1virtlogd_selinux(8) SELinux Policy virtlogd virtlogd_selinux(8)
2
3
4
6 virtlogd_selinux - Security Enhanced Linux Policy for the virtlogd pro‐
7 cesses
8
10 Security-Enhanced Linux secures the virtlogd processes via flexible
11 mandatory access control.
12
13 The virtlogd processes execute with the virtlogd_t SELinux type. You
14 can check if you have these processes running by executing the ps com‐
15 mand with the -Z qualifier.
16
17 For example:
18
19 ps -eZ | grep virtlogd_t
20
21
22
24 The virtlogd_t SELinux type can be entered via the virtlogd_exec_t file
25 type.
26
27 The default entrypoint paths for the virtlogd_t domain are the follow‐
28 ing:
29
30 /usr/sbin/virtlogd
31
33 SELinux defines process types (domains) for each process running on the
34 system
35
36 You can see the context of a process using the -Z option to ps
37
38 Policy governs the access confined processes have to files. SELinux
39 virtlogd policy is very flexible allowing users to setup their virtlogd
40 processes in as secure a method as possible.
41
42 The following process types are defined for virtlogd:
43
44 virtlogd_t
45
46 Note: semanage permissive -a virtlogd_t can be used to make the process
47 type virtlogd_t permissive. SELinux does not deny access to permissive
48 process types, but the AVC (SELinux denials) messages are still gener‐
49 ated.
50
51
53 SELinux policy is customizable based on least access required. virt‐
54 logd policy is extremely flexible and has several booleans that allow
55 you to manipulate the policy and run virtlogd with the tightest access
56 possible.
57
58
59
60 If you want to allow users to resolve user passwd entries directly from
61 ldap rather then using a sssd server, you must turn on the authlo‐
62 gin_nsswitch_use_ldap boolean. Disabled by default.
63
64 setsebool -P authlogin_nsswitch_use_ldap 1
65
66
67
68 If you want to allow all domains to execute in fips_mode, you must turn
69 on the fips_mode boolean. Enabled by default.
70
71 setsebool -P fips_mode 1
72
73
74
75 If you want to allow confined applications to run with kerberos, you
76 must turn on the kerberos_enabled boolean. Enabled by default.
77
78 setsebool -P kerberos_enabled 1
79
80
81
82 If you want to allow system to run with NIS, you must turn on the
83 nis_enabled boolean. Disabled by default.
84
85 setsebool -P nis_enabled 1
86
87
88
89 If you want to allow confined applications to use nscd shared memory,
90 you must turn on the nscd_use_shm boolean. Disabled by default.
91
92 setsebool -P nscd_use_shm 1
93
94
95
96 If you want to allow confined virtual guests to manage nfs files, you
97 must turn on the virt_use_nfs boolean. Disabled by default.
98
99 setsebool -P virt_use_nfs 1
100
101
102
104 The SELinux process type virtlogd_t can manage files labeled with the
105 following file types. The paths listed are the default paths for these
106 file types. Note the processes UID still need to have DAC permissions.
107
108 cluster_conf_t
109
110 /etc/cluster(/.*)?
111
112 cluster_var_lib_t
113
114 /var/lib/pcsd(/.*)?
115 /var/lib/cluster(/.*)?
116 /var/lib/openais(/.*)?
117 /var/lib/pengine(/.*)?
118 /var/lib/corosync(/.*)?
119 /usr/lib/heartbeat(/.*)?
120 /var/lib/heartbeat(/.*)?
121 /var/lib/pacemaker(/.*)?
122
123 cluster_var_run_t
124
125 /var/run/crm(/.*)?
126 /var/run/cman_.*
127 /var/run/rsctmp(/.*)?
128 /var/run/aisexec.*
129 /var/run/heartbeat(/.*)?
130 /var/run/corosync-qnetd(/.*)?
131 /var/run/corosync-qdevice(/.*)?
132 /var/run/corosync.pid
133 /var/run/cpglockd.pid
134 /var/run/rgmanager.pid
135 /var/run/cluster/rgmanager.sk
136
137 root_t
138
139 /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
140 /
141 /initrd
142
143 svirt_image_t
144
145
146 svirt_tmp_t
147
148
149 virt_etc_rw_t
150
151 /etc/xen/[^/]*
152 /etc/xen/.*/.*
153 /etc/libvirt/[^/]*
154 /etc/libvirt/.*/.*
155
156 virt_log_t
157
158 /var/log/log(/.*)?
159 /var/log/vdsm(/.*)?
160 /var/log/libvirt(/.*)?
161 /var/lock/xl
162
163 virt_tmp_t
164
165
166 virtlogd_var_run_t
167
168 /var/run/virtlogd.pid
169 /var/run/libvirt/virtlogd-sock
170
171
173 SELinux requires files to have an extended attribute to define the file
174 type.
175
176 You can see the context of a file using the -Z option to ls
177
178 Policy governs the access confined processes have to these files.
179 SELinux virtlogd policy is very flexible allowing users to setup their
180 virtlogd processes in as secure a method as possible.
181
182 STANDARD FILE CONTEXT
183
184 SELinux defines the file context types for the virtlogd, if you wanted
185 to store files with these types in a diffent paths, you need to execute
186 the semanage command to sepecify alternate labeling and then use
187 restorecon to put the labels on disk.
188
189 semanage fcontext -a -t virtlogd_unit_file_t '/srv/myvirtlogd_con‐
190 tent(/.*)?'
191 restorecon -R -v /srv/myvirtlogd_content
192
193 Note: SELinux often uses regular expressions to specify labels that
194 match multiple files.
195
196 The following file types are defined for virtlogd:
197
198
199
200 virtlogd_etc_t
201
202 - Set files with the virtlogd_etc_t type, if you want to store virtlogd
203 files in the /etc directories.
204
205
206
207 virtlogd_exec_t
208
209 - Set files with the virtlogd_exec_t type, if you want to transition an
210 executable to the virtlogd_t domain.
211
212
213
214 virtlogd_initrc_exec_t
215
216 - Set files with the virtlogd_initrc_exec_t type, if you want to tran‐
217 sition an executable to the virtlogd_initrc_t domain.
218
219
220
221 virtlogd_unit_file_t
222
223 - Set files with the virtlogd_unit_file_t type, if you want to treat
224 the files as virtlogd unit content.
225
226
227
228 virtlogd_var_run_t
229
230 - Set files with the virtlogd_var_run_t type, if you want to store the
231 virtlogd files under the /run or /var/run directory.
232
233
234 Paths:
235 /var/run/virtlogd.pid, /var/run/libvirt/virtlogd-sock
236
237
238 Note: File context can be temporarily modified with the chcon command.
239 If you want to permanently change the file context you need to use the
240 semanage fcontext command. This will modify the SELinux labeling data‐
241 base. You will need to use restorecon to apply the labels.
242
243
245 semanage fcontext can also be used to manipulate default file context
246 mappings.
247
248 semanage permissive can also be used to manipulate whether or not a
249 process type is permissive.
250
251 semanage module can also be used to enable/disable/install/remove pol‐
252 icy modules.
253
254 semanage boolean can also be used to manipulate the booleans
255
256
257 system-config-selinux is a GUI tool available to customize SELinux pol‐
258 icy settings.
259
260
262 This manual page was auto-generated using sepolicy manpage .
263
264
266 selinux(8), virtlogd(8), semanage(8), restorecon(8), chcon(1), sepol‐
267 icy(8), setsebool(8)
268
269
270
271virtlogd 19-05-30 virtlogd_selinux(8)