[selinux-policy: 2418/3172] Qemu patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:34:34 UTC 2010


commit 72295e93e100539694d5d08ba8cf051ed33c5eed
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Fri Feb 19 10:15:19 2010 -0500

    Qemu patch from Dan Walsh.

 policy/modules/apps/qemu.fc         |    4 +-
 policy/modules/apps/qemu.if         |   95 +++++++++++++++++++++++++++++++++++
 policy/modules/apps/qemu.te         |   71 +++++++++++++++++++++++++-
 policy/modules/system/unconfined.fc |    1 -
 policy/modules/system/unconfined.te |    2 +-
 5 files changed, 166 insertions(+), 7 deletions(-)
---
diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
index 18bdc9d..3016944 100644
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@@ -1,2 +1,2 @@
-/usr/bin/qemu	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/bin/qemu-kvm --	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* --	gen_context(system_u:object_r:qemu_exec_t,s0)
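Review bot: The two new patterns `/usr/bin/qemu.*` and `/usr/libexec/qemu.*` label every file whose name begins with `qemu` as `qemu_exec_t`, so any helper utility that merely shares the prefix becomes an entry point into the qemu domain alongside the emulator binaries. This commit also removes the `/usr/bin/qemu.*` entry from unconfined.fc, so everything the pattern matches changes domain at once. Narrower expressions that enumerate the emulator names would keep the entry-point set explicit, for example `/usr/bin/qemu(-kvm|-system-.*)?` (constructed example; adjust to the binaries actually shipped).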
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index 71f2423..09483f6 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -1,5 +1,42 @@
 ## <summary>QEMU machine emulator and virtualizer</summary>
 
+#######################################
+## <summary>
+##	The per role template for the qemu module.
+## </summary>
+## <desc>
+##	<p>
+##	This template creates a derived domains which are used
+##	for qemu web browser.
+##	</p>
+##	<p>
+##	This template is invoked automatically for each user, and
+##	generally does not need to be invoked directly
+##	by policy writers.
+##	</p>
+## </desc>
+## <param name="user_role">
+##	<summary>
+##	The role associated with the user domain.
+##	</summary>
+## </param>
+## <param name="user_domain">
+##	<summary>
+##	The type of the user domain.
+##	</summary>
+## </param>
+#
+template(`qemu_role',`
+	gen_require(`
+		type qemu_t, qemu_exec_t;
+	')
+
+	role $1 types { qemu_t qemu_config_t };
+
+	domtrans_pattern($2, qemu_exec_t, qemu_t)
+ 	domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+')
+
 ########################################
 ## <summary>
 ##	Execute a domain transition to run qemu.
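Review bot: `qemu_role` uses `qemu_config_t` and `qemu_config_exec_t` in the `role` statement and in the second `domtrans_pattern`, but its `gen_require` block lists only `qemu_t, qemu_exec_t`, and no hunk in this commit declares either config type. The require line should read `type qemu_t, qemu_exec_t, qemu_config_t, qemu_config_exec_t;`, or the two config references should be dropped if those types do not exist. The description also looks copied from another module: "a derived domains which are used for qemu web browser" would be better as `This template creates the derived domains used to run qemu.`. The second `domtrans_pattern` line is indented with a space before the tab.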
@@ -40,6 +77,10 @@ interface(`qemu_run',`
 
 	qemu_domtrans($1)
 	role $2 types qemu_t;
+
+	optional_policy(`
+		samba_run_smb(qemu_t, $2, $3)
+	')
 ')
 
 ########################################
@@ -62,6 +103,24 @@ interface(`qemu_read_state',`
 
 ########################################
 ## <summary>
+##	Set the schedule on qemu.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_setsched',`
+	gen_require(`
+		type qemu_t;
+	')
+
+	allow $1 qemu_t:process setsched;
+')
+
+########################################
+## <summary>
 ##	Send a signal to qemu.
 ## </summary>
 ## <param name="domain">
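Review bot: The summary `Set the schedule on qemu.` does not say what is granted. The rule allows `setsched` on `qemu_t` processes, so `##	Set the scheduling parameters of qemu processes.` would be accurate. The trailing context lines belong to the next interface, which continues outside this hunk.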
@@ -211,3 +270,39 @@ template(`qemu_domain_template',`
 #		xserver_xdm_rw_shm($1_t)
 	')
 ')
+
+########################################
+## <summary>
+##	Manage qemu temporary dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_manage_tmp_dirs',`
+	gen_require(`
+		type qemu_tmp_t;
+	')
+
+	manage_dirs_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
+
+########################################
+## <summary>
+##	Manage qemu temporary files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`qemu_manage_tmp_files',`
+	gen_require(`
+		type qemu_tmp_t;
+	')
+
+	manage_files_pattern($1, qemu_tmp_t, qemu_tmp_t)
+')
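Review bot: Both new interfaces require `qemu_tmp_t`, while the qemu.te part of this commit replaces `qemu_domain_template(qemu)` with `virt_domain_template(qemu)`. The type now has to be declared by that virt template, which is not visible here, so confirm it still exists; otherwise the `gen_require` in these interfaces cannot be satisfied. The summaries would also be clearer if they spelled out what "manage" covers: `##	Create, read, write, and delete qemu temporary directories.`, and likewise for files.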
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index 1a8edea..b35084f 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -1,5 +1,5 @@
 
-policy_module(qemu, 1.3.0)
+policy_module(qemu, 1.3.1)
 
 ########################################
 #
@@ -13,8 +13,36 @@ policy_module(qemu, 1.3.0)
 ## </desc>
 gen_tunable(qemu_full_network, false)
 
+## <desc>
+## <p>
+## Allow qemu to use cifs/Samba file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_cifs, true)
+
+## <desc>
+## <p>
+## Allow qemu to user serial/parallel communication ports
+## </p>
+## </desc>
+gen_tunable(qemu_use_comm, false)
+
+## <desc>
+## <p>
+## Allow qemu to use nfs file systems
+## </p>
+## </desc>
+gen_tunable(qemu_use_nfs, true)
+
+## <desc>
+## <p>
+## Allow qemu to use usb devices
+## </p>
+## </desc>
+gen_tunable(qemu_use_usb, true)
+
 type qemu_exec_t;
-qemu_domain_template(qemu)
+virt_domain_template(qemu)
 application_domain(qemu_t, qemu_exec_t)
 role system_r types qemu_t;
 
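Review bot: `qemu_use_cifs`, `qemu_use_nfs` and `qemu_use_usb` are created with a default of `true`, unlike the existing `qemu_full_network` and the new `qemu_use_comm`, which default to `false`. A confined emulator running an untrusted guest therefore gets network-filesystem and USB access unless the administrator turns it off; `gen_tunable(qemu_use_cifs, false)` (and the same for nfs and usb) would make the access opt-in. The top-level switch to `virt_domain_template(qemu)` also makes the virt module a hard dependency of qemu, although the later virt calls in this file are wrapped in `optional_policy`. The `qemu_use_comm` description has a typo: "to user serial" should read "to use serial".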
@@ -23,6 +51,9 @@ role system_r types qemu_t;
 # qemu local policy
 #
 
+userdom_search_user_home_content(qemu_t)
+userdom_read_user_tmpfs_files(qemu_t)
+
 tunable_policy(`qemu_full_network',`
 	allow qemu_t self:udp_socket create_socket_perms;
 
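Review bot: `userdom_search_user_home_content(qemu_t)` and `userdom_read_user_tmpfs_files(qemu_t)` are granted unconditionally, outside any tunable or `optional_policy`. Read access to user tmpfs files presumably covers shared-memory segments created by other programs in the user's session, which is more than disk-image access needs. A one-line comment giving the reason for each call, or moving them under a boolean, would make the intent reviewable. The `tunable_policy` block in the trailing context continues outside this hunk.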
@@ -35,6 +66,40 @@ tunable_policy(`qemu_full_network',`
 	corenet_tcp_connect_all_ports(qemu_t)
 ')
 
+tunable_policy(`qemu_use_cifs',`
+	fs_manage_cifs_dirs(qemu_t)
+	fs_manage_cifs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_comm',`
+	term_use_unallocated_ttys(qemu_t)
+	dev_rw_printer(qemu_t)
+')
+
+tunable_policy(`qemu_use_nfs',`
+	fs_manage_nfs_dirs(qemu_t)
+	fs_manage_nfs_files(qemu_t)
+')
+
+tunable_policy(`qemu_use_usb',`
+	dev_rw_usbfs(qemu_t)
+	fs_manage_dos_dirs(qemu_t)
+	fs_manage_dos_files(qemu_t)
+')
+
+optional_policy(`
+	samba_domtrans_smbd(qemu_t)
+')
+
+optional_policy(`
+	virt_manage_images(qemu_t)
+	virt_append_log(qemu_t)
+')
+
+optional_policy(`
+	xen_rw_image_files(qemu_t)
+')
+
 ########################################
 #
 # qemu_unconfined local policy
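Review bot: `samba_domtrans_smbd(qemu_t)` sits in a bare `optional_policy`, so qemu_t may transition to the smbd domain whenever the samba module is present, independent of `qemu_use_cifs` or any other boolean. Wrapping the call in a `tunable_policy` block inside that `optional_policy` would let administrators turn it off. In the `qemu_use_usb` block, `fs_manage_dos_dirs` and `fs_manage_dos_files` grant create and delete on DOS-type filesystems in general, not only on USB media, which the tunable description ("use usb devices") does not mention. The cifs and nfs blocks likewise grant full manage on the share; if qemu only needs to read and write image files there, narrower interfaces would be enough.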
@@ -42,7 +107,7 @@ tunable_policy(`qemu_full_network',`
 
 optional_policy(`
 	type qemu_unconfined_t;
-	domain_type(qemu_unconfined_t)
+	application_type(qemu_unconfined_t)
 	unconfined_domain_noaudit(qemu_unconfined_t)
 
 	allow qemu_unconfined_t self:process { execstack execmem };
diff --git a/policy/modules/system/unconfined.fc b/policy/modules/system/unconfined.fc
index ce739b3..ce2fbb9 100644
--- a/policy/modules/system/unconfined.fc
+++ b/policy/modules/system/unconfined.fc
@@ -2,7 +2,6 @@
 # e.g.:
 # /usr/local/bin/appsrv		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 # For the time being until someone writes a sane policy, we need initrc to transition to unconfined_t
-/usr/bin/qemu.*			--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/valgrind 		--	gen_context(system_u:object_r:unconfined_execmem_exec_t,s0)
 /usr/bin/vncserver		--	gen_context(system_u:object_r:unconfined_exec_t,s0)
 
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 698ce2e..df25576 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -1,5 +1,5 @@
 
-policy_module(unconfined, 3.1.0)
+policy_module(unconfined, 3.1.1)
 
 ########################################
 #

