diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
index 3016944..64d877e 100644
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@@ -1,2 +1,4 @@
-/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index fab6940..255d869 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -127,12 +127,14 @@ template(`qemu_domain_template',`
 template(`qemu_role',`
 gen_require(`
 type qemu_t, qemu_exec_t;
+ type qemu_config_t, qemu_config_exec_t;
 ')
 role $1 types { qemu_t qemu_config_t };
 domtrans_pattern($2, qemu_exec_t, qemu_t)
 domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+ allow qemu_t $2:process signull;
 ')
 ########################################
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index 1739d59..a3225d4 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.4.0)
+policy_module(qemu, 1.4.1)
 ########################################
 #
@@ -50,6 +50,9 @@ role system_r types qemu_t;
 # qemu local policy
 #
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
 userdom_search_user_home_content(qemu_t)
 userdom_read_user_tmpfs_files(qemu_t)
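Review bot: Replacing `/usr/bin/qemu.*` with three explicit entries drops the qemu_exec_t label from every other `/usr/bin/qemu-*` binary on a system (helper tools such as qemu-img or qemu-nbd, where installed), which then fall back to the directory default and no longer reach qemu_t through the domtrans_pattern rules in qemu_role. If that narrowing is intended, a comment above the entries such as `# only the emulator binaries get qemu_exec_t; qemu-* helper tools stay unlabelled` would stop the next maintainer from re-widening the pattern; if not, the helpers need entries of their own. The `/usr/libexec/qemu.*` entry keeps the broad wildcard, so the two directories are now labelled by different rules and that difference deserves a line of explanation too.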
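Review bot: The new `allow qemu_t $2:process signull;` in qemu_role carries no comment saying why the qemu domain needs to probe the calling user domain's processes, and the template's interface documentation (above the hunk) will not mention that the template now grants a permission from qemu_t back to the user domain rather than only the user-to-qemu transitions. A short why-comment on the line, e.g. `# qemu checks for the user process that launched it (signal 0 only)`, plus a sentence in the template's summary, would make the grant reviewable later; the actual reason is not stated in this commit, so adjust the wording to the real cause. The added gen_require line covers the qemu_config_t and qemu_config_exec_t references the template already made, which is the right fix for that part.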
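Review bot: `storage_raw_write_removable_device(qemu_t)` and `storage_raw_read_removable_device(qemu_t)` grant every qemu_t process unconditional raw read and write access to all removable block devices on the host, not only a device deliberately handed to a guest, so a guest that compromises its qemu process can read or overwrite any attached removable disk. Gating both calls in a `tunable_policy` block behind a boolean declared with `gen_tunable` (a constructed name such as qemu_use_removable_media, with a `## <desc>` block describing it) keeps the default deny on hosts that never pass removable media to guests. If the grant is to stay unconditional, at least a comment above the two calls naming the use case (raw block-device passthrough, presumably) would document why the broad access is accepted.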
@@ -108,7 +111,8 @@ optional_policy(`
 type unconfined_qemu_t;
 typealias unconfined_qemu_t alias qemu_unconfined_t;
 application_type(unconfined_qemu_t)
- unconfined_domain_noaudit(unconfined_qemu_t)
+ unconfined_domain(unconfined_qemu_t)
 allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
 ')
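Review bot: `allow unconfined_qemu_t qemu_exec_t:file execmod;` grants text-relocation execution on the qemu binary unconditionally, while the switch from `unconfined_domain_noaudit` to `unconfined_domain` on the line above appears to add the same permission gated by the allow_execmod tunable; if so, the explicit rule (like the existing unconditional execstack/execmem line) makes that boolean meaningless for this domain and the switch changes nothing here. A binary that needs execmod usually indicates it was built with text relocations, which is better fixed in the build than allowed in policy; if the grant must stay, a why-comment such as `# qemu binary ships text relocations; allow execmod until the build is fixed` would record the reason for the next reviewer. The enclosing optional_policy block starts outside the hunk.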