Allow virt_domains to exec qumu_exec_t, add boolean to allow svirt_t to connect to x

policy/modules/apps/qemu.if

@@ -155,6 +155,24 @@ interface(`qemu_domtrans',`
 	domtrans_pattern($1, qemu_exec_t, qemu_t)
 ')
 
+########################################
+## <summary>
+##	Execute a qemu in the callers domain
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_exec',`
+	gen_require(`
+		type qemu_exec_t;
+	')
+
+	can_exec($1, qemu_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute qemu in the qemu domain.

policy/modules/services/virt.te

@@ -41,6 +41,13 @@ gen_tunable(virt_use_samba, false)
 ## </desc>
 gen_tunable(virt_use_sysfs, false)
 
+## <desc>
+## <p>
+## Allow virtual machine to interact with the xserver
+## </p>
+## </desc>
+gen_tunable(virt_use_xserver, false)
+
 ## <desc>
 ## <p>
 ## Allow virt to use usb devices
@@ -177,6 +184,12 @@ tunable_policy(`virt_use_usb',`
 	fs_manage_dos_files(svirt_t)
 ')
 
+optional_policy(`
+	tunable_policy(`virt_use_xserver',`
+		xserver_stream_connect(svirt_t)
+	')
+')
+
 optional_policy(`
 	xen_rw_image_files(svirt_t)
 ')
@@ -426,6 +439,7 @@ optional_policy(`
 	qemu_kill(virtd_t)
 	qemu_setsched(virtd_t)
 	qemu_entry_type(virt_domain)
+	qemu_exec(virt_domain)
 ')
 
 optional_policy(`