virtd_selinux(8)              SELinux Policy virtd              virtd_selinux(8)

NAME
virtd_selinux - Security Enhanced Linux Policy for the virtd processes

DESCRIPTION
Security-Enhanced Linux secures the virtd processes via flexible mandatory
access control.

The virtd processes execute with the virtd_t SELinux type. You can check if
you have these processes running by executing the ps command with the -Z
qualifier.

For example:

ps -eZ | grep virtd_t

ENTRYPOINTS
The virtd_t SELinux type can be entered via the file_type, unlabeled_t,
proc_type, virtd_exec_t, filesystem_type, mtrr_device_t, sysctl_type file
types.

The default entrypoint paths for the virtd_t domain are the following:

all files on the system, /usr/sbin/libvirtd, /usr/bin/imgfac.py,
/usr/share/vdsm/vdsm, /usr/bin/imagefactory, /usr/bin/nova-compute,
/usr/share/vdsm/respawn, /usr/sbin/condor_vm-gahp, /usr/bin/vios-proxy-host,
/usr/bin/vios-proxy-guest, /usr/share/vdsm/supervdsmServer, /dev/cpu/mtrr

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux virtd
policy is very flexible, allowing users to set up their virtd processes in as
secure a manner as possible.

The following process types are defined for virtd:

virt_qemu_ga_unconfined_t, virtd_lxc_t, virt_qmf_t, virt_qemu_ga_t,
virt_bridgehelper_t, virtd_t

Note: semanage permissive -a virtd_t can be used to make the process type
virtd_t permissive. SELinux does not deny access to permissive process types,
but the AVC (SELinux denials) messages are still generated.

BOOLEANS
SELinux policy is customizable based on least access required. virtd policy
is extremely flexible and has several booleans that allow you to manipulate
the policy and run virtd with the tightest access possible.

If you want to allow virt to manage nfs files, you must turn on the
virt_use_nfs boolean. Disabled by default.

setsebool -P virt_use_nfs 1

If you want to allow virt to manage cifs files, you must turn on the
virt_use_samba boolean. Disabled by default.

setsebool -P virt_use_samba 1

If you want to allow all daemons to write corefiles to /, you must turn on
the allow_daemons_dump_core boolean. Disabled by default.

setsebool -P allow_daemons_dump_core 1

If you want to allow all daemons to use tcp wrappers, you must turn on the
allow_daemons_use_tcp_wrapper boolean. Disabled by default.

setsebool -P allow_daemons_use_tcp_wrapper 1

If you want to allow all daemons the ability to read/write terminals, you
must turn on the allow_daemons_use_tty boolean. Disabled by default.

setsebool -P allow_daemons_use_tty 1

If you want to allow all domains to use other domains' file descriptors, you
must turn on the allow_domain_fd_use boolean. Enabled by default.

setsebool -P allow_domain_fd_use 1

If you want to allow unconfined executables to make their heap memory
executable, you must turn on the allow_execheap boolean. Doing this is a
really bad idea: it probably indicates a badly coded executable, but could
indicate an attack, and the executable should be reported in bugzilla.
Disabled by default.

setsebool -P allow_execheap 1

If you want to allow unconfined executables to map a memory region as both
executable and writable, you must turn on the allow_execmem boolean. This is
dangerous and the executable should be reported in bugzilla. Enabled by
default.

setsebool -P allow_execmem 1

If you want to allow all unconfined executables to use libraries requiring
text relocation that are not labeled textrel_shlib_t, you must turn on the
allow_execmod boolean. Enabled by default.

setsebool -P allow_execmod 1

If you want to allow unconfined executables to make their stack executable,
you must turn on the allow_execstack boolean. This should never, ever be
necessary: it probably indicates a badly coded executable, but could indicate
an attack, and the executable should be reported in bugzilla. Enabled by
default.

setsebool -P allow_execstack 1

If you want to allow confined applications to run with kerberos, you must
turn on the allow_kerberos boolean. Enabled by default.

setsebool -P allow_kerberos 1

If you want to allow sysadm to debug or ptrace all processes, you must turn
on the allow_ptrace boolean. Disabled by default.

setsebool -P allow_ptrace 1

If you want to allow the system to run with NIS, you must turn on the
allow_ypbind boolean. Disabled by default.

setsebool -P allow_ypbind 1

If you want to enable cluster mode for daemons, you must turn on the
daemons_enable_cluster_mode boolean. Disabled by default.

setsebool -P daemons_enable_cluster_mode 1

If you want to allow all domains to have the kernel load modules, you must
turn on the domain_kernel_load_modules boolean. Disabled by default.

setsebool -P domain_kernel_load_modules 1

If you want to allow all domains to execute in fips_mode, you must turn on
the fips_mode boolean. Enabled by default.

setsebool -P fips_mode 1

If you want to enable reading of urandom for all domains, you must turn on
the global_ssp boolean. Disabled by default.

setsebool -P global_ssp 1

If you want to enable support for upstart as the init program, you must turn
on the init_upstart boolean. Enabled by default.

setsebool -P init_upstart 1

If you want to allow certain domains to map low memory in the kernel, you
must turn on the mmap_low_allowed boolean. Disabled by default.

setsebool -P mmap_low_allowed 1

If you want to allow confined applications to use nscd shared memory, you
must turn on the nscd_use_shm boolean. Enabled by default.

setsebool -P nscd_use_shm 1

If you want to control whether the system permits loading policy, setting
enforcing mode, and changing boolean values, you must turn on the
secure_mode_policyload boolean. Set this to true and you have to reboot to
set it back. Disabled by default.

setsebool -P secure_mode_policyload 1

If you want to allow virt to use serial/parallel communication ports, you
must turn on the virt_use_comm boolean. Disabled by default.

setsebool -P virt_use_comm 1

If you want to allow confined virtual guests to use executable memory and
executable stack, you must turn on the virt_use_execmem boolean. Disabled by
default.

setsebool -P virt_use_execmem 1

If you want to allow virt to read fuse files, you must turn on the
virt_use_fusefs boolean. Disabled by default.

setsebool -P virt_use_fusefs 1

If you want to allow confined virtual guests to interact with the sanlock,
you must turn on the virt_use_sanlock boolean. Disabled by default.

setsebool -P virt_use_sanlock 1

If you want to allow virt to manage device configuration (pci), you must
turn on the virt_use_sysfs boolean. Enabled by default.

setsebool -P virt_use_sysfs 1

If you want to allow virt to use usb devices, you must turn on the
virt_use_usb boolean. Enabled by default.

setsebool -P virt_use_usb 1

If you want to allow virtual machines to interact with the xserver, you must
turn on the virt_use_xserver boolean. Disabled by default.

setsebool -P virt_use_xserver 1

If you want to support the X userspace object manager, you must turn on the
xserver_object_manager boolean. Disabled by default.

setsebool -P xserver_object_manager 1

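The two checks this page describes, ps -eZ for the process domains and the
documented defaults of the virt_* booleans, can be combined into one small
audit. The script below is an added example; it is not part of the generated
man page or of the libvirt or selinux-policy projects. It parses the output
formats of ps -eZ and getsebool -a, reports which processes run in the virt
domains listed under PROCESS TYPES, and lists every virt_* boolean whose value
differs from the default stated in this section. The sample inputs embedded at
the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the virtd_selinux(8) page: audit the virt SELinux
# posture of a host from the output of `ps -eZ` and `getsebool -a`.
# Both functions read their input on stdin, so they work on live output
# ("ps -eZ | list_virt_processes") and on captured text alike.

# Process domains listed in the PROCESS TYPES section of the page.
VIRT_DOMAINS="virtd_t virtd_lxc_t virt_qmf_t virt_qemu_ga_t virt_qemu_ga_unconfined_t virt_bridgehelper_t"

# Documented defaults of the virt_* booleans from the BOOLEANS section.
VIRT_DEFAULTS="virt_use_nfs=off virt_use_samba=off virt_use_comm=off virt_use_execmem=off virt_use_fusefs=off virt_use_sanlock=off virt_use_sysfs=on virt_use_usb=on virt_use_xserver=off"

# list_virt_processes: read `ps -eZ` output on stdin and print
# "domain pid command" for every process whose context type is a virt domain.
list_virt_processes() {
    awk -v domains="$VIRT_DOMAINS" '
    BEGIN { n = split(domains, d, " "); for (i = 1; i <= n; i++) want[d[i]] = 1 }
    NR > 1 {
        # A context is user:role:type:level; the type is the 3rd field. The
        # MLS level may itself contain ":" (s0-s0:c0.c1023), which is why the
        # split is on ":" and only field 3 is inspected.
        split($1, ctx, ":")
        if (ctx[3] in want) printf "%s %s %s\n", ctx[3], $2, $NF
    }'
}

# audit_virt_booleans: read `getsebool -a` output ("name --> on|off") on stdin
# and print one line per virt_* boolean whose value differs from the default
# documented on the page. No output means every virt boolean is at default.
audit_virt_booleans() {
    awk -v defaults="$VIRT_DEFAULTS" '
    BEGIN {
        n = split(defaults, items, " ")
        for (i = 1; i <= n; i++) { split(items[i], kv, "="); def[kv[1]] = kv[2] }
    }
    ($1 in def) && $3 != def[$1] {
        printf "%s documented=%s actual=%s\n", $1, def[$1], $3
    }'
}

# Constructed sample inputs (not captured from a real host). The process list
# mixes an MLS context with a plain one; the boolean list has three values
# moved away from the documented defaults.
SAMPLE_PS='LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0             1 ?        00:00:02 systemd
system_u:system_r:virtd_t:s0-s0:c0.c1023  842 ?    00:00:05 libvirtd
system_u:system_r:virt_qemu_ga_t:s0     915 ?        00:00:00 qemu-ga
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1201 pts/0 00:00:00 bash'

SAMPLE_BOOLS='virt_use_nfs --> on
virt_use_samba --> off
virt_use_comm --> off
virt_use_execmem --> on
virt_use_fusefs --> off
virt_use_sanlock --> off
virt_use_sysfs --> on
virt_use_usb --> off
virt_use_xserver --> off
allow_execheap --> off'

# virt_audit [--live]: with --live read the real commands, otherwise run over
# the constructed samples so the script can be tried on any machine.
virt_audit() {
    echo "== processes running in virt domains =="
    if [ "$1" = "--live" ]; then ps -eZ | list_virt_processes
    else printf '%s\n' "$SAMPLE_PS" | list_virt_processes; fi
    echo "== virt booleans differing from documented defaults =="
    if [ "$1" = "--live" ]; then getsebool -a | audit_virt_booleans
    else printf '%s\n' "$SAMPLE_BOOLS" | audit_virt_booleans; fi
}

virt_audit "$@"
```

Run it with --live on an SELinux host to audit the real system; a boolean
reported as differing is not necessarily wrong, but each one should be
traceable to a deliberate setsebool -P decision such as the ones listed above.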
PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following command:

semanage port -l

Policy governs the access confined processes have to these ports. SELinux
virtd policy is very flexible, allowing users to set up their virtd processes
in as secure a manner as possible.

The following port types are defined for virtd:

virt_migration_port_t

Default Defined Ports:
tcp 49152-49216

virt_port_t

Default Defined Ports:
tcp 16509,16514
udp 16509,16514

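Since policy grants access by port type, the useful check before configuring a
libvirt or migration listener on a port this page does not list is which port
type, if any, already covers it. The function below is an added example, not
the page's or the selinux-policy project's own code: it reads semanage port -l
style output on stdin, handles both comma-separated port lists and lo-hi
ranges, and prints the covering type. The listing embedded in it is
constructed from the ranges documented above plus one unrelated type.

```shell
#!/bin/sh
# Added example, not from the virtd_selinux(8) page: look up which SELinux
# port type covers a protocol/port pair in `semanage port -l` output.
# The listing is read on stdin so it works on captured text as well as on
# "semanage port -l | port_type_for tcp 16514".

# Constructed sample in the layout of `semanage port -l`: the virt entries use
# the ranges documented on the page, http_port_t is there as an unrelated type.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
virt_migration_port_t          tcp      49152-49216
virt_port_t                    tcp      16509, 16514
virt_port_t                    udp      16509, 16514'

# port_type_for PROTO PORT: print the type covering PORT for PROTO and return 0,
# or print nothing and return 1 when no entry covers it. Entries are
# comma-separated single ports or lo-hi ranges; both forms are handled.
port_type_for() {
    awk -v proto="$1" -v port="$2" '
    NR > 1 && $2 == proto {
        for (i = 3; i <= NF; i++) {
            item = $i
            sub(/,$/, "", item)                 # strip the list separator
            if (split(item, r, "-") == 2) { lo = r[1]; hi = r[2] }
            else { lo = item; hi = item }
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) {
                print $1; found = 1; exit
            }
        }
    }
    END { if (found) exit 0; exit 1 }'
}

# describe_port PROTO PORT: human-readable verdict against the sample listing,
# with the semanage command that would label an uncovered port as virt_port_t
# (printed, never executed).
describe_port() {
    if ptype=$(printf '%s\n' "$SAMPLE_PORTS" | port_type_for "$1" "$2"); then
        echo "$1/$2 is covered by $ptype"
    else
        echo "$1/$2 is not labeled; to add it: semanage port -a -t virt_port_t -p $1 $2"
    fi
}

for spec in tcp:16514 udp:16509 tcp:49200 tcp:16510 tcp:443; do
    describe_port "${spec%%:*}" "${spec#*:}"
done
```

On a live host replace the sample with the real listing:
semanage port -l | port_type_for tcp 16514. A port that comes back as covered
by a type other than virt_port_t or virt_migration_port_t is a hint that the
listener will be denied even though the port is "labeled".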
MANAGED FILES
The SELinux process type virtd_t can manage files labeled with the following
file types. The paths listed are the default paths for these file types. Note
that the process's UID still needs to have DAC permissions.

file_type

all files on the system

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files. SELinux
virtd policy is very flexible, allowing users to set up their virtd processes
in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for virtd. If you want to store files
with these types in different paths, you need to execute the semanage command
to specify alternate labeling and then use restorecon to put the labels on
disk.

semanage fcontext -a -t virtd_keytab_t '/srv/myvirtd_content(/.*)?'
restorecon -R -v /srv/myvirtd_content

Note: SELinux often uses regular expressions to specify labels that match
multiple files.

The following file types are defined for virtd:

virtd_exec_t

- Set files with the virtd_exec_t type, if you want to transition an
executable to the virtd_t domain.

Paths:
/usr/sbin/libvirtd, /usr/bin/imgfac.py, /usr/share/vdsm/vdsm,
/usr/bin/imagefactory, /usr/bin/nova-compute, /usr/share/vdsm/respawn,
/usr/sbin/condor_vm-gahp, /usr/bin/vios-proxy-host, /usr/bin/vios-proxy-guest,
/usr/share/vdsm/supervdsmServer

virtd_initrc_exec_t

- Set files with the virtd_initrc_exec_t type, if you want to transition an
executable to the virtd_initrc_t domain.

virtd_keytab_t

- Set files with the virtd_keytab_t type, if you want to treat the files as
kerberos keytab files.

virtd_lxc_exec_t

- Set files with the virtd_lxc_exec_t type, if you want to transition an
executable to the virtd_lxc_t domain.

Note: File context can be temporarily modified with the chcon command. If you
want to permanently change the file context you need to use the semanage
fcontext command. This will modify the SELinux labeling database. You will
need to use restorecon to apply the labels.

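The note above gives the remediation (restorecon) but not the detection. The
script below is an added example, not part of this page or of the
selinux-policy project: it reads ls -Z style lines on stdin for the
entry-point binaries listed under virtd_exec_t, flags any whose type field is
not virtd_exec_t (a binary that lost its label never transitions into virtd_t,
so it runs in the caller's domain instead of the confined one), and prints the
restorecon command for each. The listing it runs over is constructed; the
mislabeled entries imitate what a stray chcon, or a file copied into place and
never passed through restorecon, leaves behind.

```shell
#!/bin/sh
# Added example, not from the virtd_selinux(8) page: verify that the virtd
# entry-point binaries carry the virtd_exec_t label, using `ls -Z` style lines
# read on stdin ("ls -Z /usr/sbin/libvirtd /usr/bin/imagefactory | check_labels").

# Expected type for each path, taken from the virtd_exec_t "Paths:" list above.
EXPECTED="/usr/sbin/libvirtd=virtd_exec_t /usr/bin/imagefactory=virtd_exec_t /usr/bin/nova-compute=virtd_exec_t /usr/share/vdsm/vdsm=virtd_exec_t"

# check_labels: print "PATH is TYPE, expected TYPE" for every tracked path whose
# on-disk type differs. Works for both `ls -Z` (context path) and `ls -lZ`
# (mode owner group context path) layouts: the context is the field shaped
# like user:role:type:..., the path is the last field. Untracked paths are
# ignored.
check_labels() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, e, " ")
        for (i = 1; i <= n; i++) { split(e[i], kv, "="); want[kv[1]] = kv[2] }
    }
    {
        ctx = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_.]+:[A-Za-z0-9_.]+:[A-Za-z0-9_.]+:/) ctx = $i
        if (ctx == "" || !($NF in want)) next
        split(ctx, c, ":")
        if (c[3] != want[$NF]) printf "%s is %s, expected %s\n", $NF, c[3], want[$NF]
    }'
}

# fix_commands: turn check_labels output into the restorecon invocations that
# reapply the policy default from the fcontext database (printed, not run).
fix_commands() {
    awk '{ print "restorecon -v " $1 }'
}

# Constructed `ls -lZ` sample: libvirtd is correct, imagefactory still carries
# the label it received in a home directory, nova-compute was copied into
# place and never relabeled, and /usr/bin/ls is not one of the tracked paths.
SAMPLE_LS='-rwxr-xr-x. root root system_u:object_r:virtd_exec_t:s0 /usr/sbin/libvirtd
-rwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 /usr/bin/imagefactory
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/nova-compute
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/ls'

printf '%s\n' "$SAMPLE_LS" | check_labels
printf '%s\n' "$SAMPLE_LS" | check_labels | fix_commands
```

restorecon only helps when the fcontext database already maps the path to
virtd_exec_t, which is the case for the default paths above; a binary
installed elsewhere needs the semanage fcontext rule from STANDARD FILE
CONTEXT first.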
COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a process
type is permissive.

semanage module can also be used to enable/disable/install/remove policy
modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux policy
settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), virtd(8), semanage(8), restorecon(8), chcon(1), setsebool(8),
virt_bridgehelper_selinux(8), virt_qemu_ga_selinux(8),
virt_qemu_ga_unconfined_selinux(8), virt_qmf_selinux(8), virtd_lxc_selinux(8)

virtd                             15-06-03                  virtd_selinux(8)