diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
index 3016944..64d877e 100644
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@@ -1,2 +1,4 @@
-/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index fab6940..255d869 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -127,12 +127,14 @@ template(`qemu_domain_template',`
template(`qemu_role',`
gen_require(`
type qemu_t, qemu_exec_t;
+ type qemu_config_t, qemu_config_exec_t;
')
role $1 types { qemu_t qemu_config_t };
domtrans_pattern($2, qemu_exec_t, qemu_t)
domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+ allow qemu_t $2:process signull;
')
########################################
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index 1739d59..a3225d4 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.4.0)
+policy_module(qemu, 1.4.1)
########################################
#
@@ -50,6 +50,9 @@ role system_r types qemu_t;
# qemu local policy
#
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)
@@ -108,7 +111,8 @@ optional_policy(`
type unconfined_qemu_t;
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
- unconfined_domain_noaudit(unconfined_qemu_t)
+ unconfined_domain(unconfined_qemu_t)
allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
')