[selinux-policy: 2394/3172] Virt/svirt patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:32:31 UTC 2010


commit 3079cbceb1673b5dc7a83d3084b145411c6bda96
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Feb 9 10:28:17 2010 -0500

    Virt/svirt patch from Dan Walsh.

 policy/modules/kernel/corenetwork.te.in |    4 +-
 policy/modules/services/virt.fc         |   13 ++
 policy/modules/services/virt.if         |  175 ++++++++++++++++++++-
 policy/modules/services/virt.te         |  258 +++++++++++++++++++++++++++++--
 4 files changed, 427 insertions(+), 23 deletions(-)
---
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 1a98bba..261d7bd 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
 
-policy_module(corenetwork, 1.13.4)
+policy_module(corenetwork, 1.13.5)
 
 ########################################
 #
@@ -196,6 +196,8 @@ network_port(ups, tcp,3493,s0)
 type utcpserver_port_t, port_type; dnl network_port(utcpserver) # no defined portcon
 network_port(uucpd, tcp,540,s0)
 network_port(varnishd, tcp,6081,s0, tcp,6082,s0)
+network_port(virt, tcp,16509,s0, udp,16509,s0, tcp,16514,s0, udp,16514,s0)
+network_port(virt_migration, tcp,49152,s0)
 network_port(vnc, tcp,5900,s0)
 network_port(wccp, udp,2048,s0)
 network_port(whois, tcp,43,s0, udp,43,s0)
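Review bot: `network_port(virt_migration, tcp,49152,s0)` reserves a single port, but libvirt's migration listener picks the next free port of a range beginning at 49152 (one per concurrent migration), so only the first migration on a host would land on a virt_migration_port_t port and later ones would bind whatever the ports above it are labelled, presumably the generic unreserved type. If the range is what is intended, the declaration should cover it, e.g. `network_port(virt_migration, tcp,49152-49216,s0)` with the upper bound matched to the libvirt build this targets; worth confirming before the corenet_tcp_bind_virt_migration_port interface is relied on in virt.te.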
diff --git a/policy/modules/services/virt.fc b/policy/modules/services/virt.fc
index b6f5f5a..1116f4f 100644
--- a/policy/modules/services/virt.fc
+++ b/policy/modules/services/virt.fc
@@ -1,3 +1,7 @@
+HOME_DIR/.virtinst(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
+HOME_DIR/VirtualMachines(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
+HOME_DIR/VirtualMachines/isos(/.*)? gen_context(system_u:object_r:virt_content_t,s0)
+
 /etc/libvirt		-d	gen_context(system_u:object_r:virt_etc_t,s0)
 /etc/libvirt/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
 /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
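Review bot: `HOME_DIR/VirtualMachines(/.*)?` is labelled virt_image_t, but virt.te in this same commit only registers virt_content_t as user home content (`userdom_user_home_content(virt_content_t)`) and not virt_image_t. Unless virt_image_t is declared home content elsewhere, interfaces keyed on the user home content attribute will skip that directory and a user's own domain may be unable to create or manage it in its home. If the label is intended, adding `userdom_user_home_content(virt_image_t)` next to the virt_content_t line in virt.te would make the two consistent.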
@@ -6,7 +10,16 @@
 
 /usr/sbin/libvirtd	--	gen_context(system_u:object_r:virtd_exec_t,s0)
 
+/var/cache/libvirt(/.*)?	gen_context(system_u:object_r:svirt_cache_t,s0)
+
 /var/lib/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_lib_t,s0)
+/var/lib/libvirt/boot(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
 /var/lib/libvirt/images(/.*)? 	gen_context(system_u:object_r:virt_image_t,s0)
+/var/lib/libvirt/isos(/.*)? 	gen_context(system_u:object_r:virt_content_t,s0)
+/var/lib/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
+
 /var/log/libvirt(/.*)?		gen_context(system_u:object_r:virt_log_t,s0)
 /var/run/libvirt(/.*)?		gen_context(system_u:object_r:virt_var_run_t,s0)
+/var/run/libvirt/qemu(/.*)? 	gen_context(system_u:object_r:svirt_var_run_t,s0)
+
+/var/vdsm(/.*)?			gen_context(system_u:object_r:virt_var_run_t,s0)
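Review bot: `/var/lib/libvirt/qemu(/.*)?` is labelled svirt_var_run_t, a type the template declares with files_pid_file(), but nothing in this commit adds a transition from virt_var_lib_t to svirt_var_run_t, so sockets and files virtd_t creates there at runtime will inherit the parent directory's virt_var_lib_t label and the .fc entry only takes effect on a relabel. The same applies to `/var/vdsm(/.*)?` labelled virt_var_run_t under /var rather than /var/run, where files_pid_filetrans does not reach. If runtime-created files are meant to carry these labels, a filetrans rule (or an explicit labelling step in virtd) is needed; if the directories are populated only by package install and restorecon, a comment saying so would stop the next reader from hunting for the missing transition. Style: the added lines mix a trailing space and a tab between the path and gen_context (`(/.*)? \t`), unlike the existing tab-only entries.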
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 4b6091f..92b6ca4 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -2,6 +2,70 @@
 
 ########################################
 ## <summary>
+##	Creates types and rules for a basic
+##	qemu process domain.
+## </summary>
+## <param name="prefix">
+##	<summary>
+##	Prefix for the domain.
+##	</summary>
+## </param>
+#
+template(`virt_domain_template',`
+	gen_require(`
+		type virtd_t;
+		attribute virt_image_type;
+		attribute virt_domain;
+	')
+
+	type $1_t, virt_domain;
+	domain_type($1_t)
+	role system_r types $1_t;
+
+	type $1_tmp_t;
+	files_tmp_file($1_tmp_t)
+
+	type $1_tmpfs_t;
+	files_tmpfs_file($1_tmpfs_t)
+
+	type $1_image_t, virt_image_type;
+	files_type($1_image_t)
+	dev_node($1_image_t)
+
+	type $1_var_run_t;
+	files_pid_file($1_var_run_t)
+
+	manage_dirs_pattern($1_t, $1_image_t, $1_image_t)
+	manage_files_pattern($1_t, $1_image_t, $1_image_t)
+	read_lnk_files_pattern($1_t, $1_image_t, $1_image_t)
+	rw_blk_files_pattern($1_t, $1_image_t, $1_image_t)
+
+	manage_dirs_pattern($1_t, $1_tmp_t, $1_tmp_t)
+	manage_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+	manage_lnk_files_pattern($1_t, $1_tmp_t, $1_tmp_t)
+	files_tmp_filetrans($1_t, $1_tmp_t, { file dir })
+
+	manage_dirs_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	manage_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	manage_lnk_files_pattern($1_t, $1_tmpfs_t, $1_tmpfs_t)
+	fs_tmpfs_filetrans($1_t, $1_tmpfs_t, { dir file lnk_file })
+
+	stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)
+	manage_dirs_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+	manage_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+	manage_sock_files_pattern(virtd_t, $1_var_run_t, $1_var_run_t)
+
+	manage_dirs_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	manage_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	manage_sock_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	manage_lnk_files_pattern($1_t, $1_var_run_t, $1_var_run_t)
+	files_pid_filetrans($1_t, $1_var_run_t, { dir file })
+	stream_connect_pattern($1_t, $1_var_run_t, $1_var_run_t, virtd_t)
+
+')
+
+########################################
+## <summary>
 ##	Make the specified type usable as a virt image
 ## </summary>
 ## <param name="type">
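Review bot: `role system_r types $1_t;` inside virt_domain_template duplicates the `role system_r types svirt_t;` that virt.te adds right after invoking the template; keep one, and the template is the better place since every instantiation needs it. The gen_require block lists `attribute virt_domain` and `attribute virt_image_type`, which virt.te declares after the template call — harmless for the two-pass compile but worth moving the declarations above the call for readability. A short comment on `stream_connect_pattern(virtd_t, $1_var_run_t, $1_var_run_t, virt_domain)` explaining why the fourth argument is the attribute rather than `$1_t` (presumably virtd connects to any domain's control socket, not only this prefix's) would help the next reader.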
@@ -122,6 +186,41 @@ interface(`virt_manage_config',`
 
 ########################################
 ## <summary>
+##	Allow domain to manage virt image files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`virt_read_content',`
+	gen_require(`
+		type virt_content_t;
+	')
+
+	virt_search_lib($1)
+	allow $1 virt_content_t:dir list_dir_perms;
+	list_dirs_pattern($1, virt_content_t, virt_content_t)
+	read_files_pattern($1, virt_content_t, virt_content_t)
+	read_lnk_files_pattern($1, virt_content_t, virt_content_t)
+	read_blk_files_pattern($1, virt_content_t, virt_content_t)
+
+	tunable_policy(`virt_use_nfs',`
+		fs_list_nfs($1)
+		fs_read_nfs_files($1)
+		fs_read_nfs_symlinks($1)
+	')
+
+	tunable_policy(`virt_use_samba',`
+		fs_list_cifs($1)
+		fs_read_cifs_files($1)
+		fs_read_cifs_symlinks($1)
+	')
+')
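Review bot: The doc block for virt_read_content is copied from virt_manage_images: its summary says `Allow domain to manage virt image files` although the interface only grants read access to virt_content_t, and the parameter summary says `Domain to not audit.` although the interface allows access rather than dontauditing it. Suggest `##	Allow domain to read virt content files` and `##	Domain allowed access.`; the same `Domain to not audit.` slip recurs in the virt_read_images block added later in this file.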
+
+########################################
+## <summary>
 ##	Read virt PID files.
 ## </summary>
 ## <param name="domain">
@@ -136,7 +235,7 @@ interface(`virt_read_pid_files',`
 	')
 
 	files_search_pids($1)
-	allow $1 virt_var_run_t:file read_file_perms;
+	read_files_pattern($1, virt_var_run_t, virt_var_run_t)
 ')
 
 ########################################
@@ -154,6 +253,7 @@ interface(`virt_manage_pid_files',`
 		type virt_var_run_t;
 	')
 
+	files_search_pids($1)
 	manage_files_pattern($1, virt_var_run_t, virt_var_run_t)
 ')
 
@@ -277,6 +377,64 @@ interface(`virt_manage_log',`
 
 ########################################
 ## <summary>
+##	Allow domain to read virt image files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`virt_read_images',`
+	gen_require(`
+		type virt_var_lib_t;
+		attribute virt_image_type;
+	')
+
+	virt_search_lib($1)
+	allow $1 virt_image_type:dir list_dir_perms;
+	list_dirs_pattern($1, virt_image_type, virt_image_type)
+	read_files_pattern($1, virt_image_type, virt_image_type)
+	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+	read_blk_files_pattern($1, virt_image_type, virt_image_type)
+
+	tunable_policy(`virt_use_nfs',`
+		fs_list_nfs($1)
+		fs_read_nfs_files($1)
+		fs_read_nfs_symlinks($1)
+	')
+
+	tunable_policy(`virt_use_samba',`
+		fs_list_cifs($1)
+		fs_read_cifs_files($1)
+		fs_read_cifs_symlinks($1)
+	')
+')
+
+########################################
+## <summary>
+##	Create, read, write, and delete
+##	svirt cache files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`virt_manage_svirt_cache',`
+	gen_require(`
+		type svirt_cache_t;
+	')
+
+	files_search_var($1)
+	manage_dirs_pattern($1, svirt_cache_t, svirt_cache_t)
+	manage_files_pattern($1, svirt_cache_t, svirt_cache_t)
+	manage_lnk_files_pattern($1, svirt_cache_t, svirt_cache_t)
+')
+
+########################################
+## <summary>
 ##	Allow domain to manage virt image files
 ## </summary>
 ## <param name="domain">
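Review bot: virt_read_images' gen_require lists `type virt_var_lib_t`, but the body never references that type directly — the search on it comes through `virt_search_lib($1)`, which carries its own require — so the line is dead and can be dropped to keep the require block minimal. Everything else in the interface mirrors virt_read_content, so if the two are meant to stay in lockstep a comment pointing at the sibling would help future edits land in both.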
@@ -287,15 +445,16 @@ interface(`virt_manage_log',`
 #
 interface(`virt_manage_images',`
 	gen_require(`
-		type virt_image_t, virt_var_lib_t;
+		type virt_var_lib_t;
+		attribute virt_image_type;
 	')
 
 	virt_search_lib($1)
-	allow $1 virt_image_t:dir list_dir_perms;
-	manage_dirs_pattern($1, virt_image_t, virt_image_t)
-	manage_files_pattern($1, virt_image_t, virt_image_t)
-	read_lnk_files_pattern($1, virt_image_t, virt_image_t)
-	rw_blk_files_pattern($1, virt_image_t, virt_image_t)
+	allow $1 virt_image_type:dir list_dir_perms;
+	manage_dirs_pattern($1, virt_image_type, virt_image_type)
+	manage_files_pattern($1, virt_image_type, virt_image_type)
+	read_lnk_files_pattern($1, virt_image_type, virt_image_type)
+	rw_blk_files_pattern($1, virt_image_type, virt_image_type)
 
 	tunable_policy(`virt_use_nfs',`
 		fs_manage_nfs_dirs($1)
@@ -304,7 +463,7 @@ interface(`virt_manage_images',`
 	')
 
 	tunable_policy(`virt_use_samba',`
-		fs_manage_nfs_files($1)
+		fs_manage_cifs_files($1)
 		fs_manage_cifs_files($1)
 		fs_read_cifs_symlinks($1)
 	')
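Review bot: The virt_use_samba block now lists `fs_manage_cifs_files($1)` twice: the changed line replaces fs_manage_nfs_files with it while the context line directly below already had it. Given that the nfs block above pairs `fs_manage_nfs_dirs($1)` with the files call, the first line was most likely meant to be `fs_manage_cifs_dirs($1)`, which is also what virt.te grants svirt_t under the same tunable.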
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 88fb140..b02d62c 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1,5 +1,5 @@
 
-policy_module(virt, 1.3.0)
+policy_module(virt, 1.3.1)
 
 ########################################
 #
@@ -8,6 +8,13 @@ policy_module(virt, 1.3.0)
 
 ## <desc>
 ## <p>
+## Allow virt to use serial/parallell communication ports
+## </p>
+## </desc>
+gen_tunable(virt_use_comm, false)
+
+## <desc>
+## <p>
 ## Allow virt to manage nfs files
 ## </p>
 ## </desc>
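Review bot: The new tunable description reads `Allow virt to use serial/parallell communication ports`; "parallell" should be "parallel", and since this text is rendered into generated documentation and boolean listings the typo is user-visible. Suggest `## Allow virt to use serial/parallel communication ports`.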
@@ -20,6 +27,27 @@ gen_tunable(virt_use_nfs, false)
 ## </desc>
 gen_tunable(virt_use_samba, false)
 
+## <desc>
+## <p>
+## Allow virt to manage device configuration, (pci)
+## </p>
+## </desc>
+gen_tunable(virt_use_sysfs, false)
+
+## <desc>
+## <p>
+## Allow virt to use usb devices
+## </p>
+## </desc>
+gen_tunable(virt_use_usb, true)
+
+virt_domain_template(svirt)
+role system_r types svirt_t;
+
+type svirt_cache_t;
+files_type(svirt_cache_t)
+
+attribute virt_domain;
 attribute virt_image_type;
 
 type virt_etc_t;
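Review bot: `gen_tunable(virt_use_usb, true)` is the only one of the new booleans that defaults to on, and the svirt block further down grants `fs_manage_dos_dirs`/`fs_manage_dos_files` under it alongside usbfs access, which the description `Allow virt to use usb devices` does not mention. Either widen the text (e.g. `## Allow virt to use usb devices and write vfat/dos filesystems`) or move the DOS filesystem rules under their own boolean, so an administrator reading the boolean list knows what enabling it grants. The virt_use_sysfs description `Allow virt to manage device configuration, (pci)` would read better as `Allow virt to manage device configuration (pci) via sysfs`.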
@@ -29,9 +57,14 @@ type virt_etc_rw_t;
 files_type(virt_etc_rw_t)
 
 # virt Image files
-type virt_image_t, virt_image_type; # customizable
+type virt_image_t; # customizable
 virt_image(virt_image_t)
 
+# virt Image files
+type virt_content_t; # customizable
+virt_image(virt_content_t)
+userdom_user_home_content(virt_content_t)
+
 type virt_log_t;
 logging_log_file(virt_log_t)
 
@@ -44,21 +77,102 @@ files_type(virt_var_lib_t)
 type virtd_t;
 type virtd_exec_t;
 init_daemon_domain(virtd_t, virtd_exec_t)
+domain_obj_id_change_exemption(virtd_t)
+domain_subj_id_change_exemption(virtd_t)
 
 type virtd_initrc_exec_t;
 init_script_file(virtd_initrc_exec_t)
 
+ifdef(`enable_mcs',`
+	init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mcs_systemhigh)
+')
+
+ifdef(`enable_mls',`
+	init_ranged_daemon_domain(virtd_t, virtd_exec_t,s0 - mls_systemhigh)
+')
+
+########################################
+#
+# svirt local policy
+#
+
+allow svirt_t self:udp_socket create_socket_perms;
+
+manage_dirs_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(svirt_t, svirt_cache_t, svirt_cache_t)
+files_var_filetrans(svirt_t, svirt_cache_t, { file dir })
+
+read_lnk_files_pattern(svirt_t, virt_image_t, virt_image_t)
+
+allow svirt_t svirt_image_t:dir search_dir_perms;
+manage_dirs_pattern(svirt_t, svirt_image_t, svirt_image_t)
+manage_files_pattern(svirt_t, svirt_image_t, svirt_image_t)
+
+list_dirs_pattern(svirt_t, virt_content_t, virt_content_t)
+read_files_pattern(svirt_t, virt_content_t, virt_content_t)
+dontaudit svirt_t virt_content_t:file write_file_perms;
+dontaudit svirt_t virt_content_t:dir write;
+
+corenet_udp_sendrecv_generic_if(svirt_t)
+corenet_udp_sendrecv_generic_node(svirt_t)
+corenet_udp_sendrecv_all_ports(svirt_t)
+corenet_udp_bind_generic_node(svirt_t)
+corenet_udp_bind_all_ports(svirt_t)
+
+dev_list_sysfs(svirt_t)
+
+userdom_search_user_home_content(svirt_t)
+userdom_read_all_users_state(svirt_t)
+
+tunable_policy(`virt_use_comm',`
+	term_use_unallocated_ttys(svirt_t)
+	dev_rw_printer(svirt_t)
+')
+
+tunable_policy(`virt_use_nfs',`
+	fs_manage_nfs_dirs(svirt_t)
+	fs_manage_nfs_files(svirt_t)
+')
+
+tunable_policy(`virt_use_samba',`
+	fs_manage_cifs_dirs(svirt_t)
+	fs_manage_cifs_files(svirt_t)
+')
+
+tunable_policy(`virt_use_sysfs',`
+	dev_rw_sysfs(svirt_t)
+')
+
+tunable_policy(`virt_use_usb',`
+	dev_rw_usbfs(svirt_t)
+	fs_manage_dos_dirs(svirt_t)
+	fs_manage_dos_files(svirt_t)
+')
+
+optional_policy(`
+	xen_rw_image_files(svirt_t)
+')
+
 ########################################
 #
 # virtd local policy
 #
 
-allow virtd_t self:capability { dac_override kill net_admin setgid sys_nice sys_ptrace };
-allow virtd_t self:process { getsched sigkill signal execmem };
-allow virtd_t self:fifo_file rw_file_perms;
+allow virtd_t self:capability { chown dac_override fowner ipc_lock kill mknod net_admin net_raw setpcap setuid setgid sys_admin sys_nice sys_ptrace };
+allow virtd_t self:process { getcap getsched setcap sigkill signal signull execmem setexec setfscreate setsched };
+
+allow virtd_t self:fifo_file rw_fifo_file_perms;
 allow virtd_t self:unix_stream_socket create_stream_socket_perms;
 allow virtd_t self:tcp_socket create_stream_socket_perms;
-allow virtd_t self:tun_socket create;
+allow virtd_t self:tun_socket create_socket_perms;
+
+manage_dirs_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+manage_files_pattern(virtd_t, svirt_cache_t, svirt_cache_t)
+
+manage_dirs_pattern(virtd_t, virt_content_t, virt_content_t)
+manage_files_pattern(virtd_t, virt_content_t, virt_content_t)
+
+allow virtd_t virt_domain:process { getattr getsched setsched transition signal signull sigkill };
 
 read_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
 read_lnk_files_pattern(virtd_t, virt_etc_t, virt_etc_t)
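Review bot: `allow svirt_t svirt_image_t:dir search_dir_perms;` and the two manage_*_pattern lines beneath it duplicate the `$1_image_t` rules that virt_domain_template already generates for svirt_t, so they can be dropped. The enlarged virtd_t capability set (`sys_admin`, `setuid`, `setpcap`, `mknod`, `chown`, `fowner` added on one line) together with `domain_obj_id_change_exemption`/`domain_subj_id_change_exemption` makes virtd_t a highly privileged relabeling domain; each group presumably maps to a libvirt feature (mounting storage, dropping privileges for qemu, creating device nodes), and a one-line why-comment per group above that allow line would let later reviewers prune what is no longer needed. The unconditional `corenet_udp_bind_all_ports(svirt_t)` likewise deserves a comment naming what guests need it for, since it is broader than the tcp binds granted to virt_domain later in this file.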
@@ -69,6 +183,9 @@ manage_lnk_files_pattern(virtd_t, virt_etc_rw_t, virt_etc_rw_t)
 filetrans_pattern(virtd_t, virt_etc_t, virt_etc_rw_t, dir)
 
 manage_files_pattern(virtd_t, virt_image_type, virt_image_type)
+manage_blk_files_pattern(virtd_t, virt_image_type, virt_image_type)
+allow virtd_t virt_image_type:file { relabelfrom relabelto };
+allow virtd_t virt_image_type:blk_file { relabelfrom relabelto };
 
 manage_dirs_pattern(virtd_t, virt_log_t, virt_log_t)
 manage_files_pattern(virtd_t, virt_log_t, virt_log_t)
@@ -76,6 +193,7 @@ logging_log_filetrans(virtd_t, virt_log_t, { file dir })
 
 manage_dirs_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 manage_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
+manage_sock_files_pattern(virtd_t, virt_var_lib_t, virt_var_lib_t)
 files_var_lib_filetrans(virtd_t, virt_var_lib_t, { file dir })
 
 manage_dirs_pattern(virtd_t, virt_var_run_t, virt_var_run_t)
@@ -86,7 +204,8 @@ files_pid_filetrans(virtd_t, virt_var_run_t, { file dir })
 kernel_read_system_state(virtd_t)
 kernel_read_network_state(virtd_t)
 kernel_rw_net_sysctls(virtd_t)
-kernel_load_module(virtd_t)
+kernel_request_load_module(virtd_t)
+kernel_search_debugfs(virtd_t)
 
 corecmd_exec_bin(virtd_t)
 corecmd_exec_shell(virtd_t)
@@ -97,30 +216,43 @@ corenet_tcp_sendrecv_generic_if(virtd_t)
 corenet_tcp_sendrecv_generic_node(virtd_t)
 corenet_tcp_sendrecv_all_ports(virtd_t)
 corenet_tcp_bind_generic_node(virtd_t)
-#corenet_tcp_bind_virt_port(virtd_t)
+corenet_tcp_bind_virt_port(virtd_t)
 corenet_tcp_bind_vnc_port(virtd_t)
 corenet_tcp_connect_vnc_port(virtd_t)
 corenet_tcp_connect_soundd_port(virtd_t)
 corenet_rw_tun_tap_dev(virtd_t)
 
-dev_read_sysfs(virtd_t)
+dev_rw_sysfs(virtd_t)
 dev_read_rand(virtd_t)
+dev_rw_kvm(virtd_t)
+dev_getattr_all_chr_files(virtd_t)
 
 # Init script handling
 domain_use_interactive_fds(virtd_t)
+domain_read_all_domains_state(virtd_t)
 
 files_read_usr_files(virtd_t)
 files_read_etc_files(virtd_t)
 files_read_etc_runtime_files(virtd_t)
 files_search_all(virtd_t)
-files_list_kernel_modules(virtd_t)
+files_read_kernel_modules(virtd_t)
+files_read_usr_src_files(virtd_t)
+files_manage_etc_files(virtd_t)
 
 fs_list_auto_mountpoints(virtd_t)
+fs_getattr_xattr_fs(virtd_t)
+fs_rw_anon_inodefs_files(virtd_t)
+fs_list_inotifyfs(virtd_t)
+
+mcs_process_set_categories(virtd_t)
 
+storage_manage_fixed_disk(virtd_t)
+storage_relabel_fixed_disk(virtd_t)
 storage_raw_write_removable_device(virtd_t)
 storage_raw_read_removable_device(virtd_t)
 
 term_getattr_pty_fs(virtd_t)
+term_use_generic_ptys(virtd_t)
 term_use_ptmx(virtd_t)
 
 auth_use_nsswitch(virtd_t)
@@ -128,9 +260,20 @@ auth_use_nsswitch(virtd_t)
 miscfiles_read_localization(virtd_t)
 miscfiles_read_certs(virtd_t)
 
+modutils_read_module_deps(virtd_t)
+modutils_manage_module_config(virtd_t)
+
 logging_send_syslog_msg(virtd_t)
 
+seutil_read_default_contexts(virtd_t)
+
+sysnet_domtrans_ifconfig(virtd_t)
+sysnet_read_config(virtd_t)
+
+userdom_getattr_all_users(virtd_t)
+userdom_list_user_home_content(virtd_t)
 userdom_read_all_users_state(virtd_t)
+userdom_read_user_home_content_files(virtd_t)
 
 tunable_policy(`virt_use_nfs',`
 	fs_manage_nfs_dirs(virtd_t)
@@ -168,16 +311,32 @@ optional_policy(`
 	dnsmasq_domtrans(virtd_t)
 	dnsmasq_signal(virtd_t)
 	dnsmasq_kill(virtd_t)
+	dnsmasq_read_pid_files(virtd_t)
+	dnsmasq_signull(virtd_t)
 ')
 
 optional_policy(`
 	iptables_domtrans(virtd_t)
+	iptables_initrc_domtrans(virtd_t)
+
+	# Manages /etc/sysconfig/system-config-firewall
+	iptables_manage_config(virtd_t)
 ')
 
-#optional_policy(`
-#	polkit_domtrans_auth(virtd_t)
-#	polkit_domtrans_resolve(virtd_t)
-#')
+optional_policy(`
+	kerberos_keytab_template(virtd, virtd_t)
+')
+
+optional_policy(`
+	lvm_domtrans(virtd_t)
+')
+
+optional_policy(`
+        policykit_dbus_chat(virtd_t)
+	policykit_domtrans_auth(virtd_t)
+	policykit_domtrans_resolve(virtd_t)
+	policykit_read_lib(virtd_t)
+')
 
 optional_policy(`
 	qemu_domtrans(virtd_t)
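Review bot: `policykit_dbus_chat(virtd_t)` is indented with spaces while every other line in these optional_policy blocks uses a tab; the mismatch shows up in any tab-aware diff and should be a single tab like the three lines below it. Beyond that the block simply replaces the previously commented-out calls with live ones, so nothing else to change here.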
@@ -196,8 +355,79 @@ optional_policy(`
 
 	xen_stream_connect(virtd_t)
 	xen_stream_connect_xenstore(virtd_t)
+	xen_read_image_files(virtd_t)
+')
+
+optional_policy(`
+	udev_domtrans(virtd_t)
 ')
 
 optional_policy(`
 	unconfined_domain(virtd_t)
 ')
+
+########################################
+#
+# virtual domains common policy
+#
+
+allow virt_domain self:capability { dac_read_search dac_override };
+allow virt_domain self:process { execmem signal getsched signull };
+allow virt_domain self:fifo_file rw_file_perms;
+allow virt_domain self:shm create_shm_perms;
+allow virt_domain self:unix_stream_socket create_stream_socket_perms;
+allow virt_domain self:unix_dgram_socket { create_socket_perms sendto };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
+
+append_files_pattern(virt_domain, virt_log_t, virt_log_t)
+
+append_files_pattern(virt_domain, virt_var_lib_t, virt_var_lib_t)
+
+kernel_read_system_state(virt_domain)
+
+corecmd_exec_bin(virt_domain)
+corecmd_exec_shell(virt_domain)
+
+corenet_all_recvfrom_unlabeled(virt_domain)
+corenet_all_recvfrom_netlabel(virt_domain)
+corenet_tcp_sendrecv_generic_if(virt_domain)
+corenet_tcp_sendrecv_generic_node(virt_domain)
+corenet_tcp_sendrecv_all_ports(virt_domain)
+corenet_tcp_bind_generic_node(virt_domain)
+corenet_tcp_bind_vnc_port(virt_domain)
+corenet_rw_tun_tap_dev(virt_domain)
+corenet_tcp_bind_virt_migration_port(virt_domain)
+corenet_tcp_connect_virt_migration_port(virt_domain)
+
+dev_read_sound(virt_domain)
+dev_write_sound(virt_domain)
+dev_rw_ksm(virt_domain)
+dev_rw_kvm(virt_domain)
+dev_rw_qemu(virt_domain)
+
+domain_use_interactive_fds(virt_domain)
+
+files_read_etc_files(virt_domain)
+files_read_usr_files(virt_domain)
+files_read_var_files(virt_domain)
+
+fs_getattr_tmpfs(virt_domain)
+fs_rw_anon_inodefs_files(virt_domain)
+fs_rw_tmpfs_files(virt_domain)
+
+auth_use_nsswitch(virt_domain)
+
+logging_send_syslog_msg(virt_domain)
+
+miscfiles_read_localization(virt_domain)
+
+optional_policy(`
+	ptchown_domtrans(virt_domain)
+')
+
+optional_policy(`
+	virt_read_config(virt_domain)
+	virt_read_lib_files(virt_domain)
+	virt_read_content(virt_domain)
+	virt_stream_connect(virt_domain)
+')
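Review bot: `allow virt_domain self:fifo_file rw_file_perms;` uses the plain-file permission set where the virtd_t block in this same patch was just switched to `rw_fifo_file_perms`; for consistency change it to `allow virt_domain self:fifo_file rw_fifo_file_perms;`. The closing `optional_policy` wrapping `virt_read_config`, `virt_read_lib_files`, `virt_read_content` and `virt_stream_connect` calls this module's own interfaces from inside virt.te, which can never be absent when virt.te is built; refpolicy style is to write the underlying rules directly here rather than call in-module interfaces under optional_policy. The `dac_read_search dac_override` capabilities granted to every virt_domain let a guest process bypass discretionary permissions on any object its type rules otherwise allow — presumably needed for images owned by other users, but a why-comment on that line would make the intent clear.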

