From: dwalsh <dwalsh@redhat.com>
Date: Thu, 10 Nov 2011 14:14:04 +0000 (-0500)
Subject: Remove need for qemu.te file altogether by moving qemu_exec_t to virt.te
X-Git-Tag: 000~145
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cff86dc3570e170995e7a77dc380833c0ff21e53;p=people%2Fstevee%2Fselinux-policy.git

Remove need for qemu.te file altogether by moving qemu_exec_t to virt.te
---

diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index 50a3a34f..606d712f 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -40,9 +40,7 @@ gen_tunable(qemu_use_nfs, true)
 ## </desc>
 gen_tunable(qemu_use_usb, true)
 
-type qemu_exec_t;
 virt_domain_template(qemu)
-application_domain(qemu_t, qemu_exec_t)
 role system_r types qemu_t;
 
 ########################################
diff --git a/policy/modules/services/virt.if b/policy/modules/services/virt.if
index 9f0c49b6..3fd8f12e 100644
--- a/policy/modules/services/virt.if
+++ b/policy/modules/services/virt.if
@@ -16,10 +16,11 @@ template(`virt_domain_template',`
 		attribute virt_image_type, virt_domain;
 		attribute virt_tmpfs_type;
 		attribute virt_ptynode;
+		type qemu_exec_t;
 	')
 
 	type $1_t, virt_domain;
-	domain_type($1_t)
+	application_domain($1_t, qemu_exec_t)
 	domain_user_exemption_target($1_t)
 	mls_rangetrans_target($1_t)
 	mcs_untrusted_proc($1_t)
@@ -850,3 +851,21 @@ template(`virt_lxc_domain_template',`
 	role system_r types $1_t;
 ')
 
+########################################
+## <summary>
+##	Execute a qemu_exec_t in the callers domain
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`virt_exec_qemu',`
+	gen_require(`
+		type qemu_exec_t;
+	')
+
+	can_exec($1, qemu_exec_t)
+')
+
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 334b676a..32092f09 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -73,11 +73,14 @@ gen_tunable(virt_use_usb, true)
 
 virt_domain_template(svirt)
 role system_r types svirt_t;
+typealias svirt_t alias qemu_t;
 
 attribute virt_domain;
 attribute virt_image_type;
 attribute virt_tmpfs_type;
 
+type qemu_exec_t;
+
 type virt_cache_t alias svirt_cache_t;
 files_type(virt_cache_t)
 
@@ -275,6 +278,9 @@ allow virtd_t virt_domain:process { getattr getsched setsched transition signal
 allow virt_domain virtd_t:fd use;
 dontaudit virt_domain virtd_t:unix_stream_socket { read write };
 
+can_exec(virtd_t, qemu_exec_t)
+can_exec(virt_domain, qemu_exec_t)
+
 allow virtd_t qemu_var_run_t:file relabel_file_perms;
 manage_dirs_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
 manage_files_pattern(virtd_t, qemu_var_run_t, qemu_var_run_t)
@@ -644,11 +650,6 @@ optional_policy(`
 	pulseaudio_dontaudit_exec(virt_domain)
 ')
 
-optional_policy(`
-    qemu_entry_type(virt_domain)
-    qemu_exec(virt_domain)
-')
-
 optional_policy(`
 	virt_read_config(virt_domain)
 	virt_read_lib_files(virt_domain)