From: sven.vermeulen@siphos.be (Sven Vermeulen)
Date: Sat, 17 Nov 2012 21:58:55 +0100
Subject: [refpolicy] [PATCH v1 9/9] Running qemu with SDL support requires more xserver-related privileges
In-Reply-To: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
References: <1353185935-17421-1-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1353185935-17421-10-git-send-email-sven.vermeulen@siphos.be>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

When trying to start qemu with SDL, the qemu application just fails with the
following denial in the logs:

Nov 11 18:06:44 lain kernel: [20076.499347] type=1400 audit(1352653604.042:3987): avc: denied { read } for pid=28245 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file

Although the application seems to run with just xserver_read_user_xauth(qemu_t)
set, it does still provide denials like the following:

Nov 14 20:58:51 lain kernel: [39885.690744] type=1400 audit(1352923131.430:154): avc: denied { unix_read unix_write } for pid=1973 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm

As qemu is acting as an X11 application (when built with SDL support), it makes
sense to use xserver_user_x_domain_template.

Signed-off-by: Sven Vermeulen
---
 qemu.te | 4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/qemu.te b/qemu.te
index ce0bf86..6d167d7 100644
--- a/qemu.te
+++ b/qemu.te
@@ -37,6 +37,10 @@ tunable_policy(`qemu_full_network',`
 corenet_tcp_connect_all_ports(qemu_t)
 ')
 
+optional_policy(`
+ xserver_user_x_domain_template(qemu, qemu_t, qemu_tmpfs_t)
+')
+
 ########################################
 #
 # Unconfined local policy
-- 
1.7.8.6
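Review bot: the hunk makes qemu_t a full X client domain via xserver_user_x_domain_template, which is considerably wider than the two denials the message quotes (qemu_t reading xauth_home_t, and xserver_t doing unix_read/unix_write on qemu_t's shm), and the message itself says the narrower xserver_read_user_xauth(qemu_t) already got the application running; the commit message should state explicitly that the wider X-client access is wanted because the SDL frontend renders through the X server, rather than leaving a reader to infer that from two denials. Two smaller points on the added block: the third argument qemu_tmpfs_t is not declared in this hunk, so confirm qemu.te declares that type before the template call (the template needs it to exist); and the block carries no comment, so add a one-line comment above optional_policy(` in refpolicy style (e.g. `# SDL frontend: qemu acts as an X11 client') so the reason survives in the .te file without the mail archive.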
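The two denials in the mail show a pattern worth making mechanical when reading AVC logs: the first has qemu_t as the source, the second has xserver_t as the source and qemu_t as the target, so a rule written only for qemu_t (or only for one direction) would leave the shm denial in place. The following is an added example, not part of the patch or of refpolicy: a small Python parser that extracts the context types, object class and permissions from AVC denial lines, groups them by (source type, target type, class), and renders the raw allow rules the way audit2allow would. The two log lines are copied from the mail above as constructed sample input; the function names are this example's own, and in refpolicy the grouped result is a starting point for choosing an interface (such as xserver_read_user_xauth or the X domain template), not for pasting raw allow rules into qemu.te.

```python
import re
from collections import defaultdict

# Constructed sample input: the two denial lines quoted in the mail above.
SAMPLE_LOG = """\
Nov 11 18:06:44 lain kernel: [20076.499347] type=1400 audit(1352653604.042:3987): avc: denied { read } for pid=28245 comm="qemu-system-x86" name=".Xauthority" dev="dm-0" ino=20709392 scontext=staff_u:staff_r:qemu_t tcontext=staff_u:object_r:xauth_home_t tclass=file
Nov 14 20:58:51 lain kernel: [39885.690744] type=1400 audit(1352923131.430:154): avc: denied { unix_read unix_write } for pid=1973 comm="X" key=0 scontext=staff_u:staff_r:xserver_t tcontext=staff_u:staff_r:qemu_t tclass=shm
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC line, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "verdict": m.group("verdict"),
        "perms": set(m.group("perms").split()),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "comm": fields.get("comm"),
        "fields": fields,
    }


def context_type(ctx):
    """Extract the type from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def summarize(log_text):
    """Group denials into {(source type, target type, class): set of permissions}."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None or d["verdict"] != "denied":
            continue
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        needed[key] |= d["perms"]
    return dict(needed)


def involving(summary, domain):
    """Split the grouped denials by whether `domain` is the source or the target.

    This is the check the mail's second denial illustrates: xserver_t is the
    source there, so a rule granting qemu_t more access would not clear it.
    """
    as_source = sorted(k for k in summary if k[0] == domain)
    as_target = sorted(k for k in summary if k[1] == domain)
    return {"as_source": as_source, "as_target": as_target}


def te_rules(summary):
    """Render raw allow rules, audit2allow style, one per (source, target, class)."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(summary.items())
    ]


if __name__ == "__main__":
    grouped = summarize(SAMPLE_LOG)
    for rule in te_rules(grouped):
        print(rule)
    print(involving(grouped, "qemu_t"))
```

Running the block prints two allow rules with different source domains, which is the signal that a single-domain fix such as xserver_read_user_xauth(qemu_t) cannot cover the second denial on its own; whether the answer is a pair of narrow interfaces or the X domain template, as the patch chooses, is a policy decision the grouped output makes visible rather than answers.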