1virtd_selinux(8) SELinux Policy virtd virtd_selinux(8)
2
3
4
6 virtd_selinux - Security Enhanced Linux Policy for the virtd processes
7
9 Security-Enhanced Linux secures the virtd processes via flexible manda‐
10 tory access control.
11
12 The virtd processes execute with the virtd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep virtd_t
19
20
21
23 The virtd_t SELinux type can be entered via the virtd_exec_t file type.
24
25 The default entrypoint paths for the virtd_t domain are the following:
26
27 /usr/lib/virt-sysprep/firstboot.sh, /usr/bin/virt-who,
28 /usr/sbin/virtvzd, /usr/bin/imgfac.py, /usr/sbin/libvirtd,
29 /usr/sbin/virtlxcd, /usr/sbin/virtxend, /usr/sbin/virtqemud,
30 /usr/sbin/virtvboxd, /usr/sbin/virtproxyd, /usr/share/vdsm/vdsm,
31 /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/virtsecretd,
32 /usr/sbin/virtnetworkd, /usr/sbin/virtnodedevd, /usr/sbin/virtstoraged,
33 /usr/bin/qemu-pr-helper, /usr/libexec/vdsm/vdsmd, /usr/sbin/virtnwfil‐
34 terd, /usr/share/vdsm/respawn, /usr/bin/vios-proxy-host, /usr/sbin/con‐
35 dor_vm-gahp, /usr/sbin/virtinterfaced, /usr/bin/vios-proxy-guest,
36 /usr/libexec/vdsm/respawn, /usr/libexec/qemu-pr-helper, /usr/bin/qemu-
37 storage-daemon, /usr/libexec/vdsm/supervdsmd, /usr/share/vdsm/daemon‐
38 Adapter, /usr/libexec/vdsm/daemonAdapter, /usr/share/vdsm/supervdsm‐
39 Server
40
42 SELinux defines process types (domains) for each process running on the
43 system
44
45 You can see the context of a process using the -Z option to ps
46
47 Policy governs the access confined processes have to files. SELinux
48 virtd policy is very flexible allowing users to setup their virtd pro‐
49 cesses in as secure a method as possible.
50
51 The following process types are defined for virtd:
52
53 virtd_t, virt_bridgehelper_t, virt_qemu_ga_t, virtd_lxc_t, virt_qemu_ga_unconfined_t
54
55 Note: semanage permissive -a virtd_t can be used to make the process
56 type virtd_t permissive. SELinux does not deny access to permissive
57 process types, but the AVC (SELinux denials) messages are still gener‐
58 ated.
59
60
62 SELinux policy is customizable based on least access required. virtd
63 policy is extremely flexible and has several booleans that allow you to
64 manipulate the policy and run virtd with the tightest access possible.
65
66
67
68 If you want to allow virtual processes to run as userdomains, you must
69 turn on the virt_transition_userdomain boolean. Disabled by default.
70
71 setsebool -P virt_transition_userdomain 1
72
73
74
75 If you want to control the ability to mmap a low area of the address
76 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
77 the mmap_low_allowed boolean. Disabled by default.
78
79 setsebool -P mmap_low_allowed 1
80
81
82
83 If you want to disable kernel module loading, you must turn on the se‐
84 cure_mode_insmod boolean. Enabled by default.
85
86 setsebool -P secure_mode_insmod 1
87
88
89
90 If you want to allow unconfined executables to make their heap memory
91 executable. Doing this is a really bad idea. Probably indicates a
92 badly coded executable, but could indicate an attack. This executable
93 should be reported in bugzilla, you must turn on the selinuxuser_ex‐
94 echeap boolean. Disabled by default.
95
96 setsebool -P selinuxuser_execheap 1
97
98
99
100 If you want to allow unconfined executables to make their stack exe‐
101 cutable. This should never, ever be necessary. Probably indicates a
102 badly coded executable, but could indicate an attack. This executable
103 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
104 stack boolean. Enabled by default.
105
106 setsebool -P selinuxuser_execstack 1
107
108
109
111 SELinux defines port types to represent TCP and UDP ports.
112
113 You can see the types associated with a port by using the following
114 command:
115
116 semanage port -l
117
118
119 Policy governs the access confined processes have to these ports.
120 SELinux virtd policy is very flexible allowing users to setup their
121 virtd processes in as secure a method as possible.
122
123 The following port types are defined for virtd:
124
125
126 virt_migration_port_t
127
128
129
130 Default Defined Ports:
131 tcp 49152-49216
132
133
134 virt_port_t
135
136
137
138 Default Defined Ports:
139 tcp 16509,16514
140 udp 16509,16514
141
143 The SELinux process type virtd_t can manage files labeled with the fol‐
144 lowing file types. The paths listed are the default paths for these
145 file types. Note the processes UID still need to have DAC permissions.
146
147 file_type
148
149 all files on the system
150
151
153 SELinux requires files to have an extended attribute to define the file
154 type.
155
156 You can see the context of a file using the -Z option to ls
157
158 Policy governs the access confined processes have to these files.
159 SELinux virtd policy is very flexible allowing users to setup their
160 virtd processes in as secure a method as possible.
161
162 STANDARD FILE CONTEXT
163
164 SELinux defines the file context types for the virtd, if you wanted to
165 store files with these types in a diffent paths, you need to execute
166 the semanage command to specify alternate labeling and then use re‐
167 storecon to put the labels on disk.
168
169 semanage fcontext -a -t virtd_keytab_t '/srv/myvirtd_content(/.*)?'
170 restorecon -R -v /srv/myvirtd_content
171
172 Note: SELinux often uses regular expressions to specify labels that
173 match multiple files.
174
175 The following file types are defined for virtd:
176
177
178
179 virtd_exec_t
180
181 - Set files with the virtd_exec_t type, if you want to transition an
182 executable to the virtd_t domain.
183
184
185 Paths:
186 /usr/lib/virt-sysprep/firstboot.sh, /usr/bin/virt-who,
187 /usr/sbin/virtvzd, /usr/bin/imgfac.py, /usr/sbin/libvirtd,
188 /usr/sbin/virtlxcd, /usr/sbin/virtxend, /usr/sbin/virtqemud,
189 /usr/sbin/virtvboxd, /usr/sbin/virtproxyd, /usr/share/vdsm/vdsm,
190 /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/virtse‐
191 cretd, /usr/sbin/virtnetworkd, /usr/sbin/virtnodedevd,
192 /usr/sbin/virtstoraged, /usr/bin/qemu-pr-helper,
193 /usr/libexec/vdsm/vdsmd, /usr/sbin/virtnwfilterd,
194 /usr/share/vdsm/respawn, /usr/bin/vios-proxy-host, /usr/sbin/con‐
195 dor_vm-gahp, /usr/sbin/virtinterfaced, /usr/bin/vios-proxy-guest,
196 /usr/libexec/vdsm/respawn, /usr/libexec/qemu-pr-helper,
197 /usr/bin/qemu-storage-daemon, /usr/libexec/vdsm/supervdsmd,
198 /usr/share/vdsm/daemonAdapter, /usr/libexec/vdsm/daemonAdapter,
199 /usr/share/vdsm/supervdsmServer
200
201
202 virtd_initrc_exec_t
203
204 - Set files with the virtd_initrc_exec_t type, if you want to transi‐
205 tion an executable to the virtd_initrc_t domain.
206
207
208
209 virtd_keytab_t
210
211 - Set files with the virtd_keytab_t type, if you want to treat the
212 files as kerberos keytab files.
213
214
215
216 virtd_lxc_exec_t
217
218 - Set files with the virtd_lxc_exec_t type, if you want to transition
219 an executable to the virtd_lxc_t domain.
220
221
222
223 virtd_unit_file_t
224
225 - Set files with the virtd_unit_file_t type, if you want to treat the
226 files as virtd unit content.
227
228
229 Paths:
230 /usr/lib/systemd/system/.*xen.*.service, /usr/lib/systemd/sys‐
231 tem/virt.*.service, /usr/lib/systemd/system/libvirt.*.service
232
233
234 Note: File context can be temporarily modified with the chcon command.
235 If you want to permanently change the file context you need to use the
236 semanage fcontext command. This will modify the SELinux labeling data‐
237 base. You will need to use restorecon to apply the labels.
238
239
241 semanage fcontext can also be used to manipulate default file context
242 mappings.
243
244 semanage permissive can also be used to manipulate whether or not a
245 process type is permissive.
246
247 semanage module can also be used to enable/disable/install/remove pol‐
248 icy modules.
249
250 semanage port can also be used to manipulate the port definitions
251
252 semanage boolean can also be used to manipulate the booleans
253
254
255 system-config-selinux is a GUI tool available to customize SELinux pol‐
256 icy settings.
257
258
260 This manual page was auto-generated using sepolicy manpage .
261
262
264 selinux(8), virtd(8), semanage(8), restorecon(8), chcon(1), sepol‐
265 icy(8), setsebool(8), virt_bridgehelper_selinux(8),
266 virt_qemu_ga_selinux(8), virt_qemu_ga_unconfined_selinux(8),
267 virtd_lxc_selinux(8)
268
269
270
271virtd 23-02-03 virtd_selinux(8)