[selinux-policy: 2750/3172] Qemu patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 23:04:41 UTC 2010


commit 2c207dfa49a2dfab6bb79ff532e38f5e0a789960
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jun 22 09:32:35 2010 -0400

    Qemu patch from Dan Walsh.
    
    Fix qemu labeling.
    
    Additional qemu interfaces
    
    Allow qemu to read/write removable devices

 policy/modules/apps/qemu.fc |    6 ++++--
 policy/modules/apps/qemu.if |    2 ++
 policy/modules/apps/qemu.te |    8 ++++++--
 3 files changed, 12 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
index 3016944..64d877e 100644
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@@ -1,2 +1,4 @@
-/usr/bin/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/libexec/qemu.* --	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu		--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm	--	gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.*	--	gen_context(system_u:object_r:qemu_exec_t,s0)
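Review bot: The `/usr/libexec/qemu.*` entry on the last added line is still an open-ended wildcard, while the `/usr/bin` entries in this hunk were narrowed to named binaries. Anything installed under that prefix is labelled `qemu_exec_t`, and so presumably becomes an entry point into `qemu_t` through the `domtrans_pattern` call in qemu.if. If only the emulator binary is expected there, an explicit path would match the intent of the rest of the change. Otherwise a comment above the entries, such as `# only the system emulators are entry points; other qemu tools keep their default label`, would record why the two directories are treated differently.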
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index fab6940..255d869 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -127,12 +127,14 @@ template(`qemu_domain_template',`
 template(`qemu_role',`
 	gen_require(`
 		type qemu_t, qemu_exec_t;
+		type qemu_config_t, qemu_config_exec_t;
 	')
 
 	role $1 types { qemu_t qemu_config_t };
 
 	domtrans_pattern($2, qemu_exec_t, qemu_t)
  	domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+	allow qemu_t $2:process signull;
 ')
 
 ########################################
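Review bot: The added `allow qemu_t $2:process signull;` carries no comment, and it applies to every domain passed as `$2` to `qemu_role`. signull only lets `qemu_t` test whether a process in the caller's domain exists, but the reason for needing it is not visible in the hunk. A one-line comment above the rule, such as `# qemu probes whether the launching user process is still alive` (wording to be confirmed by the author), would let a later reviewer judge whether it is still required. The interface's documentation header is outside the hunk and may need the same mention. As a style point, the context line `domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)` is indented with a space before the tab, unlike its neighbours.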
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index 1739d59..a3225d4 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.4.0)
+policy_module(qemu, 1.4.1)
 
 ########################################
 #
@@ -50,6 +50,9 @@ role system_r types qemu_t;
 # qemu local policy
 #
 
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
 userdom_search_user_home_content(qemu_t)
 userdom_read_user_tmpfs_files(qemu_t)
 
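Review bot: `storage_raw_write_removable_device(qemu_t)` and `storage_raw_read_removable_device(qemu_t)` are granted unconditionally, so every process in `qemu_t` gets raw block access to removable devices on the host, including hosts that never pass media through to a guest. Raw write access works below the file-level labels on that media, which widens what a compromised emulator process can reach. Gating the two calls behind a boolean that defaults to off keeps the feature available while preserving least privilege. The `gen_tunable` declaration belongs in the declarations section, which is outside this hunk, and the boolean name in the sketch below is a placeholder.

```selinux
## <desc>
## <p>
## Allow qemu to read and write removable devices directly.
## </p>
## </desc>
gen_tunable(qemu_use_removable_PLACEHOLDER, false)

# … unchanged: "qemu local policy" header …
tunable_policy(`qemu_use_removable_PLACEHOLDER',`
	storage_raw_write_removable_device(qemu_t)
	storage_raw_read_removable_device(qemu_t)
')
# … unchanged: userdom_* calls …
```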
@@ -108,7 +111,8 @@ optional_policy(`
 	type unconfined_qemu_t;
 	typealias unconfined_qemu_t alias qemu_unconfined_t;
 	application_type(unconfined_qemu_t)
-	unconfined_domain_noaudit(unconfined_qemu_t)
+	unconfined_domain(unconfined_qemu_t)
 
 	allow unconfined_qemu_t self:process { execstack execmem };
+	allow unconfined_qemu_t qemu_exec_t:file execmod;
 ')
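Review bot: The added `allow unconfined_qemu_t qemu_exec_t:file execmod;` permits text relocations on the emulator binary itself, on top of the `execstack` and `execmem` already allowed on the line above, and nothing in the hunk or the commit message says which build needs it. A comment such as `# qemu binaries built with text relocations need execmod` (to be confirmed by the author) would document the exception so it can be dropped once the binary no longer requires it. The switch from `unconfined_domain_noaudit` to `unconfined_domain` is also unexplained; its effect depends on macro definitions in the unconfined module, which are not shown here. The enclosing `optional_policy` block starts outside the hunk.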

