From a75a591e52eb3587d87b39f4f7ad418f3a8c3ffb Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com>
Date: Sep 08 2010 19:05:08 +0000
Subject: Allow virt_domains to exec qumu_exec_t, add boolean to allow svirt_t to connect to x


---

diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index 95bb89d..8d8d961 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -157,6 +157,24 @@ interface(`qemu_domtrans',`
 
 ########################################
 ## <summary>
+##	Execute a qemu in the callers domain
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_exec',`
+	gen_require(`
+		type qemu_exec_t;
+	')
+
+	can_exec($1, qemu_exec_t)
+')
+
+########################################
+## <summary>
 ##	Execute qemu in the qemu domain.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 8f0fac9..5a77c23 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -43,6 +43,13 @@ gen_tunable(virt_use_sysfs, false)
 
 ## <desc>
 ## <p>
+## Allow virtual machine to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
+## <desc>
+## <p>
 ## Allow virt to use usb devices
 ## </p>
 ## </desc>
@@ -178,6 +185,12 @@ tunable_policy(`virt_use_usb',`
 ')
 
 optional_policy(`
+	tunable_policy(`virt_use_xserver',`
+		xserver_stream_connect(svirt_t)
+	')
+')
+
+optional_policy(`
 	xen_rw_image_files(svirt_t)
 ')
 
@@ -426,6 +439,7 @@ optional_policy(`
 	qemu_kill(virtd_t)
 	qemu_setsched(virtd_t)
 	qemu_entry_type(virt_domain)
+	qemu_exec(virt_domain)
 ')
 
 optional_policy(`