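policy_module(qemu, 1.3.1)

########################################
#
# Declarations
#
# Each gen_tunable() below creates a policy boolean; its second argument is
# the default.  Three of the five default to true, so those grants are live
# on a fresh install until an administrator turns the boolean off.
#

# Default off.  When enabled, the tunable_policy block below grants TCP
# bind/connect and UDP send/receive/bind on all interfaces, nodes and ports,
# i.e. no port-level restriction at all for the emulator process.
## <desc>
## <p>
## Allow qemu to connect fully to the network
## </p>
## </desc>
gen_tunable(qemu_full_network, false)

# Default on.  fs_manage_cifs_* is granted on the CIFS filesystem type as a
# whole, not on individual image files -- NOTE(review): confirm this is the
# intended scope before leaving it enabled on hosts that mount other shares.
## <desc>
## <p>
## Allow qemu to use cifs/Samba file systems
## </p>
## </desc>
gen_tunable(qemu_use_cifs, true)

# Default off.  Enables use of unallocated ttys and read/write on printer
# devices (serial/parallel passthrough).
## <desc>
## <p>
## Allow qemu to use serial/parallel communication ports
## </p>
## </desc>
gen_tunable(qemu_use_comm, false)

# Default on.  Same caveat as qemu_use_cifs: the grant covers the NFS
# filesystem type, not just image files.
## <desc>
## <p>
## Allow qemu to use nfs file systems
## </p>
## </desc>
gen_tunable(qemu_use_nfs, true)

# Default on.  Grants read/write on usbfs plus manage on DOS filesystems.
## <desc>
## <p>
## Allow qemu to use usb devices
## </p>
## </desc>
gen_tunable(qemu_use_usb, true)

# qemu_t is the confined emulator domain, entered via qemu_exec_t.  It is
# only authorized for system_r here.
type qemu_exec_t;
virt_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;

########################################
#
# qemu local policy
#

# Unconditional: traverse user home content and read user tmpfs files.
userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)

# Full network access.  Every rule here is "all ports"; there is no narrower
# variant in this module, so this boolean is all-or-nothing.
tunable_policy(`qemu_full_network',`
	allow qemu_t self:udp_socket create_socket_perms;
	corenet_udp_sendrecv_all_if(qemu_t)
	corenet_udp_sendrecv_all_nodes(qemu_t)
	corenet_udp_sendrecv_all_ports(qemu_t)
	corenet_udp_bind_all_nodes(qemu_t)
	corenet_udp_bind_all_ports(qemu_t)
	corenet_tcp_bind_all_ports(qemu_t)
	corenet_tcp_connect_all_ports(qemu_t)
')

# Guest storage on CIFS shares.
tunable_policy(`qemu_use_cifs',`
	fs_manage_cifs_dirs(qemu_t)
	fs_manage_cifs_files(qemu_t)
')

# Serial/parallel passthrough.
tunable_policy(`qemu_use_comm',`
	term_use_unallocated_ttys(qemu_t)
	dev_rw_printer(qemu_t)
')

# Guest storage on NFS.
tunable_policy(`qemu_use_nfs',`
	fs_manage_nfs_dirs(qemu_t)
	fs_manage_nfs_files(qemu_t)
')

# USB passthrough; DOS filesystem access is bundled under the same boolean.
tunable_policy(`qemu_use_usb',`
	dev_rw_usbfs(qemu_t)
	fs_manage_dos_dirs(qemu_t)
	fs_manage_dos_files(qemu_t)
')

# Not gated by qemu_use_cifs: the transition to the smbd domain is available
# whenever the samba module is loaded, regardless of that boolean.
optional_policy(`
	samba_domtrans_smbd(qemu_t)
')

# libvirt-managed images and log.  virt_manage_images is manage (not just
# read/write) on the image file type, by interface name.
optional_policy(`
	virt_manage_images(qemu_t)
	virt_append_log(qemu_t)
')

# Xen image files: read/write only, by interface name.
optional_policy(`
	xen_rw_image_files(qemu_t)
')

########################################
#
# qemu_unconfined local policy
#
# qemu_unconfined_t is an escape hatch.  unconfined_domain_noaudit() lifts
# SELinux confinement for the domain (the _noaudit variant is meant to also
# suppress the corresponding AVC records -- confirm against the unconfined
# module), and the allow rule adds executable stack and executable anonymous
# memory on top.  Nothing in this file transitions into this domain; the
# entry path is defined elsewhere and should be treated as equivalent to
# running the emulator unconfined.
#

optional_policy(`
	type qemu_unconfined_t;
	application_type(qemu_unconfined_t)
	unconfined_domain_noaudit(qemu_unconfined_t)

	allow qemu_unconfined_t self:process { execstack execmem };
')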