[selinux-policy: 2418/3172] Qemu patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:34:34 UTC 2010
commit 72295e93e100539694d5d08ba8cf051ed33c5eed
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Fri Feb 19 10:15:19 2010 -0500
Qemu patch from Dan Walsh.
policy/modules/apps/qemu.fc | 4 +-
policy/modules/apps/qemu.if | 95 +++++++++++++++++++++++++++++++++++
policy/modules/apps/qemu.te | 71 +++++++++++++++++++++++++-
policy/modules/system/unconfined.fc | 1 -
policy/modules/system/unconfined.te | 2 +-
5 files changed, 166 insertions(+), 7 deletions(-)
---
diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
index 18bdc9d..3016944 100644
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@@ -1,2 +1,2 @@
-/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index 71f2423..09483f6 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -1,5 +1,42 @@
## <summary>QEMU machine emulator and virtualizer</summary>
+#######################################
+## <summary>
+## The per role template for the qemu module.
+## </summary>
+## <desc>
+## <p>
+## This template creates a derived domains which are used
+## for qemu web browser.
+## </p>
+## <p>
+## This template is invoked automatically for each user, and
+## generally does not need to be invoked directly
+## by policy writers.
+## </p>
+## </desc>
+## <param name="user_role">
+## <summary>
+## The role associated with the user domain.
+## </summary>
+## </param>
+## <param name="user_domain">
+## <summary>
+## The type of the user domain.
+## </summary>
+## </param>
+#
+template(`qemu_role',`
+ gen_require(`
+ type qemu_t, qemu_exec_t;
+ ')
+
+ role $1 types { qemu_t qemu_config_t };
+
+ domtrans_pattern($2, qemu_exec_t, qemu_t)
+ domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+')
+
########################################
## <summary>
## Execute a domain transition to run qemu.
@@ -40,6 +77,10 @@ interface(`qemu_run',`
qemu_domtrans($1)
role $2 types qemu_t;
+
+ optional_policy(`
+ samba_run_smb(qemu_t, $2, $3)
+ ')
')
########################################
@@ -62,6 +103,24 @@ interface(`qemu_read_state',`
########################################
## <summary>
+## Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_setsched',`
+ gen_require(`
+ type qemu_t;
+ ')
+
+ allow $1 qemu_t:process setsched;
+')
+
+########################################
+## <summary>
## Send a signal to qemu.
## </summary>
## <param name="domain">
@@ -211,3 +270,39 @@ template(`qemu_domain_template',`
# xserver_xdm_rw_shm($1_t)
')
')
+
+########################################
+## <summary>
+## Manage qemu temporary dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_manage_tmp_dirs',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
+
+########################################
+## <summary>
+## Manage qemu temporary files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`qemu_manage_tmp_files',`
+ gen_require(`
+ type qemu_tmp_t;
+ ')
+
+ manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index 1a8edea..b35084f 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -1,5 +1,5 @@
-policy_module(qemu, 1.3.0)
+policy_module(qemu, 1.3.1)
########################################
#
@@ -13,8 +13,36 @@ policy_module(qemu, 1.3.0)
## </desc>
gen_tunable(qemu_full_network, false)
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
+## <desc>
+## <p>
+## Allow qemu to user serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
+
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
+
type qemu_exec_t;
-qemu_domain_template(qemu)
+virt_domain_template(qemu)
application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;
@@ -23,6 +51,9 @@ role system_r types qemu_t;
# qemu local policy
#
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmpfs_files(qemu_t)
+
tunable_policy(`qemu_full_network',`
allow qemu_t self:udp_socket create_socket_perms;
@@ -35,6 +66,40 @@ tunable_policy(`qemu_full_network',`
corenet_tcp_connect_all_ports(qemu_t)
')
+tunable_policy(`qemu_use_cifs',`
+ fs_manage_cifs_dirs(qemu_t)
+ fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+ term_use_unallocated_ttys(qemu_t)
+ dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+ fs_manage_nfs_dirs(qemu_t)
+ fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+ dev_rw_usbfs(qemu_t)
+ fs_manage_dos_dirs(qemu_t)
+ fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
+ samba_domtrans_smbd(qemu_t)
+')
+
+optional_policy(`
+ virt_manage_images(qemu_t)
+ virt_append_log(qemu_t)
+')
+
+optional_policy(`
+ xen_rw_image_files(qemu_t)
+')
+
########################################
#
# qemu_unconfined local policy
@@ -42,7 +107,7 @@ tunable_policy(`qemu_full_network',`
optional_policy(`
type qemu_unconfined_t;
- domain_type(qemu_unconfined_t)
+ application_type(qemu_unconfined_t)
unconfined_domain_noaudit(qemu_unconfined_t)
allow qemu_unconfined_t self:process { execstack execmem };
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index ce739b3..ce2fbb9 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -2,7 +2,6 @@
# e.g.:
# /usr/local/bin/appsrv -- gen_context(system_u:object_r:unconfined_exec_t,s0)
# For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/qemu.* -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/valgrind -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
/usr/bin/vncserver -- gen_context(system_u:object_r:unconfined_exec_t,s0)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 698ce2e..df25576 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
-policy_module(unconfined, 3.1.0)
+policy_module(unconfined, 3.1.1)
########################################
#
More information about the scm-commits
mailing list