From: dominick.grift@gmail.com (grift)
Date: Tue, 01 Jan 2013 11:35:37 +0100
Subject: [refpolicy] [PATCH 11/12] Allow qemu to create TCP sockets (VNC support)
In-Reply-To: <1356994351-29191-12-git-send-email-sven.vermeulen@siphos.be>
References: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be> <1356994351-29191-12-git-send-email-sven.vermeulen@siphos.be>
Message-ID: <1357036537.2088.3.camel@localhost>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> To support binding to a VNC server (as well as GDB remote support), allow
> qemu_t to create a tcp_socket.

I added instead:

-allow virt_domain self:tcp_socket { accept listen }; +allow virt_domain self:tcp_socket create_stream_socket_perms;

This was indeed an issue that was introduced when I removed auth_use_nsswitch support

> Signed-off-by: Sven Vermeulen
> ---
> qemu.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/qemu.te b/qemu.te > index 2e824eb..672acfb 100644 > --- a/qemu.te > +++ b/qemu.te > @@ -28,6 +28,8 @@ role qemu_roles types qemu_t; > # > > tunable_policy(`qemu_full_network',` > + allow qemu_t self:tcp_socket create_stream_socket_perms; > + > corenet_udp_sendrecv_generic_if(qemu_t) > corenet_udp_sendrecv_generic_node(qemu_t) > corenet_udp_sendrecv_all_ports(qemu_t)
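
Review bot: the added allow rule sits inside the qemu_full_network tunable block, while the commit message presents it as what VNC server binding and GDB remote support need; as placed, qemu_t gets create_stream_socket_perms on its own tcp_socket only when that tunable is enabled. Either state that dependency in the commit message or move the rule outside the conditional if VNC is meant to work without full network access. The trailing context shows only corenet_udp_* calls, so also confirm that the block carries the matching TCP corenet rules, because the self:tcp_socket permission alone does not cover the node and port checks applied to a listening socket.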
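
Review bot: in the reply's replacement rule (the -allow/+allow pair on virt_domain), the grant goes to every type carrying the virt_domain attribute rather than to qemu_t alone, and it widens { accept listen } to the full create_stream_socket_perms set. A short comment beside the rule saying why all virt domains need to create TCP stream sockets would document the intent, and it is worth checking whether this rule makes the qemu_t rule in the quoted hunk redundant.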