## </desc>
gen_tunable(qemu_use_usb, true)
-type qemu_exec_t;
virt_domain_template(qemu)
-application_domain(qemu_t, qemu_exec_t)
role system_r types qemu_t;
########################################
attribute virt_image_type, virt_domain;
attribute virt_tmpfs_type;
attribute virt_ptynode;
+ type qemu_exec_t;
')
type $1_t, virt_domain;
- domain_type($1_t)
+ application_domain($1_t, qemu_exec_t)
domain_user_exemption_target($1_t)
mls_rangetrans_target($1_t)
mcs_untrusted_proc($1_t)
role system_r types $1_t;
')
+########################################
+## <summary>
+## Execute a qemu_exec_t in the callers domain
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_exec_qemu',`
+ gen_require(`
+ type qemu_exec_t;
+ ')
+
+ can_exec($1, qemu_exec_t)
+')
+
virt_domain_template(svirt)
role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
attribute virt_domain;
attribute virt_image_type;
attribute virt_tmpfs_type;
+type qemu_exec_t;
+
type virt_cache_t alias svirt_cache_t;
files_type(virt_cache_t)
allow virt_domain virtd_t:fd use;
dontaudit virt_domain virtd_t:unix_stream_socket { read write };
+can_exec(virtd_t, qemu_exec_t)
+can_exec(virt_domain, qemu_exec_t)
+
allow virtd_t qemu_var_run_t:file relabel_file_perms;
manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
pulseaudio_dontaudit_exec(virt_domain)
')
-optional_policy(`
- qemu_entry_type(virt_domain)
- qemu_exec(virt_domain)
-')
-
optional_policy(`
virt_read_config(virt_domain)
virt_read_lib_files(virt_domain)
projects / people / stevee / selinux-policy.git / commitdiff
