1svirt_tcg_selinux(8)       SELinux Policy svirt_tcg       svirt_tcg_selinux(8)
2
3
4

NAME

6       svirt_tcg_selinux  -  Security  Enhanced Linux Policy for the svirt_tcg
7       processes
8

DESCRIPTION

10       Security-Enhanced Linux secures the svirt_tcg  processes  via  flexible
11       mandatory access control.
12
13       The  svirt_tcg processes execute with the svirt_tcg_t SELinux type. You
14       can check if you have these processes running by executing the ps  com‐
15       mand with the -Z qualifier.
16
17       For example:
18
19       ps -eZ | grep svirt_tcg_t
20
21
22

ENTRYPOINTS

24       The  svirt_tcg_t  SELinux  type can be entered via the qemu_exec_t file
25       type.
26
27       The default entrypoint paths for the svirt_tcg_t domain are the follow‐
28       ing:
29
30       /usr/libexec/qemu.*,       /usr/bin/qemu-system-.*,      /usr/bin/qemu,
31       /usr/bin/qemu-kvm
32

PROCESS TYPES

34       SELinux defines process types (domains) for each process running on the
35       system
36
37       You can see the context of a process using the -Z option to ps
38
39       Policy  governs  the  access confined processes have to files.  SELinux
40       svirt_tcg policy  is  very  flexible  allowing  users  to  setup  their
41       svirt_tcg processes in as secure a method as possible.
42
43       The following process types are defined for svirt_tcg:
44
45       svirt_tcg_t
46
47       Note:  semanage  permissive  -a  svirt_tcg_t  can  be  used to make the
48       process type svirt_tcg_t permissive. SELinux does not  deny  access  to
49       permissive  process  types,  but the AVC (SELinux denials) messages are
50       still generated.
51
52

MCS Constrained

54       The SELinux process type svirt_tcg_t is an MCS  (Multi  Category  Secu‐
55       rity)  constrained  type.   Sometimes this separation is referred to as
56       sVirt. These types are usually used for securing multi-tenant  environ‐
57       ments,  such as virtualization, containers or separation of users.  The
58       tools used to launch MCS types, pick out a different MCS label for each
59       process group.
60
61       For  example  one  process might be launched with svirt_tcg_t:s0:c1,c2,
62       and another process launched  with  svirt_tcg_t:s0:c3,c4.  The  SELinux
63       kernel  only  allows  these  processes can only write to content with a
64       matching MCS label, or a MCS Label of s0. A process  running  with  the
65       MCS  level  of s0:c1,c2 is not allowed to write to content with the MCS
66       label of s0:c3,c4
67
68

BOOLEANS

70       SELinux  policy  is  customizable  based  on  least  access   required.
71       svirt_tcg  policy  is  extremely flexible and has several booleans that
72       allow you to manipulate the policy and run svirt_tcg with the  tightest
73       access possible.
74
75
76
77       If you want to allow all domains to execute in fips_mode, you must turn
78       on the fips_mode boolean. Enabled by default.
79
80       setsebool -P fips_mode 1
81
82
83
84       If you want to allow confined virtual guests  to  interact  with  rawip
85       sockets,  you  must turn on the virt_use_rawip boolean. Disabled by de‐
86       fault.
87
88       setsebool -P virt_use_rawip 1
89
90
91

MANAGED FILES

93       The SELinux process type svirt_tcg_t can manage files labeled with  the
94       following file types.  The paths listed are the default paths for these
95       file types.  Note the processes UID still need to have DAC permissions.
96
97       fs_t
98
99
100       glusterd_var_run_t
101
102            /var/run/gluster(/.*)?
103            /var/run/glusterd.*
104            /var/run/glusterd.*
105            /var/run/glusterd(/.*)?
106
107       qemu_var_run_t
108
109            /var/lib/libvirt/qemu(/.*)?
110            /var/run/libvirt/qemu(/.*)?
111
112       svirt_home_t
113
114            /home/[^/]+/.libvirt/qemu(/.*)?
115            /home/[^/]+/.cache/libvirt/qemu(/.*)?
116            /home/[^/]+/.config/libvirt/qemu(/.*)?
117            /home/[^/]+/.local/share/libvirt/boot(/.*)?
118            /home/[^/]+/.local/share/libvirt/images(/.*)?
119            /home/[^/]+/.local/share/gnome-boxes/images(/.*)?
120
121       svirt_image_t
122
123
124       svirt_tmp_t
125
126
127       svirt_tmpfs_t
128
129
130       virt_cache_t
131
132            /var/cache/oz(/.*)?
133            /var/cache/libvirt(/.*)?
134
135

COMMANDS

137       semanage fcontext can also be used to manipulate default  file  context
138       mappings.
139
140       semanage  permissive  can  also  be used to manipulate whether or not a
141       process type is permissive.
142
143       semanage module can also be used to enable/disable/install/remove  pol‐
144       icy modules.
145
146       semanage boolean can also be used to manipulate the booleans
147
148
149       system-config-selinux is a GUI tool available to customize SELinux pol‐
150       icy settings.
151
152

AUTHOR

154       This manual page was auto-generated using sepolicy manpage .
155
156

SEE ALSO

158       selinux(8), svirt_tcg(8), semanage(8), restorecon(8), chcon(1),  sepol‐
159       icy(8), setsebool(8)
160
161
162
163svirt_tcg                          23-02-03               svirt_tcg_selinux(8)
Impressum