1svirt_tcg_selinux(8)       SELinux Policy svirt_tcg       svirt_tcg_selinux(8)
2
3
4

NAME

6       svirt_tcg_selinux  -  Security  Enhanced Linux Policy for the svirt_tcg
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the svirt_tcg  processes  via  flexible
11       mandatory access control.
12
13       The  svirt_tcg processes execute with the svirt_tcg_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep svirt_tcg_t
20
21
22

ENTRYPOINTS

24       The  svirt_tcg_t  SELinux  type can be entered via the qemu_exec_t file
25       type.
26
27       The default entrypoint paths for the svirt_tcg_t domain are the follow‐
28       ing:
29
30       /usr/libexec/qemu.*,       /usr/bin/qemu-system-.*,      /usr/bin/qemu,
31       /usr/bin/qemu-kvm
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       svirt_tcg policy  is  very  flexible  allowing  users  to  setup  their
41       svirt_tcg processes in as secure a method as possible.
42
43       The following process types are defined for svirt_tcg:
44
45       svirt_tcg_t
46
47       Note:  semanage  permissive  -a  svirt_tcg_t  can  be  used to make the
48       process type svirt_tcg_t permissive. SELinux does not  deny  access  to
49       permissive  process  types,  but the AVC (SELinux denials) messages are
50       still generated.
51
52

MCS Constrained

54       The SELinux process type svirt_tcg_t is an MCS  (Multi  Category  Secu‐
55       rity)  constrained  type.   Sometimes this separation is referred to as
56       sVirt. These types are usually used for securing multi-tenant  environ‐
57       ments,  such as virtualization, containers or separation of users.  The
58       tools used to launch MCS types, pick out a different MCS label for each
59       process group.
60
61       For  example  one  process might be launched with svirt_tcg_t:s0:c1,c2,
62       and another process launched  with  svirt_tcg_t:s0:c3,c4.  The  SELinux
63       kernel  only  allows  these  processes can only write to content with a
64       matching MCS label, or a MCS Label of s0. A process  running  with  the
65       MCS  level  of s0:c1,c2 is not allowed to write to content with the MCS
66       label of s0:c3,c4
67
68

BOOLEANS

70       SELinux  policy  is  customizable  based  on  least  access   required.
71       svirt_tcg  policy  is  extremely flexible and has several booleans that
72       allow you to manipulate the policy and run svirt_tcg with the  tightest
73       access possible.
74
75
76
77       If you want to allow all domains to execute in fips_mode, you must turn
78       on the fips_mode boolean. Enabled by default.
79
80       setsebool -P fips_mode 1
81
82
83
84       If you want to allow confined virtual guests to use  executable  memory
85       and  executable  stack,  you must turn on the virt_use_execmem boolean.
86       Disabled by default.
87
88       setsebool -P virt_use_execmem 1
89
90
91
92       If you want to allow confined virtual guests  to  interact  with  rawip
93       sockets,  you  must  turn  on  the  virt_use_rawip boolean. Disabled by
94       default.
95
96       setsebool -P virt_use_rawip 1
97
98
99

MANAGED FILES

101       The SELinux process type svirt_tcg_t can manage files labeled with  the
102       following file types.  The paths listed are the default paths for these
103       file types.  Note the processes UID still need to have DAC permissions.
104
105       anon_inodefs_t
106
107
108       cephfs_t
109
110
111       cifs_t
112
113
114       dosfs_t
115
116
117       fusefs_t
118
119            /var/run/user/[^/]*/gvfs
120
121       glusterd_var_run_t
122
123            /var/run/gluster(/.*)?
124            /var/run/glusterd.*
125            /var/run/glusterd.*
126            /var/run/glusterd(/.*)?
127
128       nfs_t
129
130
131       qemu_var_run_t
132
133            /var/lib/libvirt/qemu(/.*)?
134            /var/run/libvirt/qemu(/.*)?
135
136       svirt_home_t
137
138            /home/[^/]+/.libvirt/qemu(/.*)?
139            /home/[^/]+/.cache/libvirt/qemu(/.*)?
140            /home/[^/]+/.config/libvirt/qemu(/.*)?
141            /home/[^/]+/.local/share/libvirt/boot(/.*)?
142            /home/[^/]+/.local/share/libvirt/images(/.*)?
143            /home/[^/]+/.local/share/gnome-boxes/images(/.*)?
144
145       svirt_image_t
146
147
148       svirt_tmp_t
149
150
151       svirt_tmpfs_t
152
153
154       usbfs_t
155
156
157       virt_cache_t
158
159            /var/cache/oz(/.*)?
160            /var/cache/libvirt(/.*)?
161
162

COMMANDS

164       semanage fcontext can also be used to manipulate default  file  context
165       mappings.
166
167       semanage  permissive  can  also  be used to manipulate whether or not a
168       process type is permissive.
169
170       semanage module can also be used to enable/disable/install/remove  pol‐
171       icy modules.
172
173       semanage boolean can also be used to manipulate the booleans
174
175
176       system-config-selinux is a GUI tool available to customize SELinux pol‐
177       icy settings.
178
179

AUTHOR

181       This manual page was auto-generated using sepolicy manpage .
182
183

SEE ALSO

185       selinux(8), svirt_tcg(8), semanage(8), restorecon(8), chcon(1),  sepol‐
186       icy(8), setsebool(8)
187
188
189
190svirt_tcg                          19-06-18               svirt_tcg_selinux(8)
Impressum