svirt_tcg_selinux(8)       SELinux Policy svirt_tcg       svirt_tcg_selinux(8)

NAME

       svirt_tcg_selinux - Security Enhanced Linux Policy for the svirt_tcg
       processes


DESCRIPTION

       Security-Enhanced Linux secures the svirt_tcg processes via flexible
       mandatory access control.

       The svirt_tcg processes execute with the svirt_tcg_t SELinux type. You
       can check if you have these processes running by executing the ps
       command with the -Z qualifier.

       For example:

       ps -eZ | grep svirt_tcg_t



ENTRYPOINTS

       The svirt_tcg_t SELinux type can be entered via the qemu_exec_t file
       type.

       The default entrypoint paths for the svirt_tcg_t domain are the
       following:

       /usr/libexec/qemu.*, /usr/bin/qemu-system-.*, /usr/bin/qemu,
       /usr/bin/qemu-kvm


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       svirt_tcg policy is very flexible, allowing users to set up their
       svirt_tcg processes as securely as possible.

       The following process types are defined for svirt_tcg:

       svirt_tcg_t

       Note: semanage permissive -a svirt_tcg_t can be used to make the
       process type svirt_tcg_t permissive. SELinux does not deny access to
       permissive process types, but the AVC (SELinux denial) messages are
       still generated.



MCS Constrained

       The SELinux process type svirt_tcg_t is an MCS (Multi Category
       Security) constrained type. Sometimes this separation is referred to as
       sVirt. These types are usually used for securing multi-tenant
       environments, such as virtualization, containers or separation of
       users. The tools used to launch MCS types pick out a different MCS
       label for each process group.

       For example, one process might be launched with svirt_tcg_t:s0:c1,c2,
       and another process launched with svirt_tcg_t:s0:c3,c4. The SELinux
       kernel only allows these processes to write to content with a matching
       MCS label, or an MCS label of s0. A process running with the MCS level
       of s0:c1,c2 is not allowed to write to content with the MCS label of
       s0:c3,c4.


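       The ps -eZ check from DESCRIPTION and the MCS write rule above, as an
       added shell example that is not part of this generated manual page or
       of the SELinux policy itself. SAMPLE_PS is constructed to look like
       ps -eZ output and is not captured from a real host; the function names
       are this example's own. The write check implements the general MCS
       dominance rule (the process's category set must contain every category
       of the object), of which the two cases the page names, an identical
       label and a plain s0 label with no categories, are instances.

```shell
#!/bin/sh
# Added example: list svirt_tcg_t processes and evaluate the MCS write rule.
# SAMPLE_PS is a constructed stand-in for `ps -eZ` output, not real data.
SAMPLE_PS='LABEL                                     PID TTY          TIME CMD
system_u:system_r:svirt_tcg_t:s0:c1,c2    1234 ?        00:00:05 qemu-system-x86_64
system_u:system_r:svirt_tcg_t:s0:c3,c4    1250 ?        00:00:02 qemu-system-x86_64
system_u:system_r:svirt_t:s0:c5,c6        1300 ?        00:00:09 qemu-kvm
system_u:system_r:virtd_t:s0-s0:c0.c1023   900 ?        00:00:01 libvirtd'

# pids_of_type [TYPE]: PIDs whose context carries TYPE (default svirt_tcg_t),
# space separated. On a live host feed it `ps -eZ` instead of SAMPLE_PS.
pids_of_type() {
    t=${1:-svirt_tcg_t}
    printf '%s\n' "$SAMPLE_PS" |
        awk -v t="$t" '$1 ~ (":" t ":") { p = p (p == "" ? "" : " ") $2 } END { print p }'
}

# mcs_cats CONTEXT: expand the categories of the (high) MCS level into a
# comma-separated list, e.g. "s0:c0.c3" -> "c0,c1,c2,c3" and "s0" -> "".
mcs_cats() {
    printf '%s\n' "$1" | awk -F: '{
        level = $4
        for (i = 5; i <= NF; i++) level = level ":" $i
        sub(/^[^-]*-/, "", level)          # keep the high level of a range
        if (split(level, part, ":") < 2) { print ""; exit }
        n = split(part[2], item, ",")
        out = ""
        for (j = 1; j <= n; j++) {
            if (item[j] ~ /\./) {          # cA.cB range
                split(item[j], r, ".")
                lo = substr(r[1], 2) + 0; hi = substr(r[2], 2) + 0
                for (k = lo; k <= hi; k++) out = out (out == "" ? "" : ",") "c" k
            } else {
                out = out (out == "" ? "" : ",") item[j]
            }
        }
        print out
    }'
}

# mcs_can_write PROCESS_CTX OBJECT_CTX: succeed when every category of the
# object is held by the process (MCS dominance). An object at s0 with no
# categories is writable by any process; a disjoint set is denied.
mcs_can_write() {
    pcats=$(mcs_cats "$1")
    ocats=$(mcs_cats "$2")
    [ -z "$ocats" ] && return 0
    for c in $(printf '%s\n' "$ocats" | tr ',' ' '); do
        case ",$pcats," in
            *",$c,"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Demonstration with the two guests from the text
echo "svirt_tcg_t PIDs: $(pids_of_type)"
g1=system_u:system_r:svirt_tcg_t:s0:c1,c2
for img in system_u:object_r:svirt_image_t:s0:c1,c2 \
           system_u:object_r:svirt_image_t:s0 \
           system_u:object_r:svirt_image_t:s0:c3,c4; do
    if mcs_can_write "$g1" "$img"; then v=allowed; else v=denied; fi
    echo "$g1 -> $img: $v"
done
```

       The range handling matters for the libvirtd-style context in the
       sample: a process at s0-s0:c0.c1023 dominates every guest image, which
       is exactly why the management daemon can reach all of them while one
       guest cannot reach another.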

BOOLEANS

       SELinux policy is customizable based on least access required.
       svirt_tcg policy is extremely flexible and has several booleans that
       allow you to manipulate the policy and run svirt_tcg with the tightest
       access possible.



       If you want to allow all domains to execute in fips_mode, you must turn
       on the fips_mode boolean. Enabled by default.

       setsebool -P fips_mode 1



       If you want to allow confined virtual guests to use executable memory
       and executable stack, you must turn on the virt_use_execmem boolean.
       Disabled by default.

       setsebool -P virt_use_execmem 1



       If you want to allow confined virtual guests to interact with rawip
       sockets, you must turn on the virt_use_rawip boolean. Disabled by
       default.

       setsebool -P virt_use_rawip 1



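       A drift check over the three booleans above, as an added shell example
       that is not part of this generated manual page. The expected values are
       the defaults the page states (fips_mode on, virt_use_execmem off,
       virt_use_rawip off); SAMPLE_GETSEBOOL is a constructed stand-in for
       getsebool -a output, not output from a real host, and the function
       names are this example's own. A guest that has been given executable
       memory and stack is the kind of deviation the check is meant to
       surface.

```shell
#!/bin/sh
# Added example: report virt booleans that differ from the documented
# defaults and print the setsebool -P commands that restore them.
EXPECTED='fips_mode on
virt_use_execmem off
virt_use_rawip off'

# Constructed sample of `getsebool -a` output (not from a real host).
SAMPLE_GETSEBOOL='fips_mode --> on
virt_use_execmem --> on
virt_use_rawip --> off
virt_use_usb --> on'

# boolean_drift [GETSEBOOL_OUTPUT]: one line per documented boolean whose
# current value differs from its default: "<name> <current> expected <default>".
# On a live host: boolean_drift "$(getsebool -a)"
boolean_drift() {
    current=${1:-$SAMPLE_GETSEBOOL}
    printf '%s\n' "$EXPECTED" | while read -r name want; do
        have=$(printf '%s\n' "$current" |
               awk -v n="$name" '$1 == n && $2 == "-->" { print $3 }')
        [ -z "$have" ] && continue        # boolean not present in this policy
        [ "$have" = "$want" ] || echo "$name $have expected $want"
    done
}

# remediation [GETSEBOOL_OUTPUT]: persistent setsebool lines for each drift.
remediation() {
    boolean_drift "$1" | while read -r name have expected want; do
        [ "$want" = on ] && v=1 || v=0
        echo "setsebool -P $name $v"
    done
}

echo "drift:"
boolean_drift
echo "remediation:"
remediation
```

       Booleans absent from the running policy are skipped rather than
       reported, so the same check works on hosts whose policy predates one
       of the three.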

MANAGED FILES

       The SELinux process type svirt_tcg_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs DAC permissions.

       anon_inodefs_t


       cephfs_t


       cifs_t


       dosfs_t


       ecryptfs_t

            /home/[^/]+/.Private(/.*)?
            /home/[^/]+/.ecryptfs(/.*)?

       fusefs_t

            /var/run/user/[^/]*/gvfs

       glusterd_var_run_t

            /var/run/gluster(/.*)?
            /var/run/glusterd.*
            /var/run/glusterd(/.*)?

       nfs_t


       qemu_var_run_t

            /var/lib/libvirt/qemu(/.*)?
            /var/run/libvirt/qemu(/.*)?

       svirt_home_t

            /home/[^/]+/.libvirt/qemu(/.*)?
            /home/[^/]+/.cache/libvirt/qemu(/.*)?
            /home/[^/]+/.config/libvirt/qemu(/.*)?
            /home/[^/]+/.local/share/libvirt/boot(/.*)?
            /home/[^/]+/.local/share/libvirt/images(/.*)?
            /home/[^/]+/.local/share/gnome-boxes/images(/.*)?

       svirt_image_t


       svirt_tmp_t


       svirt_tmpfs_t


       usbfs_t


       virt_cache_t

            /var/cache/oz(/.*)?
            /var/cache/libvirt(/.*)?


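       A way to predict which of the file types above a given path falls
       under, as an added shell example that is not part of this generated
       manual page. The spec table is copied from the list above; the matcher
       is a simplification (first spec whose regular expression matches the
       whole path) and does not reproduce libselinux's precedence rules, so
       matchpathcon(8) or restorecon -nv remains the authority on a real host.
       The function name and the no_match result are this example's own.

```shell
#!/bin/sh
# Added example: predict the default type for a path from the MANAGED FILES
# regular expressions. First whole-path match wins here; this is not the
# libselinux resolver.
FCONTEXT_SPECS='/home/[^/]+/.Private(/.*)?                         ecryptfs_t
/home/[^/]+/.ecryptfs(/.*)?                        ecryptfs_t
/var/run/user/[^/]*/gvfs                           fusefs_t
/var/run/gluster(/.*)?                             glusterd_var_run_t
/var/run/glusterd.*                                glusterd_var_run_t
/var/run/glusterd(/.*)?                            glusterd_var_run_t
/var/lib/libvirt/qemu(/.*)?                        qemu_var_run_t
/var/run/libvirt/qemu(/.*)?                        qemu_var_run_t
/home/[^/]+/.libvirt/qemu(/.*)?                    svirt_home_t
/home/[^/]+/.cache/libvirt/qemu(/.*)?              svirt_home_t
/home/[^/]+/.config/libvirt/qemu(/.*)?             svirt_home_t
/home/[^/]+/.local/share/libvirt/boot(/.*)?        svirt_home_t
/home/[^/]+/.local/share/libvirt/images(/.*)?      svirt_home_t
/home/[^/]+/.local/share/gnome-boxes/images(/.*)?  svirt_home_t
/var/cache/oz(/.*)?                                virt_cache_t
/var/cache/libvirt(/.*)?                           virt_cache_t'

# default_type PATH: type of the first spec matching the whole path, or
# "no_match" when no spec applies (the real resolver may then fall back to
# a parent or generic label, which this example does not model).
default_type() {
    printf '%s\n' "$FCONTEXT_SPECS" | awk -v p="$1" '
        $0 != "" { if (p ~ ("^" $1 "$")) { print $2; found = 1; exit } }
        END { if (!found) print "no_match" }'
}

# Demonstration: the [^/]+ component limits the home-directory specs to
# direct children of /home, and the gvfs spec has no (/.*)? so it labels
# only the mount point, not what is underneath it.
for p in /home/alice/.local/share/libvirt/images/disk.qcow2 \
         /home/alice/vms/.libvirt/qemu/disk.qcow2 \
         /var/run/user/1000/gvfs \
         /var/run/user/1000/gvfs/share; do
    echo "$p -> $(default_type "$p")"
done
```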

COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage boolean can also be used to manipulate the booleans.


       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.



AUTHOR

       This manual page was auto-generated using sepolicy manpage.



SEE ALSO

       selinux(8), svirt_tcg(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8)



svirt_tcg                          19-12-02               svirt_tcg_selinux(8)