Content-type: text/html Manpage of virtd_selinux

virtd_selinux

Section: virtd SELinux Policy documentation (8)
Updated: virtd
Index Return to Main Contents
 

NAME

virtd_selinux - Security Enhanced Linux Policy for the virtd processes  

DESCRIPTION

Security-Enhanced Linux secures the virtd processes via flexible mandatory access control.

 

BOOLEANS

SELinux policy is customizable based on least access required. virtd policy is extremely flexible and has several booleans that allow you to manipulate the policy and run virtd with the tightest access possible.

If you want to allow staff user to create and transition to svirt domains, you must turn on the staff_use_svirt boolean.

setsebool -P staff_use_svirt 1

If you want to allow confined virtual guests to manage nfs files, you must turn on the virt_use_nfs boolean.

setsebool -P virt_use_nfs 1

If you want to allow confined virtual guests to use serial/parallel communication ports, you must turn on the virt_use_comm boolean.

setsebool -P virt_use_comm 1

If you want to allow confined virtual guests to interact with the xserver, you must turn on the virt_use_xserver boolean.

setsebool -P virt_use_xserver 1

If you want to allow confined virtual guests to manage device configuration, (pci), you must turn on the virt_use_sysfs boolean.

setsebool -P virt_use_sysfs 1

If you want to allow unprivledged user to create and transition to svirt domains, you must turn on the unprivuser_use_svirt boolean.

setsebool -P unprivuser_use_svirt 1

If you want to allow confined virtual guests to interact with the sanlock, you must turn on the virt_use_sanlock boolean.

setsebool -P virt_use_sanlock 1

If you want to allow confined virtual guests to use executable memory and executable stack, you must turn on the virt_use_execmem boolean.

setsebool -P virt_use_execmem 1

If you want to allow confined virtual guests to read fuse files, you must turn on the virt_use_fusefs boolean.

setsebool -P virt_use_fusefs 1

If you want to allow confined virtual guests to use usb devices, you must turn on the virt_use_usb boolean.

setsebool -P virt_use_usb 1

If you want to allow confined virtual guests to manage cifs files, you must turn on the virt_use_samba boolean.

setsebool -P virt_use_samba 1

 

NSSWITCH DOMAIN

If you want to allow users to resolve user passwd entries directly from ldap rather then using a sssd serve for the virtd_t, virtd_lxc_t, you must turn on the authlogin_nsswitch_use_ldap boolean.

setsebool -P authlogin_nsswitch_use_ldap 1

If you want to allow confined applications to run with kerberos for the virtd_t, virtd_lxc_t, you must turn on the kerberos_enabled boolean.

setsebool -P kerberos_enabled 1

 

FILE CONTEXTS

SELinux requires files to have an extended attribute to define the file type.

You can see the context of a file using the -Z option to lsP Policy governs the access confined processes have to these files. SELinux virtd policy is very flexible allowing users to setup their virtd processes in as secure a method as possible.

The following file types are defined for virtd:

virtd_exec_t

- Set files with the virtd_exec_t type, if you want to transition an executable to the virtd_t domain.


Paths:
/usr/sbin/condor_vm-gahp, /usr/bin/imagefactory, /usr/bin/vios-proxy-host, /usr/bin/imgfac.py, /usr/bin/vios-proxy-guest, /usr/bin/nova-compute, /usr/sbin/libvirtd

virtd_initrc_exec_t

- Set files with the virtd_initrc_exec_t type, if you want to transition an executable to the virtd_initrc_t domain.

virtd_keytab_t

- Set files with the virtd_keytab_t type, if you want to treat the files as kerberos keytab files.

virtd_lxc_exec_t

- Set files with the virtd_lxc_exec_t type, if you want to transition an executable to the virtd_lxc_t domain.

Note: File context can be temporarily modified with the chcon command.

 

Index

NAME
DESCRIPTION
BOOLEANS
NSSWITCH DOMAIN
FILE CONTEXTS
This document was created by man2html, using the manual pages.
Time: 19:36:06 GMT, September 30, 2012