1virtd_selinux(8) SELinux Policy virtd virtd_selinux(8)
2
3
4
6 virtd_selinux - Security Enhanced Linux Policy for the virtd processes
7
9 Security-Enhanced Linux secures the virtd processes via flexible manda‐
10 tory access control.
11
12 The virtd processes execute with the virtd_t SELinux type. You can
13 check if you have these processes running by executing the ps command
14 with the -Z qualifier.
15
16 For example:
17
18 ps -eZ | grep virtd_t
19
20
21
23 The virtd_t SELinux type can be entered via the virtd_exec_t file type.
24
25 The default entrypoint paths for the virtd_t domain are the following:
26
27 /usr/lib/virt-sysprep/firstboot.sh, /usr/bin/virt-who,
28 /usr/sbin/virtvzd, /usr/bin/imgfac.py, /usr/sbin/libvirtd,
29 /usr/sbin/virtlxcd, /usr/sbin/virtxend, /usr/sbin/virtqemud,
30 /usr/sbin/virtvboxd, /usr/sbin/virtproxyd, /usr/share/vdsm/vdsm,
31 /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/virtsecretd,
32 /usr/sbin/virtnetworkd, /usr/sbin/virtnodedevd, /usr/sbin/virtstoraged,
33 /usr/bin/qemu-pr-helper, /usr/libexec/vdsm/vdsmd, /usr/sbin/virtnwfil‐
34 terd, /usr/share/vdsm/respawn, /usr/bin/vios-proxy-host, /usr/sbin/con‐
35 dor_vm-gahp, /usr/sbin/virtinterfaced, /usr/bin/vios-proxy-guest,
36 /usr/libexec/vdsm/respawn, /usr/libexec/qemu-pr-helper, /usr/bin/qemu-
37 storage-daemon, /usr/libexec/vdsm/supervdsmd, /usr/share/vdsm/daemon‐
38 Adapter, /usr/libexec/vdsm/daemonAdapter, /usr/share/vdsm/supervdsm‐
39 Server
40
42 SELinux defines process types (domains) for each process running on the
43 system
44
45 You can see the context of a process using the -Z option to ps
46
47 Policy governs the access confined processes have to files. SELinux
48 virtd policy is very flexible allowing users to setup their virtd pro‐
49 cesses in as secure a method as possible.
50
51 The following process types are defined for virtd:
52
53 virtd_t, virt_bridgehelper_t, virt_qemu_ga_t, virt_qemu_ga_unconfined_t, virtd_lxc_t
54
55 Note: semanage permissive -a virtd_t can be used to make the process
56 type virtd_t permissive. SELinux does not deny access to permissive
57 process types, but the AVC (SELinux denials) messages are still gener‐
58 ated.
59
60
62 SELinux policy is customizable based on least access required. virtd
63 policy is extremely flexible and has several booleans that allow you to
64 manipulate the policy and run virtd with the tightest access possible.
65
66
67
68 If you want to allow virtual processes to run as userdomains, you must
69 turn on the virt_transition_userdomain boolean. Disabled by default.
70
71 setsebool -P virt_transition_userdomain 1
72
73
74
75 If you want to dontaudit all daemons scheduling requests (setsched,
76 sys_nice), you must turn on the daemons_dontaudit_scheduling boolean.
77 Enabled by default.
78
79 setsebool -P daemons_dontaudit_scheduling 1
80
81
82
83 If you want to control the ability to mmap a low area of the address
84 space, as configured by /proc/sys/vm/mmap_min_addr, you must turn on
85 the mmap_low_allowed boolean. Disabled by default.
86
87 setsebool -P mmap_low_allowed 1
88
89
90
91 If you want to allow system to run with NIS, you must turn on the
92 nis_enabled boolean. Disabled by default.
93
94 setsebool -P nis_enabled 1
95
96
97
98 If you want to disable kernel module loading, you must turn on the se‐
99 cure_mode_insmod boolean. Disabled by default.
100
101 setsebool -P secure_mode_insmod 1
102
103
104
105 If you want to allow unconfined executables to make their heap memory
106 executable. Doing this is a really bad idea. Probably indicates a
107 badly coded executable, but could indicate an attack. This executable
108 should be reported in bugzilla, you must turn on the selinuxuser_ex‐
109 echeap boolean. Disabled by default.
110
111 setsebool -P selinuxuser_execheap 1
112
113
114
115 If you want to allow unconfined executables to make their stack exe‐
116 cutable. This should never, ever be necessary. Probably indicates a
117 badly coded executable, but could indicate an attack. This executable
118 should be reported in bugzilla, you must turn on the selinuxuser_exec‐
119 stack boolean. Enabled by default.
120
121 setsebool -P selinuxuser_execstack 1
122
123
124
126 SELinux defines port types to represent TCP and UDP ports.
127
128 You can see the types associated with a port by using the following
129 command:
130
131 semanage port -l
132
133
134 Policy governs the access confined processes have to these ports.
135 SELinux virtd policy is very flexible allowing users to setup their
136 virtd processes in as secure a method as possible.
137
138 The following port types are defined for virtd:
139
140
141 virt_migration_port_t
142
143
144
145 Default Defined Ports:
146 tcp 49152-49216
147
148
149 virt_port_t
150
151
152
153 Default Defined Ports:
154 tcp 16509,16514
155 udp 16509,16514
156
158 The SELinux process type virtd_t can manage files labeled with the fol‐
159 lowing file types. The paths listed are the default paths for these
160 file types. Note the processes UID still need to have DAC permissions.
161
162 file_type
163
164 all files on the system
165
166
168 SELinux requires files to have an extended attribute to define the file
169 type.
170
171 You can see the context of a file using the -Z option to ls
172
173 Policy governs the access confined processes have to these files.
174 SELinux virtd policy is very flexible allowing users to setup their
175 virtd processes in as secure a method as possible.
176
177 STANDARD FILE CONTEXT
178
179 SELinux defines the file context types for the virtd, if you wanted to
180 store files with these types in a different paths, you need to execute
181 the semanage command to specify alternate labeling and then use re‐
182 storecon to put the labels on disk.
183
184 semanage fcontext -a -t virtd_exec_t '/srv/virtd/content(/.*)?'
185 restorecon -R -v /srv/myvirtd_content
186
187 Note: SELinux often uses regular expressions to specify labels that
188 match multiple files.
189
190 The following file types are defined for virtd:
191
192
193
194 virtd_exec_t
195
196 - Set files with the virtd_exec_t type, if you want to transition an
197 executable to the virtd_t domain.
198
199
200 Paths:
201 /usr/lib/virt-sysprep/firstboot.sh, /usr/bin/virt-who,
202 /usr/sbin/virtvzd, /usr/bin/imgfac.py, /usr/sbin/libvirtd,
203 /usr/sbin/virtlxcd, /usr/sbin/virtxend, /usr/sbin/virtqemud,
204 /usr/sbin/virtvboxd, /usr/sbin/virtproxyd, /usr/share/vdsm/vdsm,
205 /usr/bin/imagefactory, /usr/bin/nova-compute, /usr/sbin/virtse‐
206 cretd, /usr/sbin/virtnetworkd, /usr/sbin/virtnodedevd,
207 /usr/sbin/virtstoraged, /usr/bin/qemu-pr-helper,
208 /usr/libexec/vdsm/vdsmd, /usr/sbin/virtnwfilterd,
209 /usr/share/vdsm/respawn, /usr/bin/vios-proxy-host, /usr/sbin/con‐
210 dor_vm-gahp, /usr/sbin/virtinterfaced, /usr/bin/vios-proxy-guest,
211 /usr/libexec/vdsm/respawn, /usr/libexec/qemu-pr-helper,
212 /usr/bin/qemu-storage-daemon, /usr/libexec/vdsm/supervdsmd,
213 /usr/share/vdsm/daemonAdapter, /usr/libexec/vdsm/daemonAdapter,
214 /usr/share/vdsm/supervdsmServer
215
216
217 virtd_initrc_exec_t
218
219 - Set files with the virtd_initrc_exec_t type, if you want to transi‐
220 tion an executable to the virtd_initrc_t domain.
221
222
223
224 virtd_keytab_t
225
226 - Set files with the virtd_keytab_t type, if you want to treat the
227 files as kerberos keytab files.
228
229
230
231 virtd_lxc_exec_t
232
233 - Set files with the virtd_lxc_exec_t type, if you want to transition
234 an executable to the virtd_lxc_t domain.
235
236
237
238 virtd_unit_file_t
239
240 - Set files with the virtd_unit_file_t type, if you want to treat the
241 files as virtd unit content.
242
243
244 Paths:
245 /usr/lib/systemd/system/.*xen.*.service, /usr/lib/systemd/sys‐
246 tem/virt.*.service, /usr/lib/systemd/system/libvirt.*.service
247
248
249 Note: File context can be temporarily modified with the chcon command.
250 If you want to permanently change the file context you need to use the
251 semanage fcontext command. This will modify the SELinux labeling data‐
252 base. You will need to use restorecon to apply the labels.
253
254
256 semanage fcontext can also be used to manipulate default file context
257 mappings.
258
259 semanage permissive can also be used to manipulate whether or not a
260 process type is permissive.
261
262 semanage module can also be used to enable/disable/install/remove pol‐
263 icy modules.
264
265 semanage port can also be used to manipulate the port definitions
266
267 semanage boolean can also be used to manipulate the booleans
268
269
270 system-config-selinux is a GUI tool available to customize SELinux pol‐
271 icy settings.
272
273
275 This manual page was auto-generated using sepolicy manpage .
276
277
279 selinux(8), virtd(8), semanage(8), restorecon(8), chcon(1), sepol‐
280 icy(8), setsebool(8), virt_bridgehelper_selinux(8),
281 virt_qemu_ga_selinux(8), virt_qemu_ga_unconfined_selinux(8),
282 virtd_lxc_selinux(8)
283
284
285
286virtd 23-12-15 virtd_selinux(8)