policy_module(qemu, 1.0.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow qemu to connect fully to the network
## </p>
## </desc>
gen_tunable(qemu_full_network, false)

type qemu_exec_t;
qemu_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;

########################################
#
# qemu local policy
#

tunable_policy(`qemu_full_network',`
	allow qemu_t self:udp_socket create_socket_perms;

	corenet_udp_sendrecv_all_if(qemu_t)
	corenet_udp_sendrecv_all_nodes(qemu_t)
	corenet_udp_sendrecv_all_ports(qemu_t)
	corenet_udp_bind_all_nodes(qemu_t)
	corenet_udp_bind_all_ports(qemu_t)
	corenet_tcp_bind_all_ports(qemu_t)
	corenet_tcp_connect_all_ports(qemu_t)
')

########################################
#
# qemu_unconfined local policy
#

optional_policy(`
	type qemu_unconfined_t;
	domain_type(qemu_unconfined_t)
	unconfined_domain_noaudit(qemu_unconfined_t)

	allow qemu_unconfined_t self:process { execstack execmem };
')