Qemu patch from Dan Walsh.

Fix qemu labeling.

Additional qemu interfaces

Allow qemu to read/write removable devices

policy/modules/apps/qemu.fc

@@ -1,2 +1,4 @@
-/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/libexec/qemu.* --	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)

policy/modules/apps/qemu.if

@@ -127,12 +127,14 @@ template(`qemu_domain_template',`
 template(`qemu_role',`
 	gen_require(`
 		type qemu_t, qemu_exec_t;
+		type qemu_config_t, qemu_config_exec_t;
 	')
 
 	role $1 types { qemu_t qemu_config_t };
 
 	domtrans_pattern($2, qemu_exec_t, qemu_t)
  	domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+	allow qemu_t $2:process signull;
 ')
 
 ########################################

policy/modules/apps/qemu.te

@@ -1,4 +1,4 @@
-policy_module(qemu, 1.4.0)
+policy_module(qemu, 1.4.1)
 
 ########################################
 #
@@ -50,6 +50,9 @@ role system_r types qemu_t;
 # qemu local policy
 #
 
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
 userdom_search_user_home_content(qemu_t)
 userdom_read_user_tmpfs_files(qemu_t)
 
@@ -108,7 +111,8 @@ optional_policy(`
 	type unconfined_qemu_t;
 	typealias unconfined_qemu_t alias qemu_unconfined_t;
 	application_type(unconfined_qemu_t)
-	unconfined_domain_noaudit(unconfined_qemu_t)
+	unconfined_domain(unconfined_qemu_t)
 
 	allow unconfined_qemu_t self:process { execstack execmem };
+	allow unconfined_qemu_t qemu_exec_t:file execmod;
 ')