virtd_selinux(8)              SELinux Policy virtd             virtd_selinux(8)

NAME
virtd_selinux - Security Enhanced Linux Policy for the virtd processes

DESCRIPTION
Security-Enhanced Linux secures the virtd processes via flexible mandatory
access control.

The virtd processes execute with the virtd_t SELinux type. You can check
whether these processes are running by executing the ps command with the
-Z qualifier.

For example:

ps -eZ | grep virtd_t

ENTRYPOINTS
The virtd_t SELinux type can be entered via the virtd_exec_t file type.

The default entrypoint paths for the virtd_t domain are the following:

/usr/lib/virt-sysprep/firstboot.sh, /usr/bin/virt-who,
/usr/sbin/virtvzd, /usr/bin/imgfac.py, /usr/sbin/libvirtd,
/usr/sbin/virtlxcd, /usr/sbin/virtxend, /usr/sbin/virtqemud,
/usr/sbin/virtvboxd, /usr/sbin/virtproxyd, /usr/share/vdsm/vdsm,
/usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/virtsecretd,
/usr/sbin/virtnetworkd, /usr/sbin/virtnodedevd, /usr/sbin/virtstoraged,
/usr/bin/qemu-pr-helper, /usr/libexec/vdsm/vdsmd,
/usr/sbin/virtnwfilterd, /usr/share/vdsm/respawn,
/usr/bin/vios-proxy-host, /usr/sbin/condor_vm-gahp,
/usr/sbin/virtinterfaced, /usr/bin/vios-proxy-guest,
/usr/libexec/vdsm/respawn, /usr/libexec/qemu-pr-helper,
/usr/bin/qemu-storage-daemon, /usr/libexec/vdsm/supervdsmd,
/usr/share/vdsm/daemonAdapter, /usr/libexec/vdsm/daemonAdapter,
/usr/share/vdsm/supervdsmServer

PROCESS TYPES
SELinux defines process types (domains) for each process running on the
system.

You can see the context of a process using the -Z option to ps.

Policy governs the access confined processes have to files. SELinux
virtd policy is very flexible, allowing users to set up their virtd
processes in as secure a manner as possible.

The following process types are defined for virtd:

virtd_t, virt_bridgehelper_t, virt_qemu_ga_t, virt_qemu_ga_unconfined_t,
virtd_lxc_t

Note: semanage permissive -a virtd_t can be used to make the process
type virtd_t permissive. SELinux does not deny access to permissive
process types, but the AVC (SELinux denial) messages are still
generated.

BOOLEANS
SELinux policy is customizable based on least access required. virtd
policy is extremely flexible and has several booleans that allow you to
manipulate the policy and run virtd with the tightest access possible.

If you want to allow virtual processes to run as userdomains, you must
turn on the virt_transition_userdomain boolean. Disabled by default.

setsebool -P virt_transition_userdomain 1

If you want to dontaudit all daemons scheduling requests (setsched,
sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
Enabled by default.

setsebool -P daemons_dontaudit_scheduling 1

If you want to control the ability to mmap a low area of the address
space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
the mmap_low_allowed boolean. Disabled by default.

setsebool -P mmap_low_allowed 1

If you want to allow the system to run with NIS, you must turn on the
nis_enabled boolean. Disabled by default.

setsebool -P nis_enabled 1

If you want to disable kernel module loading, you must turn on the
secure_mode_insmod boolean. Disabled by default.

setsebool -P secure_mode_insmod 1

If you want to allow unconfined executables to make their heap memory
executable, you must turn on the selinuxuser_execheap boolean. Doing
this is a really bad idea: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Disabled by default.

setsebool -P selinuxuser_execheap 1

If you want to allow unconfined executables to make their stack
executable, you must turn on the selinuxuser_execstack boolean. This
should never, ever be necessary: it probably indicates a badly coded
executable, but could indicate an attack, and the executable should be
reported in bugzilla. Enabled by default.

setsebool -P selinuxuser_execstack 1

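The boolean defaults listed above are worth checking on a running host,
since a single setsebool -P call changes them persistently. The following
script is an added example, not part of the sepolicy-generated page: it
compares the booleans this page documents against their documented
defaults and reports every deviation. It assumes the "name --> on|off"
output layout of getsebool -a; the sample input is constructed.

```shell
#!/bin/sh
# Expected default values of the booleans documented in this man page.
# Constructed for this example from the "Enabled/Disabled by default"
# notes above; not part of the sepolicy-generated page.
VIRTD_BOOLEAN_DEFAULTS='virt_transition_userdomain off
daemons_dontaudit_scheduling on
mmap_low_allowed off
nis_enabled off
secure_mode_insmod off
selinuxuser_execheap off
selinuxuser_execstack on'

# audit_booleans: read "name --> on|off" lines (the getsebool -a output
# format) on stdin and print one "NAME expected X actual Y" line for
# every documented boolean whose current value differs from its default.
# Booleans not in the table (e.g. virt_use_nfs) are ignored.
audit_booleans() {
    awk -v defaults="$VIRTD_BOOLEAN_DEFAULTS" '
        BEGIN {
            n = split(defaults, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") == 2) want[f[1]] = f[2]
        }
        $2 == "-->" && ($1 in want) && $3 != want[$1] {
            print $1 " expected " want[$1] " actual " $3
        }
    '
}

# Constructed sample of getsebool -a output: two booleans have been
# flipped away from their defaults (mmap_low_allowed and
# selinuxuser_execheap), one unrelated boolean is present as noise.
SAMPLE_GETSEBOOL='virt_transition_userdomain --> off
daemons_dontaudit_scheduling --> on
mmap_low_allowed --> on
nis_enabled --> off
secure_mode_insmod --> off
selinuxuser_execheap --> on
selinuxuser_execstack --> on
virt_use_nfs --> off'

# Audit the live system when getsebool exists, otherwise the sample.
if command -v getsebool >/dev/null 2>&1; then
    getsebool -a | audit_booleans
else
    printf '%s\n' "$SAMPLE_GETSEBOOL" | audit_booleans
fi
```

On the sample input the script reports mmap_low_allowed and
selinuxuser_execheap, the two settings the page itself describes as
"Disabled by default"; an empty report means the host still matches the
documented defaults.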
PORT TYPES
SELinux defines port types to represent TCP and UDP ports.

You can see the types associated with a port by using the following
command:

semanage port -l

Policy governs the access confined processes have to these ports.
SELinux virtd policy is very flexible, allowing users to set up their
virtd processes in as secure a manner as possible.

The following port types are defined for virtd:

virt_migration_port_t

Default Defined Ports:
tcp 49152-49216

virt_port_t

Default Defined Ports:
tcp 16509,16514
udp 16509,16514

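A confined virtd process may only bind or connect to ports carrying one of
the port types above, so when a listener is moved to a non-default port
the first thing to establish is which type, if any, covers it. The
following function is an added example, not part of the sepolicy-generated
page: it parses the column layout of semanage port -l (type, protocol,
then a comma-separated list of single ports and lo-hi ranges) and prints
the type covering a given port. The sample listing is constructed from the
defaults documented above.

```shell
#!/bin/sh
# port_type_for PROTO PORT: read `semanage port -l` style lines on stdin
# ("type  proto  port[, port|lo-hi ...]") and print the name of every
# port type whose definition covers PORT on PROTO. Nothing printed means
# no type covers the port, so a confined daemon binding it would be
# denied by policy until an administrator assigns it with semanage port.
port_type_for() {
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            spec = ""
            for (i = 3; i <= NF; i++) spec = spec $i   # rejoin "80, 81, 443"
            n = split(spec, ranges, ",")
            for (i = 1; i <= n; i++) {
                lo = hi = ranges[i]                      # single port ...
                if (index(ranges[i], "-") > 0) {         # ... or lo-hi range
                    split(ranges[i], b, "-"); lo = b[1]; hi = b[2]
                }
                if (port + 0 >= lo + 0 && port + 0 <= hi + 0) { print $1; break }
            }
        }
    '
}

# Constructed sample in the layout of `semanage port -l`. The virt_* rows
# carry the defaults documented above; http_port_t is included to show
# that unrelated types are skipped.
SAMPLE_PORTS='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
virt_migration_port_t          tcp      49152-49216
virt_port_t                    tcp      16509, 16514
virt_port_t                    udp      16509, 16514'

# Show the coverage of a few listeners against the sample listing; on a
# live host pipe `semanage port -l` into port_type_for instead.
for spec in "tcp 16509" "tcp 49160" "udp 49160" "tcp 49300"; do
    set -- $spec
    t=$(printf '%s\n' "$SAMPLE_PORTS" | port_type_for "$1" "$2")
    printf '%s/%s -> %s\n' "$1" "$2" "${t:-NOT DEFINED}"
done
```

Against the sample, tcp/49160 resolves to virt_migration_port_t and
udp/16514 to virt_port_t, while tcp/49300 and udp/49160 resolve to nothing:
those are the cases that surface as AVC denials when a listener is
reconfigured without a matching semanage port change.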
MANAGED FILES
The SELinux process type virtd_t can manage files labeled with the
following file types. The paths listed are the default paths for these
file types. Note that the process's UID still needs to have DAC
permissions.

file_type

all files on the system

FILE CONTEXTS
SELinux requires files to have an extended attribute to define the file
type.

You can see the context of a file using the -Z option to ls.

Policy governs the access confined processes have to these files.
SELinux virtd policy is very flexible, allowing users to set up their
virtd processes in as secure a manner as possible.

STANDARD FILE CONTEXT

SELinux defines the file context types for virtd. If you want to store
files with these types in different paths, you need to execute the
semanage command to specify the alternate labeling and then use
restorecon to put the labels on disk. For example, to label everything
under /srv/virtd/content as virtd_exec_t:

semanage fcontext -a -t virtd_exec_t '/srv/virtd/content(/.*)?'
restorecon -R -v /srv/virtd/content

Note: SELinux often uses regular expressions to specify labels that
match multiple files.

The following file types are defined for virtd:

virtd_exec_t

- Set files with the virtd_exec_t type, if you want to transition an
executable to the virtd_t domain.

Paths:
/usr/lib/virt-sysprep/firstboot.sh, /usr/bin/virt-who,
/usr/sbin/virtvzd, /usr/bin/imgfac.py, /usr/sbin/libvirtd,
/usr/sbin/virtlxcd, /usr/sbin/virtxend, /usr/sbin/virtqemud,
/usr/sbin/virtvboxd, /usr/sbin/virtproxyd, /usr/share/vdsm/vdsm,
/usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/virtsecretd,
/usr/sbin/virtnetworkd, /usr/sbin/virtnodedevd,
/usr/sbin/virtstoraged, /usr/bin/qemu-pr-helper,
/usr/libexec/vdsm/vdsmd, /usr/sbin/virtnwfilterd,
/usr/share/vdsm/respawn, /usr/bin/vios-proxy-host,
/usr/sbin/condor_vm-gahp, /usr/sbin/virtinterfaced,
/usr/bin/vios-proxy-guest, /usr/libexec/vdsm/respawn,
/usr/libexec/qemu-pr-helper, /usr/bin/qemu-storage-daemon,
/usr/libexec/vdsm/supervdsmd, /usr/share/vdsm/daemonAdapter,
/usr/libexec/vdsm/daemonAdapter, /usr/share/vdsm/supervdsmServer

virtd_initrc_exec_t

- Set files with the virtd_initrc_exec_t type, if you want to
transition an executable to the virtd_initrc_t domain.

virtd_keytab_t

- Set files with the virtd_keytab_t type, if you want to treat the
files as kerberos keytab files.

virtd_lxc_exec_t

- Set files with the virtd_lxc_exec_t type, if you want to transition
an executable to the virtd_lxc_t domain.

virtd_unit_file_t

- Set files with the virtd_unit_file_t type, if you want to treat the
files as virtd unit content.

Paths:
/usr/lib/systemd/system/.*xen.*.service,
/usr/lib/systemd/system/virt.*.service,
/usr/lib/systemd/system/libvirt.*.service

Note: File context can be temporarily modified with the chcon command.
If you want to permanently change the file context you need to use the
semanage fcontext command. This will modify the SELinux labeling
database. You will need to use restorecon to apply the labels.

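Because the transition into virtd_t hinges on the entrypoint carrying the
virtd_exec_t type, a binary that was copied into place (and so kept the
label of its source directory) silently runs outside the virtd_t domain.
The following script is an added example, not part of the
sepolicy-generated page: it reads the "context path" layout printed by
ls -Z, reports every path whose type is not the expected one, and turns
the report into the restorecon calls that reset those paths to the policy
default. The ls -Z sample is constructed.

```shell
#!/bin/sh
# find_mislabeled EXPECTED_TYPE: read "context path" lines (the layout of
# `ls -Z PATH...`) on stdin and print "PATH is TYPE" for every entry whose
# SELinux type (third colon-separated field of the context) differs from
# EXPECTED_TYPE. For the virtd entrypoints, any line reported means that
# path is not labeled as a virtd_t entrypoint and will not transition.
find_mislabeled() {
    awk -v want="$1" '
        NF >= 2 {
            split($1, c, ":")                 # user:role:type:level
            if (c[3] != want) print $2 " is " c[3]
        }
    '
}

# restorecon_cmds: turn a find_mislabeled report into the restorecon
# commands that reset each listed path to its policy default label.
restorecon_cmds() {
    awk '{ print "restorecon -v " $1 }'
}

# Constructed sample of `ls -Z` output over three entrypoint paths; the
# last one was copied in from an administrator home directory and kept
# that directory's label instead of virtd_exec_t.
SAMPLE_LS_Z='system_u:object_r:virtd_exec_t:s0 /usr/sbin/libvirtd
system_u:object_r:virtd_exec_t:s0 /usr/sbin/virtqemud
unconfined_u:object_r:admin_home_t:s0 /usr/sbin/virtnwfilterd'

# Report drift and the commands that would repair it. On a live host,
# replace the sample with: ls -Z /usr/sbin/libvirtd /usr/sbin/virt*d
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled virtd_exec_t
printf '%s\n' "$SAMPLE_LS_Z" | find_mislabeled virtd_exec_t | restorecon_cmds
```

On the sample the only finding is /usr/sbin/virtnwfilterd carrying
admin_home_t, and the generated "restorecon -v /usr/sbin/virtnwfilterd"
is exactly the repair step this section describes; the two correctly
labeled binaries produce no output.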
COMMANDS
semanage fcontext can also be used to manipulate default file context
mappings.

semanage permissive can also be used to manipulate whether or not a
process type is permissive.

semanage module can also be used to enable/disable/install/remove
policy modules.

semanage port can also be used to manipulate the port definitions.

semanage boolean can also be used to manipulate the booleans.

system-config-selinux is a GUI tool available to customize SELinux
policy settings.

AUTHOR
This manual page was auto-generated using sepolicy manpage.

SEE ALSO
selinux(8), virtd(8), semanage(8), restorecon(8), chcon(1),
sepolicy(8), setsebool(8), virt_bridgehelper_selinux(8),
virt_qemu_ga_selinux(8), virt_qemu_ga_unconfined_selinux(8),
virtd_lxc_selinux(8)

virtd                              23-10-20                   virtd_selinux(8)