policy_module(qemu, 1.4.1)
########################################
#
# Declarations
#
## <desc>
##
## Allow qemu to connect fully to the network
##
## </desc>
gen_tunable(qemu_full_network, false)
# Off by default. When enabled, the qemu_full_network tunable_policy block below lets qemu_t create UDP sockets and bind/connect on all ports, interfaces and nodes, so it should stay off unless guests need unrestricted host networking.
## <desc>
##
## Allow qemu to use cifs/Samba file systems
##
## </desc>
gen_tunable(qemu_use_cifs, true)
# On by default. Grants qemu_t manage access to all CIFS-backed dirs and files (fs_manage_cifs_dirs/fs_manage_cifs_files in the block below); disable on hosts that do not keep guest images on CIFS shares.
## <desc>
##
## Allow qemu to use serial/parallel communication ports
##
## </desc>
gen_tunable(qemu_use_comm, false)
# Off by default. The matching block grants qemu_t use of unallocated ttys and read/write access to printer devices (term_use_unallocated_ttys, dev_rw_printer).
## <desc>
##
## Allow qemu to use nfs file systems
##
## </desc>
gen_tunable(qemu_use_nfs, true)
# On by default. Grants qemu_t manage access to all NFS-backed dirs and files (fs_manage_nfs_dirs/fs_manage_nfs_files in the block below); disable on hosts that do not keep guest images on NFS.
## <desc>
##
## Allow qemu to use usb devices
##
## </desc>
gen_tunable(qemu_use_usb, true)
# On by default. Besides usbfs access (dev_rw_usbfs) the matching block also grants manage access to DOS file systems (fs_manage_dos_dirs/fs_manage_dos_files), which is broader than the description above suggests.
type qemu_exec_t;
virt_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;
########################################
#
# qemu local policy
#
storage_raw_write_removable_device(qemu_t)
storage_raw_read_removable_device(qemu_t)
userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_all_if(qemu_t)
corenet_udp_sendrecv_all_nodes(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
corenet_udp_bind_all_nodes(qemu_t)
corenet_udp_bind_all_ports(qemu_t)
corenet_tcp_bind_all_ports(qemu_t)
corenet_tcp_connect_all_ports(qemu_t)
')
tunable_policy(`qemu_use_cifs',`
fs_manage_cifs_dirs(qemu_t)
fs_manage_cifs_files(qemu_t)
')
tunable_policy(`qemu_use_comm',`
term_use_unallocated_ttys(qemu_t)
dev_rw_printer(qemu_t)
')
tunable_policy(`qemu_use_nfs',`
fs_manage_nfs_dirs(qemu_t)
fs_manage_nfs_files(qemu_t)
')
tunable_policy(`qemu_use_usb',`
dev_rw_usbfs(qemu_t)
fs_manage_dos_dirs(qemu_t)
fs_manage_dos_files(qemu_t)
')
optional_policy(`
samba_domtrans_smbd(qemu_t)
')
optional_policy(`
virt_manage_images(qemu_t)
virt_append_log(qemu_t)
')
optional_policy(`
xen_rw_image_files(qemu_t)
')
optional_policy(`
# NOTE(review): this optional_policy block repeats the xen_rw_image_files(qemu_t) block immediately above; the duplicate is harmless to the compiled policy but one copy can be dropped.
xen_rw_image_files(qemu_t)
')
########################################
#
# Unconfined qemu local policy
#
optional_policy(`
type unconfined_qemu_t;
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
unconfined_domain(unconfined_qemu_t)
userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t)
userdom_unpriv_usertype(unconfined, unconfined_qemu_t)
# The unconfined variant is explicitly given executable stack and anonymous executable memory; the confined qemu_t is not granted these by any rule visible in this file.
allow unconfined_qemu_t self:process { execstack execmem };
# execmod on the qemu executable itself (typically needed for text relocations); granted only to the unconfined domain here.
allow unconfined_qemu_t qemu_exec_t:file execmod;
')