[selinux-policy: 2750/3172] Qemu patch from Dan Walsh.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 23:04:41 UTC 2010
commit 2c207dfa49a2dfab6bb79ff532e38f5e0a789960
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Tue Jun 22 09:32:35 2010 -0400
Qemu patch from Dan Walsh.
Fix qemu labeling.
Additional qemu interfaces
Allow qemu to read/write removable devices
policy/modules/apps/qemu.fc | 6 ++++--
policy/modules/apps/qemu.if | 2 ++
policy/modules/apps/qemu.te | 8 ++++++--
3 files changed, 12 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/apps/qemu.fc b/policy/modules/apps/qemu.fc
index 3016944..64d877e 100644
--- a/policy/modules/apps/qemu.fc
+++ b/policy/modules/apps/qemu.fc
@@ -1,2 +1,4 @@
-/usr/bin/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
-/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-system-.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/bin/qemu-kvm -- gen_context(system_u:object_r:qemu_exec_t,s0)
+/usr/libexec/qemu.* -- gen_context(system_u:object_r:qemu_exec_t,s0)
diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index fab6940..255d869 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -127,12 +127,14 @@ template(`qemu_domain_template',`
template(`qemu_role',`
gen_require(`
type qemu_t, qemu_exec_t;
+ type qemu_config_t, qemu_config_exec_t;
')
role $1 types { qemu_t qemu_config_t };
domtrans_pattern($2, qemu_exec_t, qemu_t)
domtrans_pattern($2, qemu_config_exec_t, qemu_config_t)
+ allow qemu_t $2:process signull;
')
########################################
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index 1739d59..a3225d4 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -1,4 +1,4 @@
-policy_module(qemu, 1.4.0)
+policy_module(qemu, 1.4.1)
########################################
#
@@ -50,6 +50,9 @@ role system_r types qemu_t;
# qemu local policy
#
+storage_raw_write_removable_device(qemu_t)
+storage_raw_read_removable_device(qemu_t)
+
userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)
@@ -108,7 +111,8 @@ optional_policy(`
type unconfined_qemu_t;
typealias unconfined_qemu_t alias qemu_unconfined_t;
application_type(unconfined_qemu_t)
- unconfined_domain_noaudit(unconfined_qemu_t)
+ unconfined_domain(unconfined_qemu_t)
allow unconfined_qemu_t self:process { execstack execmem };
+ allow unconfined_qemu_t qemu_exec_t:file execmod;
')
More information about the scm-commits
mailing list