1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
policy_module(qemu, 1.7.1)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow qemu to connect fully to the network
## </p>
## </desc>
gen_tunable(qemu_full_network, false)
## <desc>
## <p>
## Allow qemu to use cifs/Samba file systems
## </p>
## </desc>
gen_tunable(qemu_use_cifs, false)
## <desc>
## <p>
## Allow qemu to use serial/parallel communication ports
## </p>
## </desc>
gen_tunable(qemu_use_comm, false)
## <desc>
## <p>
## Allow qemu to use nfs file systems
## </p>
## </desc>
gen_tunable(qemu_use_nfs, false)
## <desc>
## <p>
## Allow qemu to use usb devices
## </p>
## </desc>
gen_tunable(qemu_use_usb, false)
type qemu_exec_t;
virt_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;
########################################
#
# qemu local policy
#
can_exec(qemu_t, qemu_exec_t)
storage_raw_write_removable_device(qemu_t)
storage_raw_read_removable_device(qemu_t)
userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
corenet_udp_bind_generic_node(qemu_t)
corenet_udp_bind_all_ports(qemu_t)
corenet_tcp_bind_all_ports(qemu_t)
corenet_tcp_connect_all_ports(qemu_t)
')
tunable_policy(`qemu_use_cifs',`
fs_manage_cifs_dirs(qemu_t)
fs_manage_cifs_files(qemu_t)
')
tunable_policy(`qemu_use_comm',`
term_use_unallocated_ttys(qemu_t)
dev_rw_printer(qemu_t)
')
tunable_policy(`qemu_use_nfs',`
fs_manage_nfs_dirs(qemu_t)
fs_manage_nfs_files(qemu_t)
')
tunable_policy(`qemu_use_usb',`
dev_rw_usbfs(qemu_t)
fs_manage_dos_dirs(qemu_t)
fs_manage_dos_files(qemu_t)
')
optional_policy(`
dbus_read_lib_files(qemu_t)
')
optional_policy(`
pulseaudio_manage_home_files(qemu_t)
pulseaudio_stream_connect(qemu_t)
')
optional_policy(`
vde_connect(qemu_t)
')
optional_policy(`
virt_manage_images(qemu_t)
virt_append_log(qemu_t)
')
optional_policy(`
xen_rw_image_files(qemu_t)
')
optional_policy(`
xserver_read_xdm_pid(qemu_t)
xserver_stream_connect(qemu_t)
')
########################################
#
# Unconfined qemu local policy
#
optional_policy(`
type unconfined_qemu_t;
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
unconfined_domain(unconfined_qemu_t)
allow unconfined_qemu_t self:process { execstack execmem };
allow unconfined_qemu_t qemu_exec_t:file execmod;
')
|
GitWeb