4.3. sVirt Configuration
SELinux Booleans are variables that can be toggled on or off, quickly enabling or disabling features or other special conditions. Booleans can be toggled by running either
setsebool boolean_name {on|off} for a temporary change, or setsebool -P boolean_name {on|off} to make the change persistent across reboots.
The following table shows the SELinux Boolean values that affect KVM when launched by libvirt. The current state of these booleans (on or off) can be found by running the command
getsebool -a|grep virt.
| SELinux Boolean | Description |
|---|---|
| staff_use_svirt | Allow staff user to create and transition to sVirt domains. |
| unprivuser_use_svirt | Allow unprivileged user to create and transition to sVirt domains. |
| virt_sandbox_use_audit | Allow sandbox containers to send audit messages. |
| virt_sandbox_use_netlink | Allow sandbox containers to use netlink system calls. |
| virt_sandbox_use_sys_admin | Allow sandbox containers to use sys_admin system calls, such as mount. |
| virt_transition_userdomain | Allow virtual processes to run as user domains. |
| virt_use_comm | Allow virt to use serial/parallel communication ports. |
| virt_use_execmem | Allow confined virtual guests to use executable memory and executable stack. |
| virt_use_fusefs | Allow virt to read FUSE mounted files. |
| virt_use_nfs | Allow virt to manage NFS mounted files. |
| virt_use_rawip | Allow virt to interact with rawip sockets. |
| virt_use_samba | Allow virt to manage CIFS mounted files. |
| virt_use_sanlock | Allow confined virtual guests to interact with the sanlock. |
| virt_use_usb | Allow virt to use USB devices. |
| virt_use_xserver | Allow virtual machine to interact with the X Window System. |
Note
For more information on SELinux Booleans, refer to Red Hat Enterprise Linux Security Enhanced Linux.
