virtd_selinux(8)             SELinux Policy virtd             virtd_selinux(8)


NAME

       virtd_selinux - Security Enhanced Linux Policy for the virtd processes


DESCRIPTION

       Security-Enhanced Linux secures the virtd processes via flexible
       mandatory access control.

       The virtd processes execute with the virtd_t SELinux type. You can check
       if you have these processes running by executing the ps command with
       the -Z qualifier.

       For example:

       ps -eZ | grep virtd_t


ENTRYPOINTS

       The virtd_t SELinux type can be entered via the file_type, unlabeled_t,
       proc_type, virtd_exec_t, filesystem_type, mtrr_device_t, sysctl_type
       file types.

       The default entrypoint paths for the virtd_t domain are the following:

       all files on the system, /usr/sbin/libvirtd, /usr/bin/imgfac.py,
       /usr/share/vdsm/vdsm, /usr/bin/imagefactory, /usr/bin/nova-compute,
       /usr/share/vdsm/respawn, /usr/sbin/condor_vm-gahp,
       /usr/bin/vios-proxy-host, /usr/bin/vios-proxy-guest,
       /usr/share/vdsm/supervdsmServer, /dev/cpu/mtrr


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       virtd policy is very flexible allowing users to set up their virtd
       processes in as secure a method as possible.

       The following process types are defined for virtd:

       virt_qemu_ga_unconfined_t, virtd_lxc_t, virt_qmf_t, virt_qemu_ga_t,
       virt_bridgehelper_t, virtd_t

       Note: semanage permissive -a virtd_t can be used to make the process
       type virtd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.


BOOLEANS

       SELinux policy is customizable based on least access required. virtd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run virtd with the tightest access possible.

       If you want to allow virt to manage nfs files, you must turn on the
       virt_use_nfs boolean. Disabled by default.

       setsebool -P virt_use_nfs 1

       If you want to allow virt to manage cifs files, you must turn on the
       virt_use_samba boolean. Disabled by default.

       setsebool -P virt_use_samba 1

       If you want to allow all daemons to write corefiles to /, you must turn
       on the allow_daemons_dump_core boolean. Disabled by default.

       setsebool -P allow_daemons_dump_core 1

       If you want to allow all daemons to use tcp wrappers, you must turn on
       the allow_daemons_use_tcp_wrapper boolean. Disabled by default.

       setsebool -P allow_daemons_use_tcp_wrapper 1

       If you want to allow all daemons the ability to read/write terminals,
       you must turn on the allow_daemons_use_tty boolean. Disabled by
       default.

       setsebool -P allow_daemons_use_tty 1

       If you want to allow all domains to use other domains' file
       descriptors, you must turn on the allow_domain_fd_use boolean. Enabled
       by default.

       setsebool -P allow_domain_fd_use 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the allow_execheap boolean. Doing this is
       a really bad idea: it probably indicates a badly coded executable, but
       could indicate an attack, and the executable should be reported in
       bugzilla. Disabled by default.

       setsebool -P allow_execheap 1

       If you want to allow unconfined executables to map a memory region as
       both executable and writable, you must turn on the allow_execmem
       boolean. This is dangerous and the executable should be reported in
       bugzilla. Enabled by default.

       setsebool -P allow_execmem 1

       If you want to allow all unconfined executables to use libraries
       requiring text relocation that are not labeled textrel_shlib_t, you
       must turn on the allow_execmod boolean. Enabled by default.

       setsebool -P allow_execmod 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the allow_execstack boolean. This should
       never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack, and the executable should be
       reported in bugzilla. Enabled by default.

       setsebool -P allow_execstack 1

       If you want to allow confined applications to run with kerberos, you
       must turn on the allow_kerberos boolean. Enabled by default.

       setsebool -P allow_kerberos 1

       If you want to allow sysadm to debug or ptrace all processes, you must
       turn on the allow_ptrace boolean. Disabled by default.

       setsebool -P allow_ptrace 1

       If you want to allow system to run with NIS, you must turn on the
       allow_ypbind boolean. Disabled by default.

       setsebool -P allow_ypbind 1

       If you want to enable cluster mode for daemons, you must turn on the
       daemons_enable_cluster_mode boolean. Disabled by default.

       setsebool -P daemons_enable_cluster_mode 1

       If you want to allow all domains to have the kernel load modules, you
       must turn on the domain_kernel_load_modules boolean. Disabled by
       default.

       setsebool -P domain_kernel_load_modules 1

       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1

       If you want to enable reading of urandom for all domains, you must turn
       on the global_ssp boolean. Disabled by default.

       setsebool -P global_ssp 1

       If you want to enable support for upstart as the init program, you must
       turn on the init_upstart boolean. Enabled by default.

       setsebool -P init_upstart 1

       If you want to allow certain domains to map low memory in the kernel,
       you must turn on the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to allow confined applications to use nscd shared memory,
       you must turn on the nscd_use_shm boolean. Enabled by default.

       setsebool -P nscd_use_shm 1

       The secure_mode_policyload boolean determines whether the system
       permits loading policy, setting enforcing mode, and changing boolean
       values. Set this to true and you have to reboot to set it back.
       Disabled by default.

       setsebool -P secure_mode_policyload 1

       If you want to allow virt to use serial/parallel communication ports,
       you must turn on the virt_use_comm boolean. Disabled by default.

       setsebool -P virt_use_comm 1

       If you want to allow confined virtual guests to use executable memory
       and executable stack, you must turn on the virt_use_execmem boolean.
       Disabled by default.

       setsebool -P virt_use_execmem 1

       If you want to allow virt to read fuse files, you must turn on the
       virt_use_fusefs boolean. Disabled by default.

       setsebool -P virt_use_fusefs 1

       If you want to allow confined virtual guests to interact with the
       sanlock, you must turn on the virt_use_sanlock boolean. Disabled by
       default.

       setsebool -P virt_use_sanlock 1

       If you want to allow virt to manage device configuration (pci), you
       must turn on the virt_use_sysfs boolean. Enabled by default.

       setsebool -P virt_use_sysfs 1

       If you want to allow virt to use usb devices, you must turn on the
       virt_use_usb boolean. Enabled by default.

       setsebool -P virt_use_usb 1

       If you want to allow virtual machines to interact with the xserver, you
       must turn on the virt_use_xserver boolean. Disabled by default.

       setsebool -P virt_use_xserver 1

       If you want to support X userspace object manager, you must turn on the
       xserver_object_manager boolean. Disabled by default.

       setsebool -P xserver_object_manager 1

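       Added example, not part of this generated page or of the sepolicy tool: a
       POSIX sh audit that reads getsebool output and reports which of the
       booleans above deviate from the defaults documented here, treating the
       execheap/execstack/execmem booleans as high risk because their
       descriptions above say so. The getsebool lines in SAMPLE_GETSEBOOL are
       constructed; on a live host pipe `getsebool -a` into the function instead.

```shell
#!/bin/sh
# Added example (not from the virtd_selinux page or sepolicy): audit getsebool
# output against the defaults this man page documents and flag the booleans
# the page itself calls dangerous when they are switched on.

# name:documented default:risk class (defaults and risk taken from the page)
VIRT_BOOL_TABLE='
allow_execheap:off:high
allow_execmem:on:high
allow_execstack:on:high
virt_use_execmem:off:high
allow_ptrace:off:medium
virt_use_nfs:off:low
virt_use_samba:off:low
virt_use_usb:on:low
virt_use_xserver:off:low
'

# audit_booleans: reads "name --> on|off" lines on stdin; prints CHANGED for a
# listed boolean that differs from its default, RISK for a high-risk boolean
# that is on. Returns 1 if any RISK line was printed, 0 otherwise.
audit_booleans() {
    rc=0
    while IFS= read -r line; do
        name=${line%% *}
        state=${line##* }
        entry=$(printf '%s\n' "$VIRT_BOOL_TABLE" | grep "^${name}:" || true)
        [ -n "$entry" ] || continue          # boolean not tracked by this page
        default=$(printf '%s\n' "$entry" | cut -d: -f2)
        risk=$(printf '%s\n' "$entry" | cut -d: -f3)
        if [ "$state" != "$default" ]; then
            printf 'CHANGED %s is %s (documented default: %s)\n' "$name" "$state" "$default"
        fi
        if [ "$state" = on ] && [ "$risk" = high ]; then
            printf 'RISK %s is on: the policy description calls this dangerous\n' "$name"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of getsebool output (not captured from a real host).
SAMPLE_GETSEBOOL='allow_execheap --> off
allow_execstack --> on
virt_use_nfs --> on
virt_use_usb --> on'

# On a live system use: getsebool -a | audit_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans || echo "high-risk boolean enabled"
```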

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux virtd policy is very flexible allowing users to set up their
       virtd processes in as secure a method as possible.

       The following port types are defined for virtd:

       virt_migration_port_t

       Default Defined Ports:
                 tcp 49152-49216

       virt_port_t

       Default Defined Ports:
                 tcp 16509,16514
                 udp 16509,16514


MANAGED FILES

       The SELinux process type virtd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       file_type

            all files on the system


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux virtd policy is very flexible allowing users to set up their
       virtd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for virtd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify the alternate labeling and then use
       restorecon to put the labels on disk.

       semanage fcontext -a -t virtd_keytab_t '/srv/myvirtd_content(/.*)?'
       restorecon -R -v /srv/myvirtd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for virtd:

       virtd_exec_t

       - Set files with the virtd_exec_t type, if you want to transition an
       executable to the virtd_t domain.

       Paths:
            /usr/sbin/libvirtd, /usr/bin/imgfac.py, /usr/share/vdsm/vdsm,
            /usr/bin/imagefactory, /usr/bin/nova-compute,
            /usr/share/vdsm/respawn, /usr/sbin/condor_vm-gahp,
            /usr/bin/vios-proxy-host, /usr/bin/vios-proxy-guest,
            /usr/share/vdsm/supervdsmServer

       virtd_initrc_exec_t

       - Set files with the virtd_initrc_exec_t type, if you want to
       transition an executable to the virtd_initrc_t domain.

       virtd_keytab_t

       - Set files with the virtd_keytab_t type, if you want to treat the
       files as kerberos keytab files.

       virtd_lxc_exec_t

       - Set files with the virtd_lxc_exec_t type, if you want to transition
       an executable to the virtd_lxc_t domain.

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.

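       Added example, not from this page or from libselinux: a simplified
       resolver showing how the anchored regex in the semanage fcontext command
       above and the virtd_exec_t paths in this section determine the type
       restorecon would apply to a path. The /usr/bin/vios-proxy-(host|guest)
       regex combines two of the listed paths and is my construction; real
       matching is done by libselinux, and only its anchored regex rule is
       imitated here.

```shell
#!/bin/sh
# Added example (not from the virtd_selinux page or libselinux): resolve the
# file context a path would get from the rules this section lists. Customizations
# added with semanage fcontext take precedence over the distribution rules, so
# FCONTEXT_LOCAL is consulted first.

# Rule format: "<regex> <type>", one per line, written as in file_contexts
# (the regex is anchored to the whole path; a literal dot is escaped as '\.').
FCONTEXT_LOCAL='/srv/myvirtd_content(/.*)? virtd_keytab_t'
FCONTEXT_DEFAULT='/usr/sbin/libvirtd virtd_exec_t
/usr/bin/imgfac\.py virtd_exec_t
/usr/share/vdsm/vdsm virtd_exec_t
/usr/share/vdsm/supervdsmServer virtd_exec_t
/usr/bin/vios-proxy-(host|guest) virtd_exec_t'

# match_rules PATH RULES: print the type of the first rule whose regex matches
# the whole path; return 1 when no rule matches.
match_rules() {
    while read -r regex type; do
        [ -n "$regex" ] || continue
        if printf '%s\n' "$1" | grep -Eq "^(${regex})\$"; then
            printf '%s\n' "$type"
            return 0
        fi
    done <<EOF
$2
EOF
    return 1
}

# expected_type PATH: local customizations win, then the distribution rules.
expected_type() {
    match_rules "$1" "$FCONTEXT_LOCAL" && return 0
    match_rules "$1" "$FCONTEXT_DEFAULT"
}

# Usage on constructed paths (no real filesystem access is needed).
for p in /usr/sbin/libvirtd /srv/myvirtd_content/krb5.keytab /srv/myvirtd_contents; do
    printf '%-40s %s\n' "$p" "$(expected_type "$p" || echo 'no virtd rule matches')"
done
```

       Note that /srv/myvirtd_contents does not match: the regex covers only the
       directory named in the semanage command and the files beneath it.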

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), virtd(8), semanage(8), restorecon(8), chcon(1),
       setsebool(8), virt_bridgehelper_selinux(8), virt_qemu_ga_selinux(8),
       virt_qemu_ga_unconfined_selinux(8), virt_qmf_selinux(8),
       virtd_lxc_selinux(8)

virtd                              15-06-03                   virtd_selinux(8)