policy_module(qemu, 1.7.0)

########################################
#
# Declarations
#

## <desc>
## <p>
## Allow qemu to connect fully to the network
## </p>
## </desc>
gen_tunable(qemu_full_network, false)

## <desc>
## <p>
## Allow qemu to use cifs/Samba file systems
## </p>
## </desc>
gen_tunable(qemu_use_cifs, true)

## <desc>
## <p>
## Allow qemu to use serial/parallel communication ports
## </p>
## </desc>
gen_tunable(qemu_use_comm, false)

## <desc>
## <p>
## Allow qemu to use nfs file systems
## </p>
## </desc>
gen_tunable(qemu_use_nfs, true)

## <desc>
## <p>
## Allow qemu to use usb devices
## </p>
## </desc>
gen_tunable(qemu_use_usb, true)

virt_domain_template(qemu)
role system_r types qemu_t;

########################################
#
# qemu local policy
#

storage_raw_write_removable_device(qemu_t)
storage_raw_read_removable_device(qemu_t)

userdom_search_user_home_content(qemu_t)
userdom_read_user_tmpfs_files(qemu_t)
userdom_stream_connect(qemu_t)

tunable_policy(`qemu_full_network',`
	allow qemu_t self:udp_socket create_socket_perms;

	corenet_udp_sendrecv_generic_if(qemu_t)
	corenet_udp_sendrecv_generic_node(qemu_t)
	corenet_udp_sendrecv_all_ports(qemu_t)
	corenet_udp_bind_generic_node(qemu_t)
	corenet_udp_bind_all_ports(qemu_t)
	corenet_tcp_bind_all_ports(qemu_t)
	corenet_tcp_connect_all_ports(qemu_t)
')

tunable_policy(`qemu_use_cifs',`
	fs_manage_cifs_dirs(qemu_t)
	fs_manage_cifs_files(qemu_t)
')

tunable_policy(`qemu_use_comm',`
	term_use_unallocated_ttys(qemu_t)
	dev_rw_printer(qemu_t)
')

tunable_policy(`qemu_use_nfs',`
	fs_manage_nfs_dirs(qemu_t)
	fs_manage_nfs_files(qemu_t)
')

tunable_policy(`qemu_use_usb',`
	dev_rw_usbfs(qemu_t)
	fs_manage_dos_dirs(qemu_t)
	fs_manage_dos_files(qemu_t)
')

optional_policy(`
	dbus_read_lib_files(qemu_t)
')

optional_policy(`
	pulseaudio_manage_home_files(qemu_t)
	pulseaudio_stream_connect(qemu_t)
')

optional_policy(`
	tunable_policy(`qemu_use_cifs',`
		samba_domtrans_smbd(qemu_t)
	')
')

optional_policy(`
	virt_domtrans_bridgehelper(qemu_t)
')

optional_policy(`
	virt_manage_home_files(qemu_t)
	virt_manage_images(qemu_t)
	virt_append_log(qemu_t)
')

optional_policy(`
	xen_rw_image_files(qemu_t)
')

optional_policy(`
	xserver_read_xdm_pid(qemu_t)
	xserver_stream_connect(qemu_t)
')