LIBVIRT-SECURITY(7)03 entries
Security
SELinux, AppArmor, sVirt, and the policy knobs that commonly block guests.
- 01AppArmor and the sVirt isolation modelman
AppArmor and SELinux solve a similar problem for libvirt: they confine the hypervisor and protect guest resources with mandatory access control. sVirt is the broader model that binds guest execution to labeled or profile
- 02Libvirt access control and privilege boundariesman
Control of the system libvirt URI is close to root equivalent on many hosts. An authorized user can often define devices, attach host paths, alter networks, or influence privileged QEMU execution. Map the boundary Apply
- 03SELinux, virtd_t, and common denialsman
On SELinux enabled hosts, libvirt daemons run in controlled domains such as virtd t. Guest resources often carry svirt labels so the hypervisor can touch only what the policy allows. Why this breaks guest startup The gue