virtd_selinux(8)             SELinux Policy virtd             virtd_selinux(8)

NAME

       virtd_selinux - Security Enhanced Linux Policy for the virtd processes


DESCRIPTION

       Security-Enhanced Linux secures the virtd processes via flexible
       mandatory access control.

       The virtd processes execute with the virtd_t SELinux type. You can
       check if you have these processes running by executing the ps command
       with the -Z qualifier.

       For example:

       ps -eZ | grep virtd_t


ENTRYPOINTS

       The virtd_t SELinux type can be entered via the virtd_exec_t file type.

       The default entrypoint paths for the virtd_t domain are the following:

            /usr/lib/virt-sysprep/firstboot.sh
            /usr/bin/virt-who
            /usr/sbin/virtvzd
            /usr/bin/imgfac.py
            /usr/sbin/libvirtd
            /usr/sbin/virtlxcd
            /usr/sbin/virtxend
            /usr/sbin/virtqemud
            /usr/sbin/virtvboxd
            /usr/sbin/virtproxyd
            /usr/share/vdsm/vdsm
            /usr/bin/imagefactory
            /usr/bin/nova-compute
            /usr/sbin/virtsecretd
            /usr/sbin/virtnetworkd
            /usr/sbin/virtnodedevd
            /usr/sbin/virtstoraged
            /usr/bin/qemu-pr-helper
            /usr/libexec/vdsm/vdsmd
            /usr/sbin/virtnwfilterd
            /usr/share/vdsm/respawn
            /usr/bin/vios-proxy-host
            /usr/sbin/condor_vm-gahp
            /usr/sbin/virtinterfaced
            /usr/bin/vios-proxy-guest
            /usr/libexec/vdsm/respawn
            /usr/libexec/qemu-pr-helper
            /usr/bin/qemu-storage-daemon
            /usr/libexec/vdsm/supervdsmd
            /usr/share/vdsm/daemonAdapter
            /usr/libexec/vdsm/daemonAdapter
            /usr/share/vdsm/supervdsmServer


PROCESS TYPES

       SELinux defines process types (domains) for each process running on the
       system.

       You can see the context of a process using the -Z option to ps.

       Policy governs the access confined processes have to files. SELinux
       virtd policy is very flexible, allowing users to set up their virtd
       processes in as secure a method as possible.

       The following process types are defined for virtd:

       virtd_t, virt_bridgehelper_t, virt_qemu_ga_t, virtd_lxc_t, virt_qemu_ga_unconfined_t

       Note: semanage permissive -a virtd_t can be used to make the process
       type virtd_t permissive. SELinux does not deny access to permissive
       process types, but the AVC (SELinux denials) messages are still
       generated.

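       A triage helper for the note above, added here as an example and not
       part of the sepolicy-generated page: it reads audit.log-style records
       and summarises the AVC denials raised by virtd_t, showing whether each
       was recorded while the domain was permissive. The audit lines in the
       script are constructed samples, not a real capture.

```shell
#!/bin/sh
# Added example, not from the sepolicy-generated page. Summarises AVC denials
# raised by the virtd_t domain, grouped by permission, target class and target
# type, and notes whether the domain was permissive (denied on paper only).
# The audit lines below are constructed samples, not a real capture.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1675420000.123:456): avc:  denied  { read } for  pid=1234 comm="libvirtd" name="images" dev="dm-0" ino=123 scontext=system_u:system_r:virtd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1675420001.456:457): avc:  denied  { write } for  pid=1234 comm="libvirtd" name="disk.qcow2" dev="dm-0" ino=124 scontext=system_u:system_r:virtd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
type=AVC msg=audit(1675420002.789:458): avc:  denied  { name_connect } for  pid=999 comm="curl" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# Read audit records on stdin; print "count permission tclass target_type mode"
# for every distinct virtd_t denial, sorted for stable output.
summarize_virtd_denials() {
    awk '
    /avc: +denied/ && /scontext=[^ ]*:virtd_t:/ {
        perm = ""; tclass = ""; ttype = ""; mode = "enforcing"
        # the permission set sits between braces, e.g. "{ read }"
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "tcontext") { split(kv[2], ctx, ":"); ttype = ctx[3] }
            if (kv[1] == "tclass") tclass = kv[2]
            if (kv[1] == "permissive" && kv[2] == "1") mode = "permissive"
        }
        count[perm " " tclass " " ttype " " mode]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort
}

# Demo on the constructed sample; on a real host use:
#   ausearch -m avc -ts recent | summarize_virtd_denials
printf '%s\n' "$SAMPLE_AUDIT_LOG" | summarize_virtd_denials
```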

BOOLEANS

       SELinux policy is customizable based on least access required. virtd
       policy is extremely flexible and has several booleans that allow you to
       manipulate the policy and run virtd with the tightest access possible.

       If you want to allow virtual processes to run as userdomains, you must
       turn on the virt_transition_userdomain boolean. Disabled by default.

       setsebool -P virt_transition_userdomain 1

       If you want to control the ability to mmap a low area of the address
       space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
       the mmap_low_allowed boolean. Disabled by default.

       setsebool -P mmap_low_allowed 1

       If you want to disable kernel module loading, you must turn on the
       secure_mode_insmod boolean. Enabled by default.

       setsebool -P secure_mode_insmod 1

       If you want to allow unconfined executables to make their heap memory
       executable, you must turn on the selinuxuser_execheap boolean. Doing
       this is a really bad idea: it probably indicates a badly coded
       executable, but could indicate an attack. Such an executable should
       be reported in bugzilla. Disabled by default.

       setsebool -P selinuxuser_execheap 1

       If you want to allow unconfined executables to make their stack
       executable, you must turn on the selinuxuser_execstack boolean. This
       should never, ever be necessary: it probably indicates a badly coded
       executable, but could indicate an attack. Such an executable should
       be reported in bugzilla. Enabled by default.

       setsebool -P selinuxuser_execstack 1

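       A configuration check for the booleans listed above, added here as an
       example and not part of the sepolicy-generated page: it reads
       getsebool -a style lines on stdin and reports every documented boolean
       whose live state differs from the default stated on this page. The
       sample getsebool output embedded in the script is constructed.

```shell
#!/bin/sh
# Added example, not from the sepolicy-generated page. Compares the booleans
# documented above against their documented defaults, reading `getsebool -a`
# style lines ("name --> on|off") on stdin, so it runs offline on the
# constructed sample below or against a live host.
SAMPLE_GETSEBOOL='mmap_low_allowed --> off
secure_mode_insmod --> on
selinuxuser_execheap --> on
selinuxuser_execstack --> on
virt_transition_userdomain --> off
virt_use_nfs --> off'

# Documented default for each boolean this page lists; empty for any other.
expected_default() {
    case $1 in
        virt_transition_userdomain|mmap_low_allowed|selinuxuser_execheap) echo off ;;
        secure_mode_insmod|selinuxuser_execstack) echo on ;;
        *) echo "" ;;
    esac
}

# Print one DEVIATION line per documented boolean whose live state differs
# from the default; return 0 if all match, 1 otherwise. Booleans the page
# does not document (e.g. virt_use_nfs in the sample) are ignored.
audit_virtd_booleans() {
    rc=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        name=${line%% *}
        state=${line##* }
        expected=$(expected_default "$name")
        [ -z "$expected" ] && continue
        if [ "$state" != "$expected" ]; then
            printf 'DEVIATION: %s is %s (documented default: %s)\n' \
                "$name" "$state" "$expected"
            rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample; on a live host: getsebool -a | audit_virtd_booleans
printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_virtd_booleans \
    || echo "one or more booleans deviate from the documented defaults"
```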

PORT TYPES

       SELinux defines port types to represent TCP and UDP ports.

       You can see the types associated with a port by using the following
       command:

       semanage port -l

       Policy governs the access confined processes have to these ports.
       SELinux virtd policy is very flexible, allowing users to set up their
       virtd processes in as secure a method as possible.

       The following port types are defined for virtd:

       virt_migration_port_t

       Default Defined Ports:
                 tcp 49152-49216

       virt_port_t

       Default Defined Ports:
                 tcp 16509,16514
                 udp 16509,16514


MANAGED FILES

       The SELinux process type virtd_t can manage files labeled with the
       following file types. The paths listed are the default paths for these
       file types. Note that the process's UID still needs to have DAC
       permissions.

       file_type

            all files on the system


FILE CONTEXTS

       SELinux requires files to have an extended attribute to define the file
       type.

       You can see the context of a file using the -Z option to ls.

       Policy governs the access confined processes have to these files.
       SELinux virtd policy is very flexible, allowing users to set up their
       virtd processes in as secure a method as possible.

       STANDARD FILE CONTEXT

       SELinux defines the file context types for virtd. If you want to store
       files with these types in different paths, you need to execute the
       semanage command to specify alternate labeling and then use restorecon
       to put the labels on disk.

       semanage fcontext -a -t virtd_keytab_t '/srv/myvirtd_content(/.*)?'
       restorecon -R -v /srv/myvirtd_content

       Note: SELinux often uses regular expressions to specify labels that
       match multiple files.

       The following file types are defined for virtd:

       virtd_exec_t

       - Set files with the virtd_exec_t type, if you want to transition an
       executable to the virtd_t domain.

       Paths:
            /usr/lib/virt-sysprep/firstboot.sh
            /usr/bin/virt-who
            /usr/sbin/virtvzd
            /usr/bin/imgfac.py
            /usr/sbin/libvirtd
            /usr/sbin/virtlxcd
            /usr/sbin/virtxend
            /usr/sbin/virtqemud
            /usr/sbin/virtvboxd
            /usr/sbin/virtproxyd
            /usr/share/vdsm/vdsm
            /usr/bin/imagefactory
            /usr/bin/nova-compute
            /usr/sbin/virtsecretd
            /usr/sbin/virtnetworkd
            /usr/sbin/virtnodedevd
            /usr/sbin/virtstoraged
            /usr/bin/qemu-pr-helper
            /usr/libexec/vdsm/vdsmd
            /usr/sbin/virtnwfilterd
            /usr/share/vdsm/respawn
            /usr/bin/vios-proxy-host
            /usr/sbin/condor_vm-gahp
            /usr/sbin/virtinterfaced
            /usr/bin/vios-proxy-guest
            /usr/libexec/vdsm/respawn
            /usr/libexec/qemu-pr-helper
            /usr/bin/qemu-storage-daemon
            /usr/libexec/vdsm/supervdsmd
            /usr/share/vdsm/daemonAdapter
            /usr/libexec/vdsm/daemonAdapter
            /usr/share/vdsm/supervdsmServer

201
       virtd_initrc_exec_t

       - Set files with the virtd_initrc_exec_t type, if you want to
       transition an executable to the virtd_initrc_t domain.

       virtd_keytab_t

       - Set files with the virtd_keytab_t type, if you want to treat the
       files as kerberos keytab files.

       virtd_lxc_exec_t

       - Set files with the virtd_lxc_exec_t type, if you want to transition
       an executable to the virtd_lxc_t domain.

       virtd_unit_file_t

       - Set files with the virtd_unit_file_t type, if you want to treat the
       files as virtd unit content.

       Paths:
            /usr/lib/systemd/system/.*xen.*.service
            /usr/lib/systemd/system/virt.*.service
            /usr/lib/systemd/system/libvirt.*.service

       Note: File context can be temporarily modified with the chcon command.
       If you want to permanently change the file context you need to use the
       semanage fcontext command. This will modify the SELinux labeling
       database. You will need to use restorecon to apply the labels.


COMMANDS

       semanage fcontext can also be used to manipulate default file context
       mappings.

       semanage permissive can also be used to manipulate whether or not a
       process type is permissive.

       semanage module can also be used to enable/disable/install/remove
       policy modules.

       semanage port can also be used to manipulate the port definitions.

       semanage boolean can also be used to manipulate the booleans.

       system-config-selinux is a GUI tool available to customize SELinux
       policy settings.


AUTHOR

       This manual page was auto-generated using sepolicy manpage.


SEE ALSO

       selinux(8), virtd(8), semanage(8), restorecon(8), chcon(1),
       sepolicy(8), setsebool(8), virt_bridgehelper_selinux(8),
       virt_qemu_ga_selinux(8), virt_qemu_ga_unconfined_selinux(8),
       virtd_lxc_selinux(8)

virtd                              23-02-03                   virtd_selinux(8)