policy_module(qemu, 1.4.1)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow qemu to connect fully to the network
## </p>
## </desc>
gen_tunable(qemu_full_network, false)

## <desc>
## <p>
## Allow qemu to use cifs/Samba file systems
## </p>
## </desc>
gen_tunable(qemu_use_cifs, true)

## <desc>
## <p>
## Allow qemu to user serial/parallel communication ports
## </p>
## </desc>
gen_tunable(qemu_use_comm, false)

## <desc>
## <p>
## Allow qemu to use nfs file systems
## </p>
## </desc>
gen_tunable(qemu_use_nfs, true)

## <desc>
## <p>
## Allow qemu to use usb devices
## </p>
## </desc>
gen_tunable(qemu_use_usb, true)

type qemu_exec_t;
virt_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;

########################################
#
# qemu local policy
#

storage_raw_write_removable_device(qemu_t)
storage_raw_read_removable_device(qemu_t)

userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)

tunable_policy(`qemu_full_network',`
	allow qemu_t self:udp_socket create_socket_perms;

	corenet_udp_sendrecv_all_if(qemu_t)
	corenet_udp_sendrecv_all_nodes(qemu_t)
	corenet_udp_sendrecv_all_ports(qemu_t)
	corenet_udp_bind_all_nodes(qemu_t)
	corenet_udp_bind_all_ports(qemu_t)
	corenet_tcp_bind_all_ports(qemu_t)
	corenet_tcp_connect_all_ports(qemu_t)
')

tunable_policy(`qemu_use_cifs',`
	fs_manage_cifs_dirs(qemu_t)
	fs_manage_cifs_files(qemu_t)
')

tunable_policy(`qemu_use_comm',`
	term_use_unallocated_ttys(qemu_t)
	dev_rw_printer(qemu_t)
')

tunable_policy(`qemu_use_nfs',`
	fs_manage_nfs_dirs(qemu_t)
	fs_manage_nfs_files(qemu_t)
')

tunable_policy(`qemu_use_usb',`
	dev_rw_usbfs(qemu_t)
	fs_manage_dos_dirs(qemu_t)
	fs_manage_dos_files(qemu_t)
')

optional_policy(`
	samba_domtrans_smbd(qemu_t)
')

optional_policy(`
	virt_manage_images(qemu_t)
	virt_append_log(qemu_t)
')

optional_policy(`
	xen_rw_image_files(qemu_t)
')

optional_policy(`
	xen_rw_image_files(qemu_t)
')

########################################
#
# Unconfined qemu local policy
#

optional_policy(`
	type unconfined_qemu_t;
	typealias unconfined_qemu_t alias qemu_unconfined_t;
	application_type(unconfined_qemu_t)
	unconfined_domain(unconfined_qemu_t)
	userdom_manage_tmpfs_role(unconfined_r, unconfined_qemu_t)
	userdom_unpriv_usertype(unconfined, unconfined_qemu_t)

	allow unconfined_qemu_t self:process { execstack execmem };
	allow unconfined_qemu_t qemu_exec_t:file execmod;
')