policy_module(qemu, 1.0.0)

########################################
#
# Declarations
#

## <desc>
##
## Allow qemu to connect fully to the network
##
## </desc>
# Defaults to off (least privilege).  Note that the tunable_policy block
# below does more than the name suggests: besides outbound TCP connects it
# also lets qemu_t bind UDP and TCP sockets on any port, i.e. act as a
# network server.
gen_tunable(qemu_full_network, false)

# Entry point type for the confined qemu domain.  The qemu_t domain itself
# is produced by qemu_domain_template(qemu), which is defined elsewhere
# (presumably qemu.if -- not visible in this file).
type qemu_exec_t;
qemu_domain_template(qemu)
# Register qemu_t as an application domain entered through qemu_exec_t.
application_domain(qemu_t, qemu_exec_t)
# Role authorization: only system_r is allowed to run in qemu_t here.
role system_r types qemu_t;
|
########################################
#
# qemu local policy
#

# Every rule in this block is conditional on the qemu_full_network boolean;
# with the default (false) the block is compiled in but inactive.
tunable_policy(`qemu_full_network',`
	allow qemu_t self:udp_socket create_socket_perms;

	# UDP: send/receive on every interface, node and port, and bind to
	# any node/port (server side as well as client side).
	corenet_udp_sendrecv_all_if(qemu_t)
	corenet_udp_sendrecv_all_nodes(qemu_t)
	corenet_udp_sendrecv_all_ports(qemu_t)
	corenet_udp_bind_all_nodes(qemu_t)
	corenet_udp_bind_all_ports(qemu_t)
	# TCP: bind (listen) on any port and connect to any port.
	# NOTE(review): no tcp_socket create or tcp sendrecv rules appear
	# here; presumably qemu_domain_template supplies them -- confirm
	# before assuming TCP actually works with only these two lines.
	corenet_tcp_bind_all_ports(qemu_t)
	corenet_tcp_connect_all_ports(qemu_t)
')
|
########################################
#
# qemu_unconfined local policy
#

# optional_policy: this block is only built when the modules it depends on
# (the unconfined module providing unconfined_domain_noaudit) are present.
optional_policy(`
	# Fully unconfined variant of the qemu domain.  No exec type or entry
	# point is declared here, so the way a process reaches this domain
	# must be defined elsewhere (presumably in qemu.if -- confirm).
	type qemu_unconfined_t;
	domain_type(qemu_unconfined_t)
	# The _noaudit form of the unconfined interface; presumably it
	# suppresses auditing of what it grants (see unconfined.if), so expect
	# little or no AVC evidence from this domain when reviewing logs.
	unconfined_domain_noaudit(qemu_unconfined_t)

	# Executable stack and anonymous executable memory.  These are granted
	# explicitly, so the unconfined interface above evidently does not
	# imply them; presumably needed for qemu's runtime code generation --
	# confirm.
	allow qemu_unconfined_t self:process { execstack execmem };
')