diff --git a/policy/modules/apps/qemu.if b/policy/modules/apps/qemu.if
index e5ce6d32e4..f291ed721e 100644
--- a/policy/modules/apps/qemu.if
+++ b/policy/modules/apps/qemu.if
@@ -185,6 +185,25 @@ interface(`qemu_run',`
roleattribute $2 qemu_roles;
')
+########################################
+##
+## Allow a domain to be in the qemu role
+##
+##
+##
+## Domain allowed in the role
+##
+##
+##
+#
+interface(`qemu_domain',`
+ gen_require(`
+ attribute_role qemu_roles;
+ ')
+
+ role qemu_roles types $1;
+')
+
########################################
##
## Read qemu process state files.
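Review bot: The summary `## Allow a domain to be in the qemu role` undersells what `role qemu_roles types $1;` does: `qemu_roles` is an `attribute_role`, so the interface associates the caller's type with every role that carries that attribute, i.e. every role that has been passed to `qemu_role()`, not one fixed role. A summary such as `## Associate a domain type with all roles carrying the qemu_roles attribute, so any role granted qemu_role() may run it` states the actual scope, and the name `qemu_domain` reads as if it made $1 a qemu domain type, so the summary should say explicitly that it is a role association only. The `##` lines between the summary and `interface(` appear empty in this view; if the `<summary>`/`<param name="domain">` markup was genuinely dropped rather than lost in rendering, the param block for $1 is needed for the generated interface docs.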
diff --git a/policy/modules/apps/qemu.te b/policy/modules/apps/qemu.te
index efc5fc76cc..955db1b33f 100644
--- a/policy/modules/apps/qemu.te
+++ b/policy/modules/apps/qemu.te
@@ -43,9 +43,15 @@ init_unit_file(qemu_unit_t)
dev_read_sysfs(qemu_t)
+allow qemu_t self:anon_inode { create map read write };
+allow qemu_t self:io_uring allowed;
allow qemu_t qemu_runtime_t:sock_file create_sock_file_perms;
files_runtime_filetrans(qemu_t, qemu_runtime_t, sock_file)
+kernel_read_vm_sysctls(qemu_t)
+
+files_mmap_read_boot_files(qemu_t)
+
tunable_policy(`qemu_full_network',`
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
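Review bot: `allow qemu_t self:io_uring allowed;` on the second added line uses a permission name I am not aware of in the `io_uring` class (the kernel classmap defines `override_creds`, `sqpoll` and `cmd`), so confirm it is declared in this policy's access vectors, otherwise the policy will not build. Beyond the build question, `override_creds` and `sqpoll` let a domain run kernel-side I/O under the ring creator's credentials, which is a broad kernel attack surface to hand to an emulator whose I/O patterns are driven by the guest, and the same hunk also opens `anon_inode { create map read write }` with no explanation. Granting only the io_uring permissions QEMU's io_uring AIO backend actually needs, with a comment naming that feature (e.g. `# io_uring AIO backend (-drive aio=io_uring)`), would keep the grant auditable and make it easy to turn into a tunable later if the wider surface is a concern.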
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 3a82425685..9a1f7d670b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -903,6 +903,10 @@ optional_policy(`
pyzor_role(sysadm, sysadm_t, sysadm_application_exec_domain, sysadm_r)
')
+optional_policy(`
+ qemu_role(sysadm_r, sysadm_t)
+')
+
optional_policy(`
qpidd_admin(sysadm_t, sysadm_r)
')
diff --git a/policy/modules/services/virt.te b/policy/modules/services/virt.te
index 0f6dc341e2..08ca14ecf4 100644
--- a/policy/modules/services/virt.te
+++ b/policy/modules/services/virt.te
@@ -1125,7 +1125,7 @@ optional_policy(`
# Bridgehelper local policy
#
-allow virt_bridgehelper_t self:process { getcap setcap };
+allow virt_bridgehelper_t self:process { getcap setcap getsched };
allow virt_bridgehelper_t self:capability { net_admin setgid setpcap setuid };
allow virt_bridgehelper_t self:tcp_socket create_stream_socket_perms;
allow virt_bridgehelper_t self:tun_socket create_socket_perms;
@@ -1136,13 +1136,24 @@ allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
+kernel_getattr_proc(virt_bridgehelper_t)
+kernel_read_kernel_sysctls(virt_bridgehelper_t)
kernel_read_network_state(virt_bridgehelper_t)
+kernel_read_system_state(virt_bridgehelper_t)
+
+dev_read_sysfs(virt_bridgehelper_t)
corenet_rw_tun_tap_dev(virt_bridgehelper_t)
+domain_use_interactive_fds(virt_bridgehelper_t)
+
userdom_search_user_home_dirs(virt_bridgehelper_t)
userdom_use_user_ptys(virt_bridgehelper_t)
+optional_policy(`
+ qemu_domain(virt_bridgehelper_t)
+')
+
########################################
#
# Leaseshelper local policy
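Review bot: `kernel_read_system_state(virt_bridgehelper_t)` and `kernel_read_kernel_sysctls(virt_bridgehelper_t)` give the bridge helper read access to system-wide /proc state and kernel sysctls, a noticeably wider read surface for a domain that the earlier hunk in this file shows holding `net_admin setgid setpcap setuid`. If these came from AVC denials, a comment naming the triggering access (e.g. `# reads <path> at startup` with the observed path) would let the grants be narrowed to a specific interface later instead of being carried forward as-is. The `qemu_domain(virt_bridgehelper_t)` association presumably pairs with a domain transition from qemu_t to virt_bridgehelper_t defined elsewhere in virt.te; that transition is outside this hunk, so verify the role association is actually exercised and not left as a dormant grant.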