Libvirt virtualization API
Default: | Description: |
---|---|
false | Allow virt daemons to run unconfined hooks |
false | Allow virtlockd to read and lock block devices. |
false | Allow sandbox containers to share apache content |
true | Allow sandbox containers to use all capabilities |
true | Allow sandbox containers to send audit messages |
false | Allow sandbox containers to manage fuse files |
false | Allow sandbox containers to use mknod system calls |
false | Allow sandbox containers to use netlink system calls |
false | Allow sandbox containers to use sys_admin system calls, for example mount |
false | Allow virtual processes to run as userdomains |
false | Allow confined virtual guests to use serial/parallel communication ports |
false | Allow confined virtual guests to use executable memory and executable stack |
false | Allow confined virtual guests to read fuse files |
false | Allow confined virtual guests to use glusterd |
false | Allow confined virtual guests to manage nfs files |
false | Allow confined virtual guests to use smartcards |
false | Allow confined virtual guests to use pulseaudio |
false | Allow confined virtual guests to interact with rawip sockets |
false | Allow confined virtual guests to manage cifs files |
false | Allow confined virtual guests to interact with the sanlock |
true | Allow confined virtual guests to use usb devices |
false | Allow confined virtual guests to interact with the xserver |
true | Allow virtqemu driver to use executable memory and executable stack |
Make the specified type usable as a svirt file type
Parameter: | Description: |
---|---|
type | Type to be used as a svirt file type |
All of the rules required to administer a virt environment
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
role | Role allowed access. |
Allow the specified domain to append virt log files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to attach to virt sandbox TUN devices
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to attach to virt TUN devices
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow the specified domain to create virt log files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create qemu PID files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send and receive messages from virt over dbus.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send and receive messages from virt-dbus over dbus.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Getattr on virt executable.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Send to libvirt with a unix dgram socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute a domain transition to run virt.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Dontaudit attempts to read virt_image_type devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Dontaudit inherited reads of virt lib files.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Dontaudit reading the process state (/proc/pid) of libvirt
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Do not audit attempts to write virt daemon unnamed pipes.
Parameter: | Description: |
---|---|
domain | Domain to not audit. |
Execute virtd in the caller domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute Sandbox Files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute virsh in the caller domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Make the specified type usable as a virt file type
Parameter: | Description: |
---|---|
type | Type to be used as a virt file type |
Create .virt directory in the user home directory with a correct label.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Transition to virt named content
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to manage virt image files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Getattr on virt executable.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Allow domain to getattr virt image directories
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Getattr Sandbox File systems
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Make the specified type usable as a virt image
Parameter: | Description: |
---|---|
type | Type to be used as a virtual image |
Send a sigkill to virtd daemon.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a sigkill to virtual machines
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
List Sandbox Dirs
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete svirt cache files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage virt config files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to manage virt image files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage virt home files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to manage virt image files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create, read, write, and delete virt lib files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to manage virt log files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage virt pid directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage virt pid files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage virt pid sock files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage qemu PID socket files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage Sandbox Files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to manage virt tmpfs files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Mounton Sandbox Files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to svirt_image devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Create objects in the pid directory with a private type with a type transition.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
file | Type to which the created node will be transitioned. |
class | Object class(es) (single or set including {}) for which the transition will occur. |
name | The name of the object being created. |
Allow caller domain to run bpftool.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Ptrace the svirt domain
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Allow domain to read virt blk image files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read virt config files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to manage virt image files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to read virt image files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read virt lib files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow the specified domain to read virt's log files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read virt PID files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read virt PID symlinks.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read qemu PID files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read Sandbox Files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to read virt tmpfs files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Relabel Sandbox File systems
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to svirt_image devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to read/write virt image chr files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to apmd unix stream sockets.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to virt_domain unix stream sockets.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow the specified domain to read and write to virtqemud unix stream sockets.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to svirt_image devices.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read and write to svirt_image files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Execute a file in a sandbox directory in the specified domain. This allows the specified domain to execute any file on these filesystems in the specified domain.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
target_domain | The type of the new process. |
Allow any svirt_file_type to be an entrypoint of this domain
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Read the process state of virt sandbox containers
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to search virt image directories
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Search virt lib directories.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a signal to virtd daemon.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a signal to sandbox domains
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send a signal to virtual machines
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Send null signal to virtd daemon.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Connect to virt over a unix domain stream socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Connect to lxc process over a unix domain stream socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Connect to virt over a unix domain stream socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Connect to svirt process over a unix domain stream socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
container_file_t stub interface. No access allowed.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
virtd_lxc_t stub interface. No access allowed.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
svirt_sandbox_domain attribute stub interface. No access allowed.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
container_file_t and container_ro_file_t stub interface. No access allowed.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage svirt home files, dirs and sock files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Manage svirt tmp files, dirs and sock files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Write svirt tmp files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Make the specified type usable as a virt system domain
Parameter: | Description: |
---|---|
type | Type to be used as a virt system domain |
Execute virt server in the virt domain.
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Execute qemu in the svirt domain, and allow the specified role access to the svirt domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
role | The role to be allowed the sandbox domain. |
Execute qemu in the svirt domain, and allow the specified role access to the svirt domain.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
role | The role to be allowed the sandbox domain. |
Allow the specified domain to ioctl virtqemud over a unix domain stream socket.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow domain to write virt image files
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Allow the specified domain to write virt log files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Write qemu PID files.
Parameter: | Description: |
---|---|
domain | Domain allowed access. |
Get virtd service status
Parameter: | Description: |
---|---|
domain | Domain allowed to transition. |
Creates types and rules for a basic qemu process domain.
Parameter: | Description: |
---|---|
prefix | Prefix for the domain. |
Creates types and rules for a basic virt driver domain.
Parameter: | Description: |
---|---|
prefix | Prefix for the domain. |
Make the specified type usable as a lxc domain
Parameter: | Description: |
---|---|
type | Type to be used as a lxc domain |
Creates types and rules for a basic virt_lxc process domain.
Parameter: | Description: |
---|---|
prefix | Prefix for the domain. |
Make the specified type usable as a lxc network domain
Parameter: | Description: |
---|---|
type | Type to be used as a lxc network domain |