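policy_module(qemu, 1.11.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Determine whether qemu has full
## access to the network.
## </p>
## </desc>
# Off by default. When enabled, the tunable_policy block below lets qemu_t
# bind and connect on every TCP/UDP port, so port-level containment of the
# emulator is lost; leave it off unless the deployment really needs it.
gen_tunable(qemu_full_network, false)

# Roles permitted to run qemu_t; system_r is the only member declared here.
attribute_role qemu_roles;
roleattribute system_r qemu_roles;

type qemu_exec_t;
application_executable_file(qemu_exec_t)

# The confined domain qemu_t (and presumably the qemu_tmpfs_t type used
# further down) are produced by this template — TODO confirm against the
# virt module.
virt_domain_template(qemu)
role qemu_roles types qemu_t;

type qemu_unit_t;
init_unit_file(qemu_unit_t)

# Runtime (pid directory) type; the alias keeps the older qemu_var_run_t
# name resolvable for policy that still refers to it.
type qemu_runtime_t alias qemu_var_run_t;
files_pid_file(qemu_runtime_t)

########################################
#
# Local policy
#

kernel_read_crypto_sysctls(qemu_t)

dev_read_sysfs(qemu_t)

# Sockets qemu_t creates in the pid directory are labelled qemu_runtime_t by
# name transition instead of inheriting the directory's type.
allow qemu_t qemu_runtime_t:sock_file create_sock_file_perms;
files_pid_filetrans(qemu_t, qemu_runtime_t, sock_file)

# Bind/connect on all ports; only active while qemu_full_network is on.
tunable_policy(`qemu_full_network',`
	corenet_udp_sendrecv_generic_if(qemu_t)
	corenet_udp_sendrecv_generic_node(qemu_t)
	corenet_udp_sendrecv_all_ports(qemu_t)
	corenet_udp_bind_generic_node(qemu_t)
	corenet_udp_bind_all_ports(qemu_t)
	corenet_tcp_bind_all_ports(qemu_t)
	corenet_tcp_connect_all_ports(qemu_t)
')

# Xen-specific access (xenfs, xen device, xenstore, xen log). Presumably only
# built in when the xen module is present — confirm the optional_policy guard.
optional_policy(`
	fs_manage_xenfs_files(qemu_t)

	dev_rw_xen(qemu_t)

	xen_stream_connect_xenstore(qemu_t)
	xen_append_log(qemu_t)
	xen_pid_filetrans(qemu_t, qemu_runtime_t, sock_file)
')

optional_policy(`
	xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
')

########################################
#
# Unconfined local policy
#

# unconfined_qemu_t is an unconfined domain, and on top of that may use
# writable+executable stacks/memory and modify executable mappings of
# qemu_exec_t. No transition into it is declared in this file, so it is
# only reachable by setups that explicitly choose the unconfined emulator.
optional_policy(`
	type unconfined_qemu_t;
	# Older name kept as an alias for existing policy.
	typealias unconfined_qemu_t alias qemu_unconfined_t;
	application_type(unconfined_qemu_t)
	unconfined_domain(unconfined_qemu_t)

	allow unconfined_qemu_t self:process { execstack execmem };
	allow unconfined_qemu_t qemu_exec_t:file execmod;
')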