1svirt_selinux(8) SELinux Policy svirt svirt_selinux(8)
2
3
4
6 svirt_selinux - Security Enhanced Linux Policy for the svirt processes
7
9 Security-Enhanced Linux secures the svirt processes via flexible manda‐
10 tory access control.
11
12 The svirt processes execute with the svirt_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep svirt_t
19
20
21
23 The svirt_t SELinux type can be entered via the qemu_exec_t file type.
24
25 The default entrypoint paths for the svirt_t domain are the following:
26
27 /usr/libexec/qemu.*, /usr/bin/qemu-system-.*, /usr/bin/qemu,
28 /usr/bin/qemu-kvm
29
31 SELinux defines process types (domains) for each process running on the
32 system
33
34 You can see the context of a process using the -Z option to ps
35
36 Policy governs the access confined processes have to files. SELinux
37 svirt policy is very flexible allowing users to setup their svirt pro‐
38 cesses in as secure a method as possible.
39
40 The following process types are defined for svirt:
41
42 svirt_t, svirt_tcg_t, svirt_qemu_net_t, svirt_socket_t, svirt_kvm_net_t
43
44 Note: semanage permissive -a svirt_t can be used to make the process
45 type svirt_t permissive. SELinux does not deny access to permissive
46 process types, but the AVC (SELinux denials) messages are still gener‐
47 ated.
48
49
51 The SELinux process type svirt_t is an MCS (Multi Category Security)
52 constrained type. Sometimes this separation is referred to as sVirt.
53 These types are usually used for securing multi-tenant environments,
54 such as virtualization, containers or separation of users. The tools
55 used to launch MCS types, pick out a different MCS label for each
56 process group.
57
58 For example one process might be launched with svirt_t:s0:c1,c2, and
59 another process launched with svirt_t:s0:c3,c4. The SELinux kernel only
60 allows these processes can only write to content with a matching MCS
61 label, or a MCS Label of s0. A process running with the MCS level of
62 s0:c1,c2 is not allowed to write to content with the MCS label of
63 s0:c3,c4
64
65
67 SELinux policy is customizable based on least access required. svirt
68 policy is extremely flexible and has several booleans that allow you to
69 manipulate the policy and run svirt with the tightest access possible.
70
71
72
73 If you want to allow all domains to execute in fips_mode, you must turn
74 on the fips_mode boolean. Enabled by default.
75
76 setsebool -P fips_mode 1
77
78
79
80 If you want to allow confined virtual guests to use executable memory
81 and executable stack, you must turn on the virt_use_execmem boolean.
82 Disabled by default.
83
84 setsebool -P virt_use_execmem 1
85
86
87
88 If you want to allow confined virtual guests to interact with rawip
89 sockets, you must turn on the virt_use_rawip boolean. Disabled by de‐
90 fault.
91
92 setsebool -P virt_use_rawip 1
93
94
95
97 The SELinux process type svirt_t can manage files labeled with the fol‐
98 lowing file types. The paths listed are the default paths for these
99 file types. Note the processes UID still need to have DAC permissions.
100
101 fs_t
102
103
104 glusterd_var_run_t
105
106 /var/run/gluster(/.*)?
107 /var/run/glusterd.*
108 /var/run/glusterd.*
109 /var/run/glusterd(/.*)?
110
111 qemu_var_run_t
112
113 /var/lib/libvirt/qemu(/.*)?
114 /var/run/libvirt/qemu(/.*)?
115
116 svirt_home_t
117
118 /home/[^/]+/.libvirt/qemu(/.*)?
119 /home/[^/]+/.cache/libvirt/qemu(/.*)?
120 /home/[^/]+/.config/libvirt/qemu(/.*)?
121 /home/[^/]+/.local/share/libvirt/boot(/.*)?
122 /home/[^/]+/.local/share/libvirt/images(/.*)?
123 /home/[^/]+/.local/share/gnome-boxes/images(/.*)?
124
125 svirt_image_t
126
127
128 svirt_tmp_t
129
130
131 svirt_tmpfs_t
132
133
134 virt_cache_t
135
136 /var/cache/oz(/.*)?
137 /var/cache/libvirt(/.*)?
138
139
141 SELinux requires files to have an extended attribute to define the file
142 type.
143
144 You can see the context of a file using the -Z option to ls
145
146 Policy governs the access confined processes have to these files.
147 SELinux svirt policy is very flexible allowing users to setup their
148 svirt processes in as secure a method as possible.
149
150 STANDARD FILE CONTEXT
151
152 SELinux defines the file context types for the svirt, if you wanted to
153 store files with these types in a diffent paths, you need to execute
154 the semanage command to specify alternate labeling and then use re‐
155 storecon to put the labels on disk.
156
157 semanage fcontext -a -t svirt_home_t '/srv/mysvirt_content(/.*)?'
158 restorecon -R -v /srv/mysvirt_content
159
160 Note: SELinux often uses regular expressions to specify labels that
161 match multiple files.
162
163 The following file types are defined for svirt:
164
165
166
167 svirt_home_t
168
169 - Set files with the svirt_home_t type, if you want to store svirt
170 files in the users home directory.
171
172
173 Paths:
174 /home/[^/]+/.libvirt/qemu(/.*)?, /home/[^/]+/.cache/lib‐
175 virt/qemu(/.*)?, /home/[^/]+/.config/libvirt/qemu(/.*)?,
176 /home/[^/]+/.local/share/libvirt/boot(/.*)?, /home/[^/]+/.lo‐
177 cal/share/libvirt/images(/.*)?, /home/[^/]+/.local/share/gnome-
178 boxes/images(/.*)?
179
180
181 svirt_image_t
182
183 - Set files with the svirt_image_t type, if you want to treat the files
184 as svirt image data.
185
186
187
188 svirt_tmp_t
189
190 - Set files with the svirt_tmp_t type, if you want to store svirt tem‐
191 porary files in the /tmp directories.
192
193
194
195 svirt_tmpfs_t
196
197 - Set files with the svirt_tmpfs_t type, if you want to store svirt
198 files on a tmpfs file system.
199
200
201
202 Note: File context can be temporarily modified with the chcon command.
203 If you want to permanently change the file context you need to use the
204 semanage fcontext command. This will modify the SELinux labeling data‐
205 base. You will need to use restorecon to apply the labels.
206
207
209 semanage fcontext can also be used to manipulate default file context
210 mappings.
211
212 semanage permissive can also be used to manipulate whether or not a
213 process type is permissive.
214
215 semanage module can also be used to enable/disable/install/remove pol‐
216 icy modules.
217
218 semanage boolean can also be used to manipulate the booleans
219
220
221 system-config-selinux is a GUI tool available to customize SELinux pol‐
222 icy settings.
223
224
226 This manual page was auto-generated using sepolicy manpage .
227
228
230 selinux(8), svirt(8), semanage(8), restorecon(8), chcon(1), sepol‐
231 icy(8), setsebool(8), svirt_kvm_net_selinux(8),
232 svirt_kvm_net_selinux(8), svirt_qemu_net_selinux(8),
233 svirt_qemu_net_selinux(8), svirt_socket_selinux(8),
234 svirt_socket_selinux(8), svirt_tcg_selinux(8), svirt_tcg_selinux(8)
235
236
237
238svirt 23-02-03 svirt_selinux(8)