selinux-policy/policy/modules/apps/qemu.te
2009-11-17 10:05:56 -05:00

50 lines
1011 B
Plaintext

policy_module(qemu, 1.3.0)
########################################
#
# Declarations
#
## <desc>
## <p>
## Allow qemu to connect fully to the network
## </p>
## </desc>
gen_tunable(qemu_full_network, false)
type qemu_exec_t;
qemu_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;
########################################
#
# qemu local policy
#
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
corenet_udp_sendrecv_all_if(qemu_t)
corenet_udp_sendrecv_all_nodes(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
corenet_udp_bind_all_nodes(qemu_t)
corenet_udp_bind_all_ports(qemu_t)
corenet_tcp_bind_all_ports(qemu_t)
corenet_tcp_connect_all_ports(qemu_t)
')
########################################
#
# qemu_unconfined local policy
#
optional_policy(`
type qemu_unconfined_t;
domain_type(qemu_unconfined_t)
unconfined_domain_noaudit(qemu_unconfined_t)
allow qemu_unconfined_t self:process { execstack execmem };
')