diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc index 18bdc9d..3016944 100644 --- a/policy/modules/apps/qemu.fc +++ b/policy/modules/apps/qemu.fc @@ -1,2 +1,2 @@ -/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0) -/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) +/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0) diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if index 71f2423..09483f6 100644 --- a/policy/modules/apps/qemu.if +++ b/policy/modules/apps/qemu.if @@ -1,5 +1,42 @@ ## QEMU machine emulator and virtualizer +####################################### +## +## The per role template for the qemu module. +## +## +##
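Review bot: The two new patterns in qemu.fc, `/usr/bin/qemu.*` and `/usr/libexec/qemu.*`, label every regular file whose name starts with `qemu` as qemu_exec_t, not only the emulator binaries the removed lines named. Any helper tool installed under those prefixes (an image or NBD utility, for instance, depending on packaging) would become an entry point into qemu_t, a domain this commit gives considerably more access. A pattern tied to the emulator names, such as `/usr/bin/qemu(-system-.*|-kvm)? -- gen_context(system_u:object_r:qemu_exec_t,s0)`, keeps the set of entry points explicit. The same applies to the libexec line.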

+## This template creates a derived domains which are used +## for qemu web browser. +##

+##

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The role associated with the user domain. +## +## +## +## +## The type of the user domain. +## +## +# +template(`qemu_role',` + gen_require(` + type qemu_t, qemu_exec_t; + ') + + role $1 types { qemu_t qemu_config_t }; + + domtrans_pattern($2, qemu_exec_t, qemu_t) + domtrans_pattern($2, qemu_config_exec_t, qemu_config_t) +') + ######################################## ## ## Execute a domain transition to run qemu. @@ -40,6 +77,10 @@ interface(`qemu_run',` qemu_domtrans($1) role $2 types qemu_t; + + optional_policy(` + samba_run_smb(qemu_t, $2, $3) + ') ') ######################################## @@ -62,6 +103,24 @@ interface(`qemu_read_state',` ######################################## ## +## Set the schedule on qemu. +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_setsched',` + gen_require(` + type qemu_t; + ') + + allow $1 qemu_t:process setsched; +') + +######################################## +## ## Send a signal to qemu. ## ## @@ -211,3 +270,39 @@ template(`qemu_domain_template',` # xserver_xdm_rw_shm($1_t) ') ') + +######################################## +## +## Manage qemu temporary dirs. +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_manage_tmp_dirs',` + gen_require(` + type qemu_tmp_t; + ') + + manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t) +') + +######################################## +## +## Manage qemu temporary files. +## +## +## +## Domain allowed access. +## +## +# +interface(`qemu_manage_tmp_files',` + gen_require(` + type qemu_tmp_t; + ') + + manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t) +') diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te index 1a8edea..b35084f 100644 --- a/policy/modules/apps/qemu.te +++ b/policy/modules/apps/qemu.te @@ -1,5 +1,5 @@ -policy_module(qemu, 1.3.0) +policy_module(qemu, 1.3.1) ######################################## # @@ -13,8 +13,36 @@ policy_module(qemu, 1.3.0) ## gen_tunable(qemu_full_network, false) +## +##
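Review bot: The new `qemu_role` template uses qemu_config_t and qemu_config_exec_t in its `role $1 types { qemu_t qemu_config_t };` line and its second `domtrans_pattern`, but its `gen_require` block lists only qemu_t and qemu_exec_t. No declaration of either type is visible in this diff, so unless they come from elsewhere the template will not resolve them. The require line should read `type qemu_t, qemu_exec_t, qemu_config_t, qemu_config_exec_t;`. The description also looks copied from another module: it says the derived domains are "used for qemu web browser", and should state what the role is actually granted.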
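Review bot: The `samba_run_smb(qemu_t, $2, $3)` call added to `qemu_run` gives qemu_t a path into a Samba domain for every caller of the interface, and the `optional_policy` block holding `samba_domtrans_smbd(qemu_t)` in the later qemu.te hunk does the same for the base domain. Both depend only on the samba module being present, so an administrator cannot switch them off the way `qemu_full_network` or `qemu_use_comm` can be. Consider placing `samba_domtrans_smbd(qemu_t)` in a `tunable_policy` keyed on a new boolean that defaults to false, and stating in the `qemu_run` documentation that the role also gains the Samba domain. The body of `qemu_run` starts outside this hunk, so whether `$3` is a declared parameter cannot be confirmed from here.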
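Review bot: The summary of the new `qemu_setsched` interface, "Set the schedule on qemu.", does not say what is granted. The rule is `allow $1 qemu_t:process setsched;`, so a summary such as `## Set the scheduling parameters of qemu processes.` would match the rule and read consistently with the neighbouring "Send a signal to qemu." entry.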

+## Allow qemu to use cifs/Samba file systems +##

+##
+gen_tunable(qemu_use_cifs, true) + +## +##

+## Allow qemu to user serial/parallel communication ports +##

+##
+gen_tunable(qemu_use_comm, false) + +## +##

+## Allow qemu to use nfs file systems +##

+##
+gen_tunable(qemu_use_nfs, true) + +## +##

+## Allow qemu to use usb devices +##

+##
+gen_tunable(qemu_use_usb, true) + type qemu_exec_t; -qemu_domain_template(qemu) +virt_domain_template(qemu) application_domain(qemu_t, qemu_exec_t) role system_r types qemu_t; @@ -23,6 +51,9 @@ role system_r types qemu_t; # qemu local policy # +userdom_search_user_home_content(qemu_t) +userdom_read_user_tmpfs_files(qemu_t) + tunable_policy(`qemu_full_network',` allow qemu_t self:udp_socket create_socket_perms; @@ -35,6 +66,40 @@ tunable_policy(`qemu_full_network',` corenet_tcp_connect_all_ports(qemu_t) ') +tunable_policy(`qemu_use_cifs',` + fs_manage_cifs_dirs(qemu_t) + fs_manage_cifs_files(qemu_t) +') + +tunable_policy(`qemu_use_comm',` + term_use_unallocated_ttys(qemu_t) + dev_rw_printer(qemu_t) +') + +tunable_policy(`qemu_use_nfs',` + fs_manage_nfs_dirs(qemu_t) + fs_manage_nfs_files(qemu_t) +') + +tunable_policy(`qemu_use_usb',` + dev_rw_usbfs(qemu_t) + fs_manage_dos_dirs(qemu_t) + fs_manage_dos_files(qemu_t) +') + +optional_policy(` + samba_domtrans_smbd(qemu_t) +') + +optional_policy(` + virt_manage_images(qemu_t) + virt_append_log(qemu_t) +') + +optional_policy(` + xen_rw_image_files(qemu_t) +') + ######################################## # # qemu_unconfined local policy @@ -42,7 +107,7 @@ tunable_policy(`qemu_full_network',` optional_policy(` type qemu_unconfined_t; - domain_type(qemu_unconfined_t) + application_type(qemu_unconfined_t) unconfined_domain_noaudit(qemu_unconfined_t) allow qemu_unconfined_t self:process { execstack execmem }; diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc index ce739b3..ce2fbb9 100644 --- a/policy/modules/system/unconfined.fc +++ b/policy/modules/system/unconfined.fc 
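Review bot: Three of the four new booleans are declared enabled: `gen_tunable(qemu_use_cifs, true)`, `gen_tunable(qemu_use_nfs, true)` and `gen_tunable(qemu_use_usb, true)`. The existing `qemu_full_network` and the new `qemu_use_comm` default to false. With these defaults a stock install lets qemu_t manage CIFS and NFS directories and files and read/write usbfs, as granted by the `tunable_policy` blocks later in this file, without the administrator opting in. Defaulting them to false, e.g. `gen_tunable(qemu_use_nfs, false)`, keeps the confined domain least-privileged until a deployment needs the access. The `qemu_use_comm` description also has a typo: "Allow qemu to user serial/parallel" should read "use".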
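Review bot: In the `qemu_use_usb` tunable block, `fs_manage_dos_dirs(qemu_t)` and `fs_manage_dos_files(qemu_t)` are not tied to USB devices. They presumably apply to any mounted FAT filesystem carrying the DOS filesystem type, whatever device it sits on. The boolean's description, "Allow qemu to use usb devices", gives no hint of that, so enabling it (it defaults to true) grants more than its name suggests. Either move the two `fs_manage_dos_*` calls under their own boolean, or extend the description, e.g. `## Allow qemu to use usb devices and manage DOS/FAT filesystems`.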
@@ -2,7 +2,6 @@ # e.g.: # /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0) # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t -/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) /usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0) diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te index 698ce2e..df25576 100644 --- a/policy/modules/system/unconfined.te +++ b/policy/modules/system/unconfined.te @@ -1,5 +1,5 @@ -policy_module(unconfined, 3.1.0) +policy_module(unconfined, 3.1.1) ######################################## #