1svirt_selinux(8) SELinux Policy svirt svirt_selinux(8)
2
3
4
6 svirt_selinux - Security Enhanced Linux Policy for the svirt processes
7
9 Security-Enhanced Linux secures the svirt processes via flexible manda‐
10 tory access control.
11
12 The svirt processes execute with the svirt_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep svirt_t
19
20
21
23 The svirt_t SELinux type can be entered via the qemu_exec_t file type.
24
25 The default entrypoint paths for the svirt_t domain are the following:
26
27 /usr/libexec/qemu.*, /usr/bin/qemu-system-.*, /usr/bin/qemu,
28 /usr/bin/qemu-kvm
29
31 SELinux defines process types (domains) for each process running on the
32 system
33
34 You can see the context of a process using the -Z option to ps
35
36 Policy governs the access confined processes have to files. SELinux
37 svirt policy is very flexible allowing users to setup their svirt pro‐
38 cesses in as secure a method as possible.
39
40 The following process types are defined for svirt:
41
42 svirt_t, svirt_tcg_t, svirt_qemu_net_t, svirt_socket_t, svirt_kvm_net_t
43
44 Note: semanage permissive -a svirt_t can be used to make the process
45 type svirt_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
49
51 The SELinux process type svirt_t is an MCS (Multi Category Security)
52 constrained type. Sometimes this separation is referred to as sVirt.
53 These types are usually used for securing multi-tenant environments,
54 such as virtualization, containers or separation of users. The tools
55 used to launch MCS types, pick out a different MCS label for each
56 process group.
57
58 For example one process might be launched with svirt_t:s0:c1,c2, and
59 another process launched with svirt_t:s0:c3,c4. The SELinux kernel only
60 allows these processes can only write to content with a matching MCS
61 label, or a MCS Label of s0. A process running with the MCS level of
62 s0:c1,c2 is not allowed to write to content with the MCS label of
63 s0:c3,c4
64
65
67 SELinux policy is customizable based on least access required. svirt
68 policy is extremely flexible and has several booleans that allow you to
69 manipulate the policy and run svirt with the tightest access possible.
70
71
72
73 If you want to allow all domains to execute in fips_mode, you must turn
74 on the fips_mode boolean. Enabled by default.
75
76 setsebool -P fips_mode 1
77
78
79
80 If you want to allow confined virtual guests to use executable memory
81 and executable stack, you must turn on the virt_use_execmem boolean.
82 Disabled by default.
83
84 setsebool -P virt_use_execmem 1
85
86
87
88 If you want to allow confined virtual guests to interact with rawip
89 sockets, you must turn on the virt_use_rawip boolean. Disabled by
90 default.
91
92 setsebool -P virt_use_rawip 1
93
94
95
97 The SELinux process type svirt_t can manage files labeled with the fol‐
98 lowing file types. The paths listed are the default paths for these
99 file types. Note the processes UID still need to have DAC permissions.
100
101 anon_inodefs_t
102
103
104 cephfs_t
105
106
107 cifs_t
108
109
110 dosfs_t
111
112
113 fusefs_t
114
115 /var/run/user/[^/]*/gvfs
116
117 glusterd_var_run_t
118
119 /var/run/gluster(/.*)?
120 /var/run/glusterd.*
121 /var/run/glusterd.*
122 /var/run/glusterd(/.*)?
123
124 nfs_t
125
126
127 qemu_var_run_t
128
129 /var/lib/libvirt/qemu(/.*)?
130 /var/run/libvirt/qemu(/.*)?
131
132 svirt_home_t
133
134 /home/[^/]+/.libvirt/qemu(/.*)?
135 /home/[^/]+/.cache/libvirt/qemu(/.*)?
136 /home/[^/]+/.config/libvirt/qemu(/.*)?
137 /home/[^/]+/.local/share/libvirt/boot(/.*)?
138 /home/[^/]+/.local/share/libvirt/images(/.*)?
139 /home/[^/]+/.local/share/gnome-boxes/images(/.*)?
140
141 svirt_image_t
142
143
144 svirt_tmp_t
145
146
147 svirt_tmpfs_t
148
149
150 usbfs_t
151
152
153 virt_cache_t
154
155 /var/cache/oz(/.*)?
156 /var/cache/libvirt(/.*)?
157
158
160 SELinux requires files to have an extended attribute to define the file
161 type.
162
163 You can see the context of a file using the -Z option to ls
164
165 Policy governs the access confined processes have to these files.
166 SELinux svirt policy is very flexible allowing users to setup their
167 svirt processes in as secure a method as possible.
168
169 STANDARD FILE CONTEXT
170
171 SELinux defines the file context types for the svirt, if you wanted to
172 store files with these types in a diffent paths, you need to execute
173 the semanage command to sepecify alternate labeling and then use
174 restorecon to put the labels on disk.
175
176 semanage fcontext -a -t svirt_home_t '/srv/mysvirt_content(/.*)?'
177 restorecon -R -v /srv/mysvirt_content
178
179 Note: SELinux often uses regular expressions to specify labels that
180 match multiple files.
181
182 The following file types are defined for svirt:
183
184
185
186 svirt_home_t
187
188 - Set files with the svirt_home_t type, if you want to store svirt
189 files in the users home directory.
190
191
192 Paths:
193 /home/[^/]+/.libvirt/qemu(/.*)?, /home/[^/]+/.cache/lib‐
194 virt/qemu(/.*)?, /home/[^/]+/.config/libvirt/qemu(/.*)?,
195 /home/[^/]+/.local/share/libvirt/boot(/.*)?,
196 /home/[^/]+/.local/share/libvirt/images(/.*)?,
197 /home/[^/]+/.local/share/gnome-boxes/images(/.*)?
198
199
200 svirt_image_t
201
202 - Set files with the svirt_image_t type, if you want to treat the files
203 as svirt image data.
204
205
206
207 svirt_tmp_t
208
209 - Set files with the svirt_tmp_t type, if you want to store svirt tem‐
210 porary files in the /tmp directories.
211
212
213
214 svirt_tmpfs_t
215
216 - Set files with the svirt_tmpfs_t type, if you want to store svirt
217 files on a tmpfs file system.
218
219
220
221 Note: File context can be temporarily modified with the chcon command.
222 If you want to permanently change the file context you need to use the
223 semanage fcontext command. This will modify the SELinux labeling data‐
224 base. You will need to use restorecon to apply the labels.
225
226
228 semanage fcontext can also be used to manipulate default file context
229 mappings.
230
231 semanage permissive can also be used to manipulate whether or not a
232 process type is permissive.
233
234 semanage module can also be used to enable/disable/install/remove pol‐
235 icy modules.
236
237 semanage boolean can also be used to manipulate the booleans
238
239
240 system-config-selinux is a GUI tool available to customize SELinux pol‐
241 icy settings.
242
243
245 This manual page was auto-generated using sepolicy manpage .
246
247
249 selinux(8), svirt(8), semanage(8), restorecon(8), chcon(1), sepol‐
250 icy(8), setsebool(8), svirt_kvm_net_selinux(8),
251 svirt_kvm_net_selinux(8), svirt_qemu_net_selinux(8),
252 svirt_qemu_net_selinux(8), svirt_socket_selinux(8),
253 svirt_socket_selinux(8), svirt_tcg_selinux(8), svirt_tcg_selinux(8)
254
255
256
257svirt 19-06-18 svirt_selinux(8)