diff --git a/Changelog b/Changelog
index 597655e..2ded877 100644
--- a/Changelog
+++ b/Changelog
@@ -109,6 +109,7 @@
munin
nagios
nessus
+ netlabel (Paul Moore)
nsd
ntop
nx
diff --git a/policy/mls b/policy/mls
index 9398d84..26b3ef0 100644
--- a/policy/mls
+++ b/policy/mls
@@ -165,7 +165,7 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
( h1 dom h2 );
# the socket "read" ops (note the check is dominance of the low level)
-mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recvfrom recv_msg }
+mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { read getattr listen accept getopt recv_msg }
(( l1 dom l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
( t1 == mlsnetread ));
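Review bot: Removing `recvfrom` from the read-ops constraint on the `+mlsconstrain` line drops the low-level dominance check for every socket class in that list, while the replacement added in the next hunk (`mlsconstrain { tcp_socket udp_socket } recvfrom`) covers only tcp_socket and udp_socket. Unless it is constrained elsewhere in the file, `recvfrom` on rawip_socket, packet_socket, key_socket, the unix_* and the netlink_* classes is now unconstrained by MLS, and the "these access vectors have no MLS restrictions" comment after the new block does not list it either. If the same-level rule is meant only for the classes NetLabel labels, keep the remaining classes under the original dominance body with a second constraint such as `mlsconstrain { rawip_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } recvfrom`, or extend the new constraint to them. Either way the comment on the new constraint should record which treatment was intended for the other classes.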
@@ -181,6 +181,12 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
+# used by netlabel to restrict normal domains to same level connections
+mlsconstrain { tcp_socket udp_socket } recvfrom
+ (( l1 eq l2 ) or
+ (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsnetread ));
+
# these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
#
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 9f65efa..51492bb 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1436,6 +1436,64 @@ interface(`corenet_dontaudit_non_ipsec_sendrecv',`
########################################
##
+## Receive TCP packets from a NetLabel connection.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_tcp_recv_netlabel',`
+ kernel_tcp_recvfrom_unlabeled($1)
+')
+
+########################################
+##
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`corenet_dontaudit_tcp_recv_netlabel',`
+ kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+')
+
+########################################
+##
+## Receive UDP packets from a NetLabel connection.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_udp_recv_netlabel',`
+ kernel_udp_recvfrom_unlabeled($1)
+')
+
+########################################
+##
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection.
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`corenet_dontaudit_udp_recv_netlabel',`
+ kernel_dontaudit_udp_recvfrom_unlabeled($1)
+')
+
+########################################
+##
## Send generic client packets.
##
##
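Review bot: The summaries of these four interfaces say "from a NetLabel connection", but nothing in their descriptions tells a caller what is actually granted: each wrapper calls a kernel.if interface whose rule is `recvfrom` with a peer of type `unlabeled_t` (`allow $1 unlabeled_t:tcp_socket recvfrom;` in the kernel.if hunk), and the same-level restriction only exists through the `recvfrom` constraint added in policy/mls. On a build without MLS the interface therefore permits receiving from any unlabeled peer, which appears to be why the userdomain.if hunk wraps its calls in an enable_mls ifdef. Suggest one sentence in each description, here and in the four kernel.if blocks: `## The peer is labeled unlabeled_t; the same-level restriction is the recvfrom constraint in policy/mls and only applies on MLS builds.`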
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 610cd10..31e961f 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.18)
+policy_module(corenetwork,1.1.19)
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 13da037..14194f2 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2205,6 +2205,128 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
##
+## Receive TCP packets from a NetLabel connection.
+##
+##
+##
+## Receive TCP packets from a NetLabel connection, NetLabel is an
+## explicit packet labeling framework which implements CIPSO and
+## similar protocols.
+##
+##
+## The corenetwork interface
+## corenet_tcp_recv_netlabel() should
+## be used instead of this one.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_tcp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+##
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection.
+##
+##
+##
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection. NetLabel is an explicit packet labeling framework
+## which implements CIPSO and similar protocols.
+##
+##
+## The corenetwork interface
+## corenet_dontaudit_tcp_recv_netlabel() should
+## be used instead of this one.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+##
+## Receive UDP packets from a NetLabel connection.
+##
+##
+##
+## Receive UDP packets from a NetLabel connection, NetLabel is an
+## explicit packet labeling framework which implements CIPSO and
+## similar protocols.
+##
+##
+## The corenetwork interface
+## corenet_udp_recv_netlabel() should
+## be used instead of this one.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_udp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+##
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection.
+##
+##
+##
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection. NetLabel is an explicit packet labeling framework
+## which implements CIPSO and similar protocols.
+##
+##
+## The corenetwork interface
+## corenet_dontaudit_udp_recv_netlabel() should
+## be used instead of this one.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+##
## Send and receive unlabeled packets.
##
##
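Review bot: The description sentence on the `## Receive TCP packets from a NetLabel connection, NetLabel is an` line (and the UDP copy further down) is a comma splice; split it as `## Receive TCP packets from a NetLabel connection. NetLabel is an`. The "should be used instead of this one" paragraphs would also help a reader more if they said why, presumably so that callers do not depend on the unlabeled_t type directly, e.g. `## be used instead of this one, so that callers do not depend on the unlabeled_t type.`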
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6a79f9a..b25eaac 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.17)
+policy_module(kernel,1.3.18)
########################################
#
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
new file mode 100644
index 0000000..b263a8a
--- /dev/null
+++ b/policy/modules/system/netlabel.fc
@@ -0,0 +1 @@
+/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if
new file mode 100644
index 0000000..2cb4b55
--- /dev/null
+++ b/policy/modules/system/netlabel.if
@@ -0,0 +1,55 @@
+## NetLabel/CIPSO labeled networking management
+
+########################################
+##
+## Execute netlabel_mgmt in the netlabel_mgmt domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`netlabel_domtrans_mgmt',`
+ gen_require(`
+ type netlabel_mgmt_t, netlabel_mgmt_exec_t;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
+ allow netlabel_mgmt_t $1:fd use;
+ allow netlabel_mgmt_t $1:fifo_file rw_file_perms;
+ allow netlabel_mgmt_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute netlabel_mgmt in the netlabel_mgmt domain, and
+## allow the specified role the netlabel_mgmt domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the netlabel_mgmt domain.
+##
+##
+##
+##
+## The type of the terminal allow the netlabel_mgmt domain to use.
+##
+##
+##
+#
+interface(`netlabel_run_mgmt',`
+ gen_require(`
+ type netlabel_mgmt_t;
+ ')
+
+ netlabel_domtrans_mgmt($1)
+ role $2 types netlabel_mgmt_t;
+ allow netlabel_mgmt_t $3:chr_file rw_term_perms;
+')
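Review bot: The summary `## Execute netlabel_mgmt in the netlabel_mgmt domain.` names the domain rather than the program; netlabel.fc in this same change labels only `/sbin/netlabelctl` as netlabel_mgmt_exec_t, so `## Execute netlabelctl in the netlabel_mgmt domain.` tells a reader what they are granting. The same wording applies to the netlabel_run_mgmt summary a few lines below. It would also help to state in the netlabel_run_mgmt description that the role is given the whole netlabel_mgmt_t domain, since that is what `role $2 types netlabel_mgmt_t;` does.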
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
new file mode 100644
index 0000000..464fb5b
--- /dev/null
+++ b/policy/modules/system/netlabel.te
@@ -0,0 +1,28 @@
+
+policy_module(netlabel,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type netlabel_mgmt_t;
+type netlabel_mgmt_exec_t;
+domain_type(netlabel_mgmt_t)
+domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
+
+########################################
+#
+# NetLabel Management Tools Local policy
+#
+
+# modify the network subsystem configuration
+allow netlabel_mgmt_t self:capability net_admin;
+allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+
+kernel_read_network_state(netlabel_mgmt_t)
+
+libs_use_ld_so(netlabel_mgmt_t)
+libs_use_shared_libs(netlabel_mgmt_t)
+
+seutil_use_newrole_fds(netlabel_mgmt_t)
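Review bot: The new file opens with a blank line before `policy_module(netlabel,1.0.0)`, whereas the other modules touched by this change (corenetwork.te.in, kernel.te, userdomain.te) have the policy_module call on line 1; drop the leading blank line for consistency. The comment `# modify the network subsystem configuration` could also say what the two rules below it are for: if the tool configures NetLabel over a netlink socket, which the `self:netlink_socket create_socket_perms` rule suggests, `# netlabelctl configures the kernel NetLabel subsystem over netlink; net_admin is needed for that` says so explicitly.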
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6497d33..87137bc 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -514,6 +514,12 @@ template(`userdom_basic_networking_template',`
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
+
+ ifdef(`enable_mls',`
+ # netlabel/CIPSO labeled networking
+ corenet_tcp_recv_netlabel($1_t)
+ corenet_udp_recv_netlabel($1_t)
+ ')
')
#######################################
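Review bot: The enable_mls ifdef around the two new corenet calls is doing real work — the interfaces grant `recvfrom` on unlabeled_t peers and the same-level check is the mlsconstrain added in policy/mls, so on a non-MLS build the guard appears to be what withholds that access — but the comment `# netlabel/CIPSO labeled networking` does not say so. Suggest `# netlabel/CIPSO labeled networking; the same-level check is an MLS constraint, so only grant this on MLS builds`. The enclosing userdom_basic_networking_template starts before this hunk.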
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b07abb6..1bbcaf1 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.36)
+policy_module(userdomain,1.3.37)
gen_require(`
role sysadm_r, staff_r, user_r;
@@ -155,6 +155,7 @@ ifdef(`strict_policy',`
logging_read_generic_logs(secadm_t)
userdom_dontaudit_append_staff_home_content_files(secadm_t)
userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+ netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
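Review bot: `netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })` is called unconditionally, but netlabel is a new module with its own policy_module under policy/modules/system, while the unconditional sibling calls here (logging_*, userdom_*) belong to modules that are always built; if netlabel can be left out of a build, this call breaks the build and should be wrapped in an optional_policy block like other non-base modules, i.e. an `optional_policy(` line, then `netlabel_run_mgmt(secadm_t, secadm_r, { secadm_tty_device_t secadm_devpts_t })`, then the closing `')`. Whether netlabel is base or a module is not visible in the diff, so this is worth checking against modules.conf. The argument spacing (`secadm_t,secadm_r, {`) is also inconsistent with itself.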