: semanage permissive -a qemu_t can be used to make the process
       type qemu_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denial) messages are still
       generated, so the domain can be profiled without breaking running
       guests. While the exemption is in place qemu_t is effectively
       unconfined; remove it again with semanage permissive -d qemu_t once
       the policy has been adjusted.

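       The AVC records a permissive qemu_t produces are the raw material for
       deciding which boolean, file label or local policy module is actually
       needed. The following shell function is an added example and is not
       part of the generated page: it condenses a stream of audit records to
       the distinct object class, permission and target type that qemu_t
       asked for, ignoring every other domain. The four audit records are
       constructed for the example; on a host you would pipe in the output
       of ausearch -m AVC -ts recent or the audit log itself.

```shell
#!/bin/sh
# Added example (not generated by sepolicy): reduce AVC audit records to the
# distinct "<tclass> <permission> <target type>" triples requested by qemu_t.
# Input on stdin: raw audit records, e.g. from
#   ausearch -m AVC -ts recent   or   /var/log/audit/audit.log
# The result is what you review before running audit2allow, or compare
# against the BOOLEANS section to pick the right knob.

summarize_qemu_avcs() {
    # Keep only denial records whose source domain is qemu_t; awk then walks
    # each key=value field, so field order does not matter and extra fields
    # such as permissive=1 are harmless.
    grep -E 'avc: +denied' | grep 'scontext=[^ ]*:qemu_t:' \
    | awk '{
        perms = ""; tclass = ""; ttype = ""; inbrace = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inbrace = 1; continue }
            if ($i == "}") { inbrace = 0; continue }
            if (inbrace) {
                # permissions are the tokens between "{" and "}"
                if (perms == "") perms = $i; else perms = perms "," $i
                continue
            }
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
            if ($i ~ /^tcontext=/) {
                # user:role:type:level - the type is the third colon field
                split(substr($i, 10), ctx, ":"); ttype = ctx[3]
            }
        }
        n = split(perms, p, ",")
        for (j = 1; j <= n; j++) print tclass, p[j], ttype
    }' | sort -u
}

# Constructed sample records (not captured from a real host). Three come from
# a permissive qemu_t, one from httpd_t and must be ignored.
SAMPLE_AVCS='type=AVC msg=audit(1433289600.101:201): avc:  denied  { read open } for  pid=4242 comm="qemu-kvm" path="/srv/images/guest.qcow2" dev="dm-0" ino=262401 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1433289600.102:202): avc:  denied  { read } for  pid=4242 comm="qemu-kvm" path="/srv/images/guest.qcow2" dev="dm-0" ino=262401 scontext=system_u:system_r:qemu_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1433289600.103:203): avc:  denied  { read write } for  pid=4242 comm="qemu-kvm" path="/dev/ttyS0" dev="devtmpfs" ino=1045 scontext=system_u:system_r:qemu_t:s0 tcontext=system_u:object_r:tty_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1433289600.104:204): avc:  denied  { name_connect } for  pid=777 comm="nginx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# Stand-alone run over the sample; on a host replace the printf with ausearch.
printf '%s\n' "$SAMPLE_AVCS" | summarize_qemu_avcs
```

       On the sample the function reports four triples: read and write on a
       tty_device_t chr_file (the qemu_use_comm case above) and read and open
       on a var_t file (a labeling problem, fixed with semanage fcontext
       rather than a boolean). The httpd_t record does not appear.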
BOOLEANS
       SELinux policy is customizable based on the least access required.
       qemu policy is extremely flexible and has several booleans that allow
       you to manipulate the policy and run qemu with the tightest access
       possible. A boolean set with setsebool -P persists across reboots;
       without -P the change lasts only until the next policy reload or
       reboot. Booleans whose names do not start with qemu_ or virt_ are
       system-wide and affect every confined domain, not only qemu_t.

       If you want to allow qemu to connect fully to the network, you must
       turn on the qemu_full_network boolean. Enabled by default.

              setsebool -P qemu_full_network 1

       If you want to allow qemu to use cifs/Samba file systems, you must
       turn on the qemu_use_cifs boolean. Enabled by default.

              setsebool -P qemu_use_cifs 1

       If you want to allow qemu to use serial/parallel communication ports,
       you must turn on the qemu_use_comm boolean. Disabled by default.

              setsebool -P qemu_use_comm 1

       If you want to allow qemu to use nfs file systems, you must turn on
       the qemu_use_nfs boolean. Enabled by default.

              setsebool -P qemu_use_nfs 1

       If you want to allow qemu to use usb devices, you must turn on the
       qemu_use_usb boolean. Enabled by default.

              setsebool -P qemu_use_usb 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

              setsebool -P allow_domain_fd_use 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

              setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

              setsebool -P allow_ptrace 1

       If you want to allow the system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

              setsebool -P allow_ypbind 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

              setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must
       turn on the fips_mode boolean. Enabled by default.

              setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must
       turn on the global_ssp boolean. Disabled by default.

              setsebool -P global_ssp 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

              setsebool -P nscd_use_shm 1

       If you want to allow confined virtual guests to use executable memory
       and executable stack, you must turn on the virt_use_execmem boolean.
       Disabled by default.

              setsebool -P virt_use_execmem 1

       If you want to allow virt to manage nfs files, you must turn on the
       virt_use_nfs boolean. Disabled by default.

              setsebool -P virt_use_nfs 1

       If you want to allow virt to manage cifs files, you must turn on the
       virt_use_samba boolean. Disabled by default.

              setsebool -P virt_use_samba 1

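       Each boolean above either widens what qemu_t may touch or changes the
       behaviour of every confined domain on the host, so the live state is
       worth auditing rather than trusting the defaults. The following script
       is an added example and not part of the generated page: it reads
       getsebool -a output and prints the setsebool -P command for every
       boolean documented here whose state deviates from a baseline. BASELINE
       is an assumption made for the example; on a real host it comes from
       the AVCs your guests actually produce, not from the defaults listed
       above. The getsebool output is constructed so the script runs on a
       machine without SELinux.

```shell
#!/bin/sh
# Added example (not generated by sepolicy): list qemu-related booleans whose
# live state differs from a hardening baseline, and print the setsebool
# command that would correct each one.
# Input on stdin: "name --> on|off" lines exactly as printed by getsebool -a.

# BASELINE is an assumption for this example: the booleans this host keeps on.
# Every other boolean documented on this page is expected to be off.
BASELINE="qemu_full_network qemu_use_nfs nscd_use_shm fips_mode"

# The booleans this manual page documents as affecting qemu_t.
QEMU_BOOLEANS="qemu_full_network qemu_use_cifs qemu_use_comm qemu_use_nfs
qemu_use_usb allow_domain_fd_use allow_kerberos allow_ptrace allow_ypbind
domain_kernel_load_modules fips_mode global_ssp nscd_use_shm
virt_use_execmem virt_use_nfs virt_use_samba"

# in_list NEEDLE "word word ..." -> exit 0 if NEEDLE is one of the words
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# audit_qemu_booleans < getsebool-output
# Prints one remediation per deviation from BASELINE:
#   "setsebool -P NAME 0" for a documented boolean that is on but not in BASELINE
#   "setsebool -P NAME 1" for a BASELINE boolean that is off
audit_qemu_booleans() {
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue              # skip non-getsebool lines
        in_list "$name" "$QEMU_BOOLEANS" || continue  # ignore unrelated booleans
        if [ "$state" = "on" ] && ! in_list "$name" "$BASELINE"; then
            printf 'setsebool -P %s 0\n' "$name"
        elif [ "$state" = "off" ] && in_list "$name" "$BASELINE"; then
            printf 'setsebool -P %s 1\n' "$name"
        fi
    done
}

# Constructed sample of getsebool -a output (not captured from a real host).
# On a live system:  getsebool -a | audit_qemu_booleans
SAMPLE_GETSEBOOL='qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_comm --> on
qemu_use_nfs --> on
qemu_use_usb --> off
allow_ptrace --> off
virt_use_execmem --> on
fips_mode --> off
httpd_can_network_connect --> on'

printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_qemu_booleans
```

       For the sample it prints four commands: turn off qemu_use_cifs,
       qemu_use_comm and virt_use_execmem, and turn fips_mode back on. The
       unrelated httpd boolean is ignored, and nothing is changed until you
       run the printed commands yourself.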
MANAGED FILES
       The SELinux process type qemu_t can manage files labeled with the
       following file types. The paths listed are the default paths for
       these file types. Note that the process's UID still needs DAC
       permission as well: SELinux is checked in addition to, not instead
       of, the ordinary file permissions.

       anon_inodefs_t

       cifs_t

       dosfs_t

       initrc_tmp_t

       mnt_t
              /mnt(/[^/]*)
              /mnt(/[^/]*)?
              /rhev(/[^/]*)?
              /media(/[^/]*)
              /media(/[^/]*)?
              /etc/rhgb(/.*)?
              /media/.hal-.*
              /net
              /afs
              /rhev
              /misc

       nfs_t

       nova_var_lib_t
              /var/lib/nova(/.*)?

       qemu_tmp_t

       qemu_tmpfs_t

       qemu_var_run_t
              /var/lib/libvirt/qemu(/.*)?
              /var/run/libvirt/qemu(/.*)?

       tmp_t
              /tmp
              /usr/tmp
              /var/tmp
              /tmp-inst
              /var/tmp-inst
              /var/tmp/vi.recover

       tmpfs_t
              /dev/shm

       usbfs_t

       virt_cache_t
              /var/cache/oz(/.*)?
              /var/cache/libvirt

       virt_image_type
              all virtual image files (an attribute covering the virtual
              image file types rather than a single type)

       xen_image_t
              /xen(/.*)?
              /var/lib/xen/images(/.*)?

FILE CONTEXTS
       SELinux requires files to have an extended attribute to define the
       file type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux qemu policy is very flexible, allowing users to set up their
       qemu processes in as secure a manner as possible.

   STANDARD FILE CONTEXT
       SELinux defines the file context types for qemu. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

              semanage fcontext -a -t qemu_var_run_t '/srv/myqemu_content(/.*)?'
              restorecon -R -v /srv/myqemu_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files. The expressions are anchored at both ends, so
       the trailing (/.*)? is what makes the rule apply to the directory's
       contents and not only to the directory itself. semanage fcontext -l
       lists the mappings currently in effect.

       The following file types are defined for qemu:

       qemu_exec_t

       - Set files with the qemu_exec_t type if you want to transition an
       executable to the qemu_t domain.

       Paths:
              /usr/libexec/qemu.*, /usr/bin/qemu-system-.*, /usr/bin/qemu,
              /usr/bin/qemu-kvm

       qemu_image_t

       - Set files with the qemu_image_t type if you want to treat the files
       as qemu image data.

       qemu_tmp_t

       - Set files with the qemu_tmp_t type if you want to store qemu
       temporary files in the /tmp directories.

       qemu_tmpfs_t

       - Set files with the qemu_tmpfs_t type if you want to store qemu files
       on a tmpfs file system.

       qemu_var_run_t

       - Set files with the qemu_var_run_t type if you want to store the qemu
       files under the /run or /var/run directory.

       Paths:
              /var/lib/libvirt/qemu(/.*)?, /var/run/libvirt/qemu(/.*)?

       Note: File context can be temporarily modified with the chcon command;
       such a change is lost the next time the file system is relabeled (by
       restorecon, fixfiles, or a relabel on boot). If you want to
       permanently change the file context you need to use the semanage
       fcontext command. This will modify the SELinux labeling database. You
       will then need to use restorecon to apply the labels.

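       Because file_contexts patterns are anchored at both ends, a small
       difference in the regular expression decides whether a directory's
       contents are covered, as the pair /mnt(/[^/]*) and /mnt(/[^/]*)? in
       MANAGED FILES shows. The following shell functions are an added
       example, not from the generated page: they anchor a file-context regex
       the way libselinux does and test candidate paths against it with
       grep -E, which handles the patterns on this page but is only an
       approximation of the regex engine libselinux is built with. The paths
       are constructed; on a live system, matchpathcon PATH or restorecon -nv
       PATH is the authoritative check.

```shell
#!/bin/sh
# Added example (not generated by sepolicy): check which paths a file-context
# regex would label. file_contexts patterns are implicitly anchored at both
# ends; grep -E needs explicit ^ and $. This approximates libselinux matching
# and is adequate for the simple patterns on this page.

# fcontext_matches REGEX PATH -> exit 0 if PATH matches the anchored REGEX
fcontext_matches() {
    printf '%s\n' "$2" | grep -Eq -- "^$1\$"
}

# list_matching REGEX PATH... -> print each PATH that matches REGEX
list_matching() {
    re=$1; shift
    for p in "$@"; do
        fcontext_matches "$re" "$p" && printf '%s\n' "$p"
    done
    return 0
}

# The rule from STANDARD FILE CONTEXT above, against constructed paths.
# Matches the directory and everything below it, but not a sibling whose
# name merely starts with the same characters.
list_matching '/srv/myqemu_content(/.*)?' \
    /srv/myqemu_content /srv/myqemu_content/disk.img \
    /srv/myqemu_content/a/b.img /srv/myqemu_contents
# -> /srv/myqemu_content  /srv/myqemu_content/disk.img  /srv/myqemu_content/a/b.img

# The two mnt_t patterns from MANAGED FILES: the first needs exactly one child
# component, the second also matches /mnt itself; neither descends two levels,
# which is why an image stored at /mnt/iso/guest.img is not labeled mnt_t.
list_matching '/mnt(/[^/]*)'  /mnt /mnt/iso /mnt/iso/guest.img
# -> /mnt/iso
list_matching '/mnt(/[^/]*)?' /mnt /mnt/iso /mnt/iso/guest.img
# -> /mnt  /mnt/iso
```

       Use this to sanity-check a pattern before handing it to semanage
       fcontext -a; a pattern that is too narrow leaves files mislabeled,
       and one that is too wide hands qemu_t access to paths it never needed.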
COMMANDS
       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.

AUTHOR
       This manual page was auto-generated using sepolicy manpage.

SEE ALSO
       selinux(8), qemu(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), getsebool(8)

qemu                              15-06-03                    qemu_selinux(8)