selinux-policy/policy/modules/apps/qemu.te

115 lines
2.1 KiB
Plaintext
Raw Normal View History

2008-06-16 18:59:07 +00:00
2010-02-19 15:15:19 +00:00
policy_module(qemu, 1.3.1)
2008-06-16 18:59:07 +00:00
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow qemu to connect fully to the network
## </p>
## </desc>
gen_tunable(qemu_full_network, false)
2010-02-19 15:15:19 +00:00
## <desc>
## <p>
## Allow qemu to use cifs/Samba file systems
## </p>
## </desc>
gen_tunable(qemu_use_cifs, true)
## <desc>
## <p>
## Allow qemu to user serial/parallel communication ports
## </p>
## </desc>
gen_tunable(qemu_use_comm, false)
## <desc>
## <p>
## Allow qemu to use nfs file systems
## </p>
## </desc>
gen_tunable(qemu_use_nfs, true)
## <desc>
## <p>
## Allow qemu to use usb devices
## </p>
## </desc>
gen_tunable(qemu_use_usb, true)
2008-06-16 18:59:07 +00:00
type qemu_exec_t;
2010-02-19 15:15:19 +00:00
virt_domain_template(qemu)
2008-06-16 18:59:07 +00:00
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;
########################################
#
# qemu local policy
#
2010-02-19 15:15:19 +00:00
userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)
2008-06-16 18:59:07 +00:00
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_all_if(qemu_t)
corenet_udp_sendrecv_all_nodes(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
corenet_udp_bind_all_nodes(qemu_t)
corenet_udp_bind_all_ports(qemu_t)
corenet_tcp_bind_all_ports(qemu_t)
corenet_tcp_connect_all_ports(qemu_t)
')
2010-02-19 15:15:19 +00:00
tunable_policy(`qemu_use_cifs',`
fs_manage_cifs_dirs(qemu_t)
fs_manage_cifs_files(qemu_t)
')
tunable_policy(`qemu_use_comm',`
term_use_unallocated_ttys(qemu_t)
dev_rw_printer(qemu_t)
')
tunable_policy(`qemu_use_nfs',`
fs_manage_nfs_dirs(qemu_t)
fs_manage_nfs_files(qemu_t)
')
tunable_policy(`qemu_use_usb',`
dev_rw_usbfs(qemu_t)
fs_manage_dos_dirs(qemu_t)
fs_manage_dos_files(qemu_t)
')
optional_policy(`
samba_domtrans_smbd(qemu_t)
')
optional_policy(`
virt_manage_images(qemu_t)
virt_append_log(qemu_t)
')
optional_policy(`
xen_rw_image_files(qemu_t)
')
2008-06-16 18:59:07 +00:00
########################################
#
# qemu_unconfined local policy
#
optional_policy(`
type qemu_unconfined_t;
2010-02-19 15:15:19 +00:00
application_type(qemu_unconfined_t)
2008-06-16 18:59:07 +00:00
unconfined_domain_noaudit(qemu_unconfined_t)
allow qemu_unconfined_t self:process { execstack execmem };
')