diff --git a/Changelog b/Changelog
index 87d5be7..a919ef7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Unified labeled networking policy from Paul Moore.
+- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
- Xen updates from Dan Walsh.
- Filesystem updates from Dan Walsh.
- Large samba update from Dan Walsh.
diff --git a/policy/mls b/policy/mls
index 16fbfcb..16bd1df 100644
--- a/policy/mls
+++ b/policy/mls
@@ -182,11 +182,12 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
-# used by netlabel to restrict normal domains to same level connections
+# used by netlabel to restrict normal domains to same level connections unless the connection is unlabeled
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
(( l1 eq l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
+ ( t1 == mlsnetread ) or
+ ( t2 == unlabeled_t ));
# these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index b6ada7d..29d7835 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.5.0)
+policy_module(amanda,1.5.1)
#######################################
#
@@ -113,7 +113,8 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
# Added for targeted policy
term_use_unallocated_ttys(amanda_t)
-corenet_non_ipsec_sendrecv(amanda_t)
+corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_all_if(amanda_t)
corenet_udp_sendrecv_all_if(amanda_t)
corenet_raw_sendrecv_all_if(amanda_t)
@@ -200,7 +201,8 @@ files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file
kernel_read_system_state(amanda_recover_t)
kernel_read_kernel_sysctls(amanda_recover_t)
-corenet_non_ipsec_sendrecv(amanda_recover_t)
+corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_all_if(amanda_recover_t)
corenet_udp_sendrecv_all_if(amanda_recover_t)
corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 3a3ba9d..7c7272b 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
-policy_module(apt,1.1.0)
+policy_module(apt,1.1.1)
########################################
#
@@ -72,7 +72,8 @@ kernel_read_kernel_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
-corenet_non_ipsec_sendrecv(apt_t)
+corenet_all_recvfrom_unlabeled(apt_t)
+corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_all_if(apt_t)
corenet_udp_sendrecv_all_if(apt_t)
corenet_tcp_sendrecv_all_nodes(apt_t)
diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
index 277c49a..fee5b9c 100644
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@@ -1,5 +1,5 @@
-policy_module(backup,1.1.0)
+policy_module(backup,1.1.1)
########################################
#
@@ -36,7 +36,8 @@ kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
-corenet_non_ipsec_sendrecv(backup_t)
+corenet_all_recvfrom_unlabeled(backup_t)
+corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_udp_sendrecv_generic_if(backup_t)
corenet_raw_sendrecv_generic_if(backup_t)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 932d12f..1808c88 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -1,5 +1,5 @@
-policy_module(dpkg,1.1.1)
+policy_module(dpkg,1.1.2)
########################################
#
@@ -90,7 +90,8 @@ kernel_read_kernel_sysctls(dpkg_t)
corecmd_exec_all_executables(dpkg_t)
# TODO: do we really need all networking?
-corenet_non_ipsec_sendrecv(dpkg_t)
+corenet_all_recvfrom_unlabeled(dpkg_t)
+corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_all_if(dpkg_t)
corenet_raw_sendrecv_all_if(dpkg_t)
corenet_udp_sendrecv_all_if(dpkg_t)
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 0453cd8..3d016fc 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.4.0)
+policy_module(firstboot,1.4.1)
gen_require(`
class passwd rootok;
@@ -41,7 +41,8 @@ unconfined_domain(firstboot_t)
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
-corenet_non_ipsec_sendrecv(firstboot_t)
+corenet_all_recvfrom_unlabeled(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
corenet_tcp_sendrecv_all_if(firstboot_t)
corenet_tcp_sendrecv_all_nodes(firstboot_t)
corenet_tcp_sendrecv_all_ports(firstboot_t)
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 5ec21f4..e1e202c 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
-policy_module(mrtg,1.1.0)
+policy_module(mrtg,1.1.1)
########################################
#
@@ -63,7 +63,8 @@ kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)
-corenet_non_ipsec_sendrecv(mrtg_t)
+corenet_all_recvfrom_unlabeled(mrtg_t)
+corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_udp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_all_nodes(mrtg_t)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index a7e9a1e..014b697 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils,1.4.1)
+policy_module(netutils,1.4.2)
########################################
#
@@ -53,7 +53,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
-corenet_non_ipsec_sendrecv(netutils_t)
+corenet_all_recvfrom_unlabeled(netutils_t)
+corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
@@ -114,7 +115,8 @@ allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
-corenet_non_ipsec_sendrecv(ping_t)
+corenet_all_recvfrom_unlabeled(ping_t)
+corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
@@ -184,7 +186,8 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
-corenet_non_ipsec_sendrecv(traceroute_t)
+corenet_all_recvfrom_unlabeled(traceroute_t)
+corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index f486c97..3fe9309 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -152,7 +152,8 @@ interface(`portage_compile_domain',`
# really shouldnt need this but some packages test
# network access, such as during configure
# also distcc--need to reinvestigate confining distcc client
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_raw_sendrecv_generic_if($1)
@@ -242,7 +243,8 @@ interface(`portage_fetch_domain',`
corecmd_exec_bin($1)
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_all_ports($1)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 4335d44..0540613 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
-policy_module(portage,1.2.0)
+policy_module(portage,1.2.1)
########################################
#
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index b1ccc1b..70f4ade 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
-policy_module(rpm,1.6.1)
+policy_module(rpm,1.6.2)
########################################
#
@@ -91,7 +91,8 @@ kernel_read_kernel_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
-corenet_non_ipsec_sendrecv(rpm_t)
+corenet_all_recvfrom_unlabeled(rpm_t)
+corenet_all_recvfrom_netlabel(rpm_t)
corenet_tcp_sendrecv_all_if(rpm_t)
corenet_raw_sendrecv_all_if(rpm_t)
corenet_udp_sendrecv_all_if(rpm_t)
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index ea0bde2..1341a1b 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -1,5 +1,5 @@
-policy_module(sxid,1.1.0)
+policy_module(sxid,1.1.1)
########################################
#
@@ -42,7 +42,8 @@ kernel_read_kernel_sysctls(sxid_t)
corecmd_exec_bin(sxid_t)
corecmd_exec_shell(sxid_t)
-corenet_non_ipsec_sendrecv(sxid_t)
+corenet_all_recvfrom_unlabeled(sxid_t)
+corenet_all_recvfrom_netlabel(sxid_t)
corenet_tcp_sendrecv_generic_if(sxid_t)
corenet_udp_sendrecv_generic_if(sxid_t)
corenet_tcp_sendrecv_all_nodes(sxid_t)
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 2056403..51ddb35 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpn,1.4.0)
+policy_module(vpn,1.4.1)
########################################
#
@@ -48,7 +48,8 @@ kernel_read_network_state(vpnc_t)
kernel_read_kernel_sysctls(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
-corenet_non_ipsec_sendrecv(vpnc_t)
+corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_all_recvfrom_netlabel(vpnc_t)
corenet_tcp_sendrecv_all_if(vpnc_t)
corenet_udp_sendrecv_all_if(vpnc_t)
corenet_raw_sendrecv_all_if(vpnc_t)
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index 5bb18e3..674ca1d 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@@ -1,5 +1,5 @@
-policy_module(calamaris,1.1.0)
+policy_module(calamaris,1.1.1)
########################################
#
@@ -40,7 +40,8 @@ kernel_read_system_state(calamaris_t)
corecmd_exec_bin(calamaris_t)
-corenet_non_ipsec_sendrecv(calamaris_t)
+corenet_all_recvfrom_unlabeled(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
corenet_tcp_sendrecv_generic_if(calamaris_t)
corenet_udp_sendrecv_generic_if(calamaris_t)
corenet_tcp_sendrecv_all_nodes(calamaris_t)
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index b167857..0e22c03 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -188,7 +188,8 @@ template(`evolution_per_role_template',`
# Run various programs
corecmd_exec_bin($1_evolution_t)
- corenet_non_ipsec_sendrecv($1_evolution_t)
+ corenet_all_recvfrom_unlabeled($1_evolution_t)
+ corenet_all_recvfrom_netlabel($1_evolution_t)
corenet_tcp_sendrecv_generic_if($1_evolution_t)
corenet_udp_sendrecv_generic_if($1_evolution_t)
corenet_raw_sendrecv_generic_if($1_evolution_t)
@@ -681,7 +682,8 @@ template(`evolution_per_role_template',`
corecmd_exec_shell($1_evolution_server_t)
# Obtain weather data via http (read server name from xml file in /usr)
- corenet_non_ipsec_sendrecv($1_evolution_server_t)
+ corenet_all_recvfrom_unlabeled($1_evolution_server_t)
+ corenet_all_recvfrom_netlabel($1_evolution_server_t)
corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
corenet_tcp_sendrecv_http_port($1_evolution_server_t)
@@ -758,7 +760,8 @@ template(`evolution_per_role_template',`
# Transition from user type
domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
- corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
+ corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
+ corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 1d92ee4..38d17a4 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -1,5 +1,5 @@
-policy_module(evolution,1.2.0)
+policy_module(evolution,1.2.1)
########################################
#
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 7aa39b3..ed79d9f 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -92,7 +92,8 @@ template(`games_per_role_template',`
corecmd_exec_bin($1_games_t)
- corenet_non_ipsec_sendrecv($1_games_t)
+ corenet_all_recvfrom_unlabeled($1_games_t)
+ corenet_all_recvfrom_netlabel($1_games_t)
corenet_tcp_sendrecv_generic_if($1_games_t)
corenet_udp_sendrecv_generic_if($1_games_t)
corenet_tcp_sendrecv_all_nodes($1_games_t)
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 851d90c..0a0fba8 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
-policy_module(games,1.2.0)
+policy_module(games,1.2.1)
########################################
#
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index 1895947..1bdc35f 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -96,7 +96,8 @@ template(`gift_per_role_template',`
kernel_read_system_state($1_giftd_t)
# Connect to gift daemon
- corenet_non_ipsec_sendrecv($1_gift_t)
+ corenet_all_recvfrom_unlabeled($1_gift_t)
+ corenet_all_recvfrom_netlabel($1_gift_t)
corenet_tcp_sendrecv_generic_if($1_gift_t)
corenet_tcp_sendrecv_all_nodes($1_gift_t)
corenet_tcp_sendrecv_giftd_port($1_gift_t)
@@ -155,7 +156,8 @@ template(`gift_per_role_template',`
kernel_read_kernel_sysctls($1_giftd_t)
# Serve content on various p2p networks. Ports can be random.
- corenet_non_ipsec_sendrecv($1_giftd_t)
+ corenet_all_recvfrom_unlabeled($1_giftd_t)
+ corenet_all_recvfrom_netlabel($1_giftd_t)
corenet_tcp_sendrecv_generic_if($1_giftd_t)
corenet_udp_sendrecv_generic_if($1_giftd_t)
corenet_tcp_sendrecv_all_nodes($1_giftd_t)
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 55e3bca..bc6e328 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -1,5 +1,5 @@
-policy_module(gift,1.0.0)
+policy_module(gift,1.0.1)
########################################
#
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 07a4cbb..d2382c4 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -98,7 +98,8 @@ template(`gpg_per_role_template',`
# allow ps to show gpg
ps_process_pattern($2,$1_gpg_t)
- corenet_non_ipsec_sendrecv($1_gpg_t)
+ corenet_all_recvfrom_unlabeled($1_gpg_t)
+ corenet_all_recvfrom_netlabel($1_gpg_t)
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_udp_sendrecv_all_if($1_gpg_t)
corenet_tcp_sendrecv_all_nodes($1_gpg_t)
@@ -161,6 +162,8 @@ template(`gpg_per_role_template',`
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+ corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
+ corenet_all_recvfrom_netlabel($1_gpg_helper_t)
corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
corenet_raw_sendrecv_all_if($1_gpg_helper_t)
corenet_udp_sendrecv_all_if($1_gpg_helper_t)
@@ -169,7 +172,6 @@ template(`gpg_per_role_template',`
corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
- corenet_non_ipsec_sendrecv($1_gpg_helper_t)
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
corenet_udp_bind_all_nodes($1_gpg_helper_t)
corenet_tcp_connect_all_ports($1_gpg_helper_t)
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index de90c0f..7150d54 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
-policy_module(gpg, 1.2.0)
+policy_module(gpg, 1.2.1)
########################################
#
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 6debc0b..8fbbc04 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -90,7 +90,8 @@ template(`irc_per_role_template',`
kernel_read_proc_symlinks($1_irc_t)
- corenet_non_ipsec_sendrecv($1_irc_t)
+ corenet_all_recvfrom_unlabeled($1_irc_t)
+ corenet_all_recvfrom_netlabel($1_irc_t)
corenet_tcp_sendrecv_generic_if($1_irc_t)
corenet_udp_sendrecv_generic_if($1_irc_t)
corenet_tcp_sendrecv_all_nodes($1_irc_t)
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 419b695..67407d7 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -1,5 +1,5 @@
-policy_module(irc,1.1.0)
+policy_module(irc,1.1.1)
########################################
#
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 52426e3..80770b1 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -97,7 +97,8 @@ template(`java_per_role_template',`
# Search bin directory under javaplugin for javaplugin executable
corecmd_search_bin($1_javaplugin_t)
- corenet_non_ipsec_sendrecv($1_javaplugin_t)
+ corenet_all_recvfrom_unlabeled($1_javaplugin_t)
+ corenet_all_recvfrom_netlabel($1_javaplugin_t)
corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
corenet_udp_sendrecv_generic_if($1_javaplugin_t)
corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index ebeb70f..a998a18 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
-policy_module(java,1.4.0)
+policy_module(java,1.4.1)
########################################
#
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 207db69..7a1802e 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -126,7 +126,8 @@ template(`mozilla_per_role_template',`
corecmd_exec_bin($1_mozilla_t)
# Browse the web, connect to printer
- corenet_non_ipsec_sendrecv($1_mozilla_t)
+ corenet_all_recvfrom_unlabeled($1_mozilla_t)
+ corenet_all_recvfrom_netlabel($1_mozilla_t)
corenet_tcp_sendrecv_generic_if($1_mozilla_t)
corenet_raw_sendrecv_generic_if($1_mozilla_t)
corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 305c1cc..d89ebe3 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
-policy_module(mozilla,1.2.1)
+policy_module(mozilla,1.2.2)
########################################
#
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 79b57a2..73b396c 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -111,7 +111,8 @@ template(`screen_per_role_template',`
corecmd_shell_domtrans($1_screen_t,$2)
corecmd_bin_domtrans($1_screen_t,$2)
- corenet_non_ipsec_sendrecv($1_screen_t)
+ corenet_all_recvfrom_unlabeled($1_screen_t)
+ corenet_all_recvfrom_netlabel($1_screen_t)
corenet_tcp_sendrecv_generic_if($1_screen_t)
corenet_udp_sendrecv_generic_if($1_screen_t)
corenet_tcp_sendrecv_all_nodes($1_screen_t)
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 4e65b79..a94643f 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -1,5 +1,5 @@
-policy_module(screen,1.1.0)
+policy_module(screen,1.1.1)
########################################
#
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index fe9dcc5..fb1ab3f 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -105,7 +105,8 @@ template(`thunderbird_per_role_template',`
# Startup shellscript
corecmd_exec_shell($1_thunderbird_t)
- corenet_non_ipsec_sendrecv($1_thunderbird_t)
+ corenet_all_recvfrom_unlabeled($1_thunderbird_t)
+ corenet_all_recvfrom_netlabel($1_thunderbird_t)
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index c45ad59..88adcd4 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -1,5 +1,5 @@
-policy_module(thunderbird,1.2.0)
+policy_module(thunderbird,1.2.1)
########################################
#
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index 29dcf95..ac9cae1 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -152,7 +152,8 @@ template(`uml_per_role_template',`
# for xterm
corecmd_exec_bin($1_uml_t)
- corenet_non_ipsec_sendrecv($1_uml_t)
+ corenet_all_recvfrom_unlabeled($1_uml_t)
+ corenet_all_recvfrom_netlabel($1_uml_t)
corenet_tcp_sendrecv_generic_if($1_uml_t)
corenet_udp_sendrecv_generic_if($1_uml_t)
corenet_tcp_sendrecv_all_nodes($1_uml_t)
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index b3e3bce..1336a86 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,5 +1,5 @@
-policy_module(uml,1.2.0)
+policy_module(uml,1.2.1)
########################################
#
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 60a5977..3fa0b9f 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
-policy_module(vmware,1.1.0)
+policy_module(vmware,1.1.1)
########################################
#
@@ -45,7 +45,8 @@ kernel_read_kernel_sysctls(vmware_host_t)
kernel_list_proc(vmware_host_t)
kernel_read_proc_symlinks(vmware_host_t)
-corenet_non_ipsec_sendrecv(vmware_host_t)
+corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_all_recvfrom_netlabel(vmware_host_t)
corenet_tcp_sendrecv_generic_if(vmware_host_t)
corenet_udp_sendrecv_generic_if(vmware_host_t)
corenet_raw_sendrecv_generic_if(vmware_host_t)
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index ae68cff..fdc2d6c 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@@ -1,5 +1,5 @@
-policy_module(webalizer,1.4.0)
+policy_module(webalizer,1.4.1)
########################################
#
@@ -61,7 +61,8 @@ files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
-corenet_non_ipsec_sendrecv(webalizer_t)
+corenet_all_recvfrom_unlabeled(webalizer_t)
+corenet_all_recvfrom_netlabel(webalizer_t)
corenet_tcp_sendrecv_all_if(webalizer_t)
corenet_tcp_sendrecv_all_nodes(webalizer_t)
corenet_tcp_sendrecv_all_ports(webalizer_t)
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
index bd82b0d..a8c38fe 100644
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@@ -1,5 +1,5 @@
-policy_module(yam,1.0.0)
+policy_module(yam,1.0.1)
########################################
#
@@ -60,7 +60,8 @@ corecmd_exec_bin(yam_t)
# Rsync and lftp need to network. They also set files attributes to
# match whats on the remote server.
-corenet_non_ipsec_sendrecv(yam_t)
+corenet_all_recvfrom_unlabeled(yam_t)
+corenet_all_recvfrom_netlabel(yam_t)
corenet_tcp_sendrecv_generic_if(yam_t)
corenet_tcp_sendrecv_all_nodes(yam_t)
corenet_tcp_sendrecv_all_ports(yam_t)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index d433fa2..969da70 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1565,6 +1565,17 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
## non-encrypted (no IPSEC) network
## session.
## </summary>
+## <desc>
+## <p>
+## Send and receive messages on a
+## non-encrypted (no IPSEC) network
+## session. (Deprecated)
+## </p>
+## <p>
+## The corenet_all_recvfrom_unlabeled() interface should be used instead
+## of this one.
+## </p>
+## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
@@ -1572,7 +1583,8 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
## </param>
#
interface(`corenet_non_ipsec_sendrecv',`
- kernel_sendrecv_unlabeled_association($1)
+ refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
+ corenet_all_recvfrom_unlabeled($1)
')
########################################
@@ -1581,6 +1593,17 @@ interface(`corenet_non_ipsec_sendrecv',`
## messages on a non-encrypted (no IPSEC) network
## session.
## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to send and receive
+## messages on a non-encrypted (no IPSEC) network
+## session.
+## </p>
+## <p>
+## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
+## used instead of this one.
+## </p>
+## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
@@ -1588,7 +1611,8 @@ interface(`corenet_non_ipsec_sendrecv',`
## </param>
#
interface(`corenet_dontaudit_non_ipsec_sendrecv',`
- kernel_dontaudit_sendrecv_unlabeled_association($1)
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
+ corenet_dontaudit_all_recvfrom_unlabeled($1)
')
########################################
@@ -1602,7 +1626,45 @@ interface(`corenet_dontaudit_non_ipsec_sendrecv',`
## </param>
#
interface(`corenet_tcp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
+ corenet_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive TCP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_unlabeled',`
kernel_tcp_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
')
########################################
@@ -1617,7 +1679,47 @@ interface(`corenet_tcp_recv_netlabel',`
## </param>
#
interface(`corenet_dontaudit_tcp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
+ corenet_dontaudit_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
')
########################################
@@ -1631,7 +1733,45 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
## </param>
#
interface(`corenet_udp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
+ corenet_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive UDP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_unlabeled',`
kernel_udp_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
')
########################################
@@ -1646,7 +1786,47 @@ interface(`corenet_udp_recv_netlabel',`
## </param>
#
interface(`corenet_dontaudit_udp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
+ corenet_dontaudit_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
kernel_dontaudit_udp_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
')
########################################
@@ -1660,7 +1840,45 @@ interface(`corenet_dontaudit_udp_recv_netlabel',`
## </param>
#
interface(`corenet_raw_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
+ corenet_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_unlabeled',`
kernel_raw_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
')
########################################
@@ -1675,7 +1893,126 @@ interface(`corenet_raw_recv_netlabel',`
## </param>
#
interface(`corenet_dontaudit_raw_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
+ corenet_dontaudit_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_unlabeled',`
+ kernel_tcp_recvfrom_unlabeled($1)
+ kernel_udp_recvfrom_unlabeled($1)
+ kernel_raw_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
+ kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
')
########################################
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 199f7c9..bf24b64 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.9)
+policy_module(corenetwork,1.2.10)
########################################
#
@@ -37,6 +37,13 @@ dev_node(tun_tap_device_t)
type client_packet_t, packet_type, client_packet_type;
#
+# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
+# connections using NetLabel which do not carry full SELinux contexts.
+#
+type netlabel_peer_t;
+sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+
+#
# port_t is the default type of INET port numbers.
#
type port_t, port_type;
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 00c3cc0..2b96253 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2198,17 +2198,14 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
-## Receive TCP packets from a NetLabel connection.
+## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
-## Receive TCP packets from a NetLabel connection, NetLabel is an
-## explicit packet labeling framework which implements CIPSO and
-## similar protocols.
+## Receive TCP packets from an unlabeled connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_tcp_recv_netlabel() should
+## The corenetwork interface corenet_tcp_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
@@ -2228,19 +2225,17 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
-## Do not audit attempts to receive TCP packets from a NetLabel
-## connection.
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
## </summary>
## <desc>
## <p>
-## Do not audit attempts to receive TCP packets from a NetLabel
-## connection. NetLabel is an explicit packet labeling framework
-## which implements CIPSO and similar protocols.
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_dontaudit_tcp_recv_netlabel() should
-## be used instead of this one.
+## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
@@ -2259,17 +2254,14 @@ interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
########################################
## <summary>
-## Receive UDP packets from a NetLabel connection.
+## Receive UDP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
-## Receive UDP packets from a NetLabel connection, NetLabel is an
-## explicit packet labeling framework which implements CIPSO and
-## similar protocols.
+## Receive UDP packets from an unlabeled connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_udp_recv_netlabel() should
+## The corenetwork interface corenet_udp_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
@@ -2289,19 +2281,17 @@ interface(`kernel_udp_recvfrom_unlabeled',`
########################################
## <summary>
-## Do not audit attempts to receive UDP packets from a NetLabel
-## connection.
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
## </summary>
## <desc>
## <p>
-## Do not audit attempts to receive UDP packets from a NetLabel
-## connection. NetLabel is an explicit packet labeling framework
-## which implements CIPSO and similar protocols.
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_dontaudit_udp_recv_netlabel() should
-## be used instead of this one.
+## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
@@ -2320,17 +2310,14 @@ interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
########################################
## <summary>
-## Receive Raw IP packets from a NetLabel connection.
+## Receive Raw IP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
-## Receive Raw IP packets from a NetLabel connection, NetLabel is an
-## explicit packet labeling framework which implements CIPSO and
-## similar protocols.
+## Receive Raw IP packets from an unlabeled connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_raw_recv_netlabel() should
+## The corenetwork interface corenet_raw_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
@@ -2350,19 +2337,17 @@ interface(`kernel_raw_recvfrom_unlabeled',`
########################################
## <summary>
-## Do not audit attempts to receive Raw IP packets from a NetLabel
-## connection.
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
## </summary>
## <desc>
## <p>
-## Do not audit attempts to receive Raw IP packets from a NetLabel
-## connection. NetLabel is an explicit packet labeling framework
-## which implements CIPSO and similar protocols.
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_dontaudit_raw_recv_netlabel() should
-## be used instead of this one.
+## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index cd5f366..3cc8516 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.6.1)
+policy_module(kernel,1.6.2)
########################################
#
@@ -153,7 +153,6 @@ sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid init gen_context(system_u:object_r:unlabeled_t,s0)
sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
@@ -206,7 +205,8 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
-corenet_non_ipsec_sendrecv(kernel_t)
+corenet_all_recvfrom_unlabeled(kernel_t)
+corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index 6d44970..91f1359 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -1,5 +1,5 @@
-policy_module(afs,1.1.0)
+policy_module(afs,1.1.1)
########################################
#
@@ -89,7 +89,8 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
kernel_read_kernel_sysctls(afs_bosserver_t)
-corenet_non_ipsec_sendrecv(afs_bosserver_t)
+corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+corenet_all_recvfrom_netlabel(afs_bosserver_t)
corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_tcp_sendrecv_all_nodes(afs_bosserver_t)
@@ -153,7 +154,8 @@ corenet_tcp_sendrecv_all_nodes(afs_fsserver_t)
corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
corenet_udp_sendrecv_all_ports(afs_fsserver_t)
-corenet_non_ipsec_sendrecv(afs_fsserver_t)
+corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+corenet_all_recvfrom_netlabel(afs_fsserver_t)
corenet_tcp_bind_all_nodes(afs_fsserver_t)
corenet_udp_bind_all_nodes(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@@ -206,7 +208,8 @@ manage_files_pattern(afs_kaserver_t,afs_logfile_t,afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
-corenet_non_ipsec_sendrecv(afs_kaserver_t)
+corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_tcp_sendrecv_all_nodes(afs_kaserver_t)
@@ -253,7 +256,8 @@ manage_files_pattern(afs_ptserver_t,afs_logfile_t,afs_logfile_t)
manage_files_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t)
filetrans_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t,file)
-corenet_non_ipsec_sendrecv(afs_ptserver_t)
+corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
corenet_tcp_sendrecv_all_nodes(afs_ptserver_t)
@@ -294,7 +298,8 @@ manage_files_pattern(afs_vlserver_t,afs_logfile_t,afs_logfile_t)
manage_files_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t)
filetrans_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t,file)
-corenet_non_ipsec_sendrecv(afs_vlserver_t)
+corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
corenet_tcp_sendrecv_all_nodes(afs_vlserver_t)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index b46567b..994f10a 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
-policy_module(amavis,1.2.2)
+policy_module(amavis,1.2.3)
########################################
#
@@ -100,7 +100,8 @@ kernel_dontaudit_read_system_state(amavis_t)
# find perl
corecmd_exec_bin(amavis_t)
-corenet_non_ipsec_sendrecv(amavis_t)
+corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_all_if(amavis_t)
corenet_tcp_sendrecv_all_nodes(amavis_t)
corenet_tcp_bind_all_nodes(amavis_t)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 1dfbf35..932386f 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -181,7 +181,8 @@ template(`apache_content_template',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+ corenet_all_recvfrom_netlabel(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
@@ -200,7 +201,8 @@ template(`apache_content_template',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+ corenet_all_recvfrom_netlabel(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 554f963..3bc00ee 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.6.0)
+policy_module(apache,1.6.1)
#
# NOTES:
@@ -298,7 +298,8 @@ kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
-corenet_non_ipsec_sendrecv(httpd_t)
+corenet_all_recvfrom_unlabeled(httpd_t)
+corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
corenet_udp_sendrecv_all_if(httpd_t)
corenet_tcp_sendrecv_all_nodes(httpd_t)
@@ -641,7 +642,8 @@ tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv(httpd_suexec_t)
+ corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+ corenet_all_recvfrom_netlabel(httpd_suexec_t)
corenet_tcp_sendrecv_all_if(httpd_suexec_t)
corenet_udp_sendrecv_all_if(httpd_suexec_t)
corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 206253b..ebd456f 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -1,5 +1,5 @@
-policy_module(apcupsd,1.0.1)
+policy_module(apcupsd,1.0.2)
########################################
#
@@ -39,7 +39,8 @@ logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
-corenet_non_ipsec_sendrecv(apcupsd_t)
+corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_all_nodes(apcupsd_t)
corenet_tcp_sendrecv_all_ports(apcupsd_t)
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index b16908b..d607d70 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -1,5 +1,5 @@
-policy_module(arpwatch,1.3.1)
+policy_module(arpwatch,1.3.2)
########################################
#
@@ -47,7 +47,8 @@ kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)
-corenet_non_ipsec_sendrecv(arpwatch_t)
+corenet_all_recvfrom_unlabeled(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
corenet_tcp_sendrecv_all_if(arpwatch_t)
corenet_udp_sendrecv_all_if(arpwatch_t)
corenet_raw_sendrecv_all_if(arpwatch_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 0d0bef0..a095248 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,5 +1,5 @@
-policy_module(asterisk,1.2.0)
+policy_module(asterisk,1.2.1)
########################################
#
@@ -82,7 +82,8 @@ kernel_read_kernel_sysctls(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_search_bin(asterisk_t)
-corenet_non_ipsec_sendrecv(asterisk_t)
+corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
corenet_tcp_sendrecv_all_nodes(asterisk_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 2cff097..495cf4d 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.5.0)
+policy_module(automount,1.5.1)
########################################
#
@@ -76,7 +76,8 @@ fs_unmount_all_fs(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
-corenet_non_ipsec_sendrecv(automount_t)
+corenet_all_recvfrom_unlabeled(automount_t)
+corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
corenet_tcp_sendrecv_all_nodes(automount_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index c760f9f..d4815b0 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi,1.5.3)
+policy_module(avahi,1.5.4)
########################################
#
@@ -37,7 +37,8 @@ kernel_list_proc(avahi_t)
kernel_read_proc_symlinks(avahi_t)
kernel_read_network_state(avahi_t)
-corenet_non_ipsec_sendrecv(avahi_t)
+corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_all_if(avahi_t)
corenet_udp_sendrecv_all_if(avahi_t)
corenet_tcp_sendrecv_all_nodes(avahi_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 993010a..e107053 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,1.4.0)
+policy_module(bind,1.4.1)
########################################
#
@@ -101,7 +101,8 @@ kernel_read_kernel_sysctls(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)
-corenet_non_ipsec_sendrecv(named_t)
+corenet_all_recvfrom_unlabeled(named_t)
+corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_all_if(named_t)
corenet_udp_sendrecv_all_if(named_t)
corenet_tcp_sendrecv_all_nodes(named_t)
@@ -231,7 +232,8 @@ allow ndc_t named_zone_t:dir search;
kernel_read_kernel_sysctls(ndc_t)
-corenet_non_ipsec_sendrecv(ndc_t)
+corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_all_if(ndc_t)
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index d5c6d2d..e55617c 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth,1.5.1)
+policy_module(bluetooth,1.5.2)
########################################
#
@@ -81,7 +81,8 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
-corenet_non_ipsec_sendrecv(bluetooth_t)
+corenet_all_recvfrom_unlabeled(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
corenet_tcp_sendrecv_all_if(bluetooth_t)
corenet_udp_sendrecv_all_if(bluetooth_t)
corenet_raw_sendrecv_all_if(bluetooth_t)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 0dfc33b..52c1560 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
-policy_module(canna,1.4.0)
+policy_module(canna,1.4.1)
########################################
#
@@ -47,7 +47,8 @@ files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(canna_t)
kernel_read_system_state(canna_t)
-corenet_non_ipsec_sendrecv(canna_t)
+corenet_all_recvfrom_unlabeled(canna_t)
+corenet_all_recvfrom_netlabel(canna_t)
corenet_tcp_sendrecv_all_if(canna_t)
corenet_tcp_sendrecv_all_nodes(canna_t)
corenet_tcp_sendrecv_all_ports(canna_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 6c7fae8..d3dd3c8 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -1,5 +1,5 @@
-policy_module(ccs,1.1.0)
+policy_module(ccs,1.1.1)
########################################
#
@@ -77,7 +77,8 @@ kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)
-corenet_non_ipsec_sendrecv(ccs_t)
+corenet_all_recvfrom_unlabeled(ccs_t)
+corenet_all_recvfrom_netlabel(ccs_t)
corenet_tcp_sendrecv_all_if(ccs_t)
corenet_udp_sendrecv_all_if(ccs_t)
corenet_tcp_sendrecv_all_nodes(ccs_t)
diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te
index 6101c3a..d7c66e7 100644
--- a/policy/modules/services/cipe.te
+++ b/policy/modules/services/cipe.te
@@ -1,5 +1,5 @@
-policy_module(cipe,1.2.0)
+policy_module(cipe,1.2.1)
########################################
#
@@ -29,7 +29,8 @@ kernel_read_system_state(ciped_t)
corecmd_exec_shell(ciped_t)
corecmd_exec_bin(ciped_t)
-corenet_non_ipsec_sendrecv(ciped_t)
+corenet_all_recvfrom_unlabeled(ciped_t)
+corenet_all_recvfrom_netlabel(ciped_t)
corenet_udp_sendrecv_generic_if(ciped_t)
corenet_udp_sendrecv_all_nodes(ciped_t)
corenet_udp_sendrecv_all_ports(ciped_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 141cb6c..8dd71e0 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,5 +1,5 @@
-policy_module(clamav,1.3.1)
+policy_module(clamav,1.3.2)
########################################
#
@@ -86,7 +86,8 @@ files_pid_filetrans(clamd_t,clamd_var_run_t,file)
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
-corenet_non_ipsec_sendrecv(clamd_t)
+corenet_all_recvfrom_unlabeled(clamd_t)
+corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_all_if(clamd_t)
corenet_tcp_sendrecv_all_nodes(clamd_t)
corenet_tcp_sendrecv_all_ports(clamd_t)
@@ -160,7 +161,8 @@ allow freshclam_t freshclam_var_log_t:dir setattr;
allow freshclam_t clamd_var_log_t:dir search_dir_perms;
logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
-corenet_non_ipsec_sendrecv(freshclam_t)
+corenet_all_recvfrom_unlabeled(freshclam_t)
+corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_all_if(freshclam_t)
corenet_tcp_sendrecv_all_nodes(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
index 1b22e77..b1b8192 100644
--- a/policy/modules/services/clockspeed.te
+++ b/policy/modules/services/clockspeed.te
@@ -1,5 +1,5 @@
-policy_module(clockspeed,1.1.0)
+policy_module(clockspeed,1.1.1)
########################################
#
@@ -28,7 +28,8 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
read_files_pattern(clockspeed_cli_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
-corenet_non_ipsec_sendrecv(clockspeed_cli_t)
+corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+corenet_all_recvfrom_netlabel(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
@@ -55,7 +56,8 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
manage_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
manage_fifo_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
-corenet_non_ipsec_sendrecv(clockspeed_srv_t)
+corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+corenet_all_recvfrom_netlabel(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
index 97c376b..95f03af 100644
--- a/policy/modules/services/comsat.te
+++ b/policy/modules/services/comsat.te
@@ -1,5 +1,5 @@
-policy_module(comsat,1.2.0)
+policy_module(comsat,1.2.1)
########################################
#
@@ -40,7 +40,8 @@ kernel_read_kernel_sysctls(comsat_t)
kernel_read_network_state(comsat_t)
kernel_read_system_state(comsat_t)
-corenet_non_ipsec_sendrecv(comsat_t)
+corenet_all_recvfrom_unlabeled(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
corenet_tcp_sendrecv_all_if(comsat_t)
corenet_udp_sendrecv_all_if(comsat_t)
corenet_tcp_sendrecv_all_nodes(comsat_t)
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index 84f3402..ee4a98e 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -48,7 +48,8 @@ template(`courier_domain_template',`
corecmd_exec_bin(courier_$1_t)
- corenet_non_ipsec_sendrecv(courier_$1_t)
+ corenet_all_recvfrom_unlabeled(courier_$1_t)
+ corenet_all_recvfrom_netlabel(courier_$1_t)
corenet_tcp_sendrecv_generic_if(courier_$1_t)
corenet_udp_sendrecv_generic_if(courier_$1_t)
corenet_tcp_sendrecv_all_nodes(courier_$1_t)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 7f1cdf1..1cc680d 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
-policy_module(courier,1.2.0)
+policy_module(courier,1.2.1)
########################################
#
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index b7fab36..765ffe6 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -94,7 +94,8 @@ template(`cron_per_role_template',`
# ps does not need to access /boot when run from cron
files_dontaudit_search_boot($1_crond_t)
- corenet_non_ipsec_sendrecv($1_crond_t)
+ corenet_all_recvfrom_unlabeled($1_crond_t)
+ corenet_all_recvfrom_netlabel($1_crond_t)
corenet_tcp_sendrecv_all_if($1_crond_t)
corenet_udp_sendrecv_all_if($1_crond_t)
corenet_tcp_sendrecv_all_nodes($1_crond_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 74293df..2946f89 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.6.1)
+policy_module(cron,1.6.2)
gen_require(`
class passwd rootok;
@@ -327,7 +327,8 @@ ifdef(`targeted_policy',`
corecmd_exec_all_executables(system_crond_t)
- corenet_non_ipsec_sendrecv(system_crond_t)
+ corenet_all_recvfrom_unlabeled(system_crond_t)
+ corenet_all_recvfrom_netlabel(system_crond_t)
corenet_tcp_sendrecv_all_if(system_crond_t)
corenet_udp_sendrecv_all_if(system_crond_t)
corenet_tcp_sendrecv_all_nodes(system_crond_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 30072d8..91f588f 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.6.1)
+policy_module(cups,1.6.2)
########################################
#
@@ -133,7 +133,8 @@ kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
-corenet_non_ipsec_sendrecv(cupsd_t)
+corenet_all_recvfrom_unlabeled(cupsd_t)
+corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_all_if(cupsd_t)
corenet_udp_sendrecv_all_if(cupsd_t)
corenet_raw_sendrecv_all_if(cupsd_t)
@@ -340,7 +341,8 @@ files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
kernel_read_system_state(cupsd_config_t)
kernel_read_kernel_sysctls(cupsd_config_t)
-corenet_non_ipsec_sendrecv(cupsd_config_t)
+corenet_all_recvfrom_unlabeled(cupsd_config_t)
+corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_all_if(cupsd_config_t)
corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
corenet_tcp_sendrecv_all_ports(cupsd_config_t)
@@ -491,7 +493,8 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
kernel_read_network_state(cupsd_lpd_t)
-corenet_non_ipsec_sendrecv(cupsd_lpd_t)
+corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
corenet_udp_sendrecv_all_if(cupsd_lpd_t)
corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
@@ -564,7 +567,8 @@ files_pid_filetrans(hplip_t,hplip_var_run_t,file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
-corenet_non_ipsec_sendrecv(hplip_t)
+corenet_all_recvfrom_unlabeled(hplip_t)
+corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_all_if(hplip_t)
corenet_udp_sendrecv_all_if(hplip_t)
corenet_raw_sendrecv_all_if(hplip_t)
@@ -661,7 +665,8 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
-corenet_non_ipsec_sendrecv(ptal_t)
+corenet_all_recvfrom_unlabeled(ptal_t)
+corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_all_if(ptal_t)
corenet_tcp_sendrecv_all_nodes(ptal_t)
corenet_tcp_sendrecv_all_ports(ptal_t)
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 3746a41..d8ca01f 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -1,5 +1,5 @@
-policy_module(cvs,1.4.0)
+policy_module(cvs,1.4.1)
########################################
#
@@ -54,7 +54,8 @@ kernel_read_kernel_sysctls(cvs_t)
kernel_read_system_state(cvs_t)
kernel_read_network_state(cvs_t)
-corenet_non_ipsec_sendrecv(cvs_t)
+corenet_all_recvfrom_unlabeled(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
corenet_tcp_sendrecv_all_if(cvs_t)
corenet_udp_sendrecv_all_if(cvs_t)
corenet_tcp_sendrecv_all_nodes(cvs_t)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index a391144..2530b76 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.3.1)
+policy_module(cyrus,1.3.2)
########################################
#
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)
-corenet_non_ipsec_sendrecv(cyrus_t)
+corenet_all_recvfrom_unlabeled(cyrus_t)
+corenet_all_recvfrom_netlabel(cyrus_t)
corenet_tcp_sendrecv_all_if(cyrus_t)
corenet_udp_sendrecv_all_if(cyrus_t)
corenet_tcp_sendrecv_all_nodes(cyrus_t)
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index 9a5cdd8..fe024ed 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -1,5 +1,5 @@
-policy_module(dante,1.2.0)
+policy_module(dante,1.2.1)
########################################
#
@@ -38,7 +38,8 @@ kernel_read_kernel_sysctls(dante_t)
kernel_list_proc(dante_t)
kernel_read_proc_symlinks(dante_t)
-corenet_non_ipsec_sendrecv(dante_t)
+corenet_all_recvfrom_unlabeled(dante_t)
+corenet_all_recvfrom_netlabel(dante_t)
corenet_tcp_sendrecv_generic_if(dante_t)
corenet_udp_sendrecv_generic_if(dante_t)
corenet_tcp_sendrecv_all_nodes(dante_t)
diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te
index 27b5d93..a809592 100644
--- a/policy/modules/services/dbskk.te
+++ b/policy/modules/services/dbskk.te
@@ -1,5 +1,5 @@
-policy_module(dbskk,1.2.0)
+policy_module(dbskk,1.2.1)
########################################
#
@@ -48,7 +48,8 @@ kernel_read_kernel_sysctls(dbskkd_t)
kernel_read_system_state(dbskkd_t)
kernel_read_network_state(dbskkd_t)
-corenet_non_ipsec_sendrecv(dbskkd_t)
+corenet_all_recvfrom_unlabeled(dbskkd_t)
+corenet_all_recvfrom_netlabel(dbskkd_t)
corenet_tcp_sendrecv_all_if(dbskkd_t)
corenet_udp_sendrecv_all_if(dbskkd_t)
corenet_tcp_sendrecv_all_nodes(dbskkd_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 12fdb09..a0a64a7 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -107,7 +107,8 @@ template(`dbus_per_role_template',`
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
- corenet_non_ipsec_sendrecv($1_dbusd_t)
+ corenet_all_recvfrom_unlabeled($1_dbusd_t)
+ corenet_all_recvfrom_netlabel($1_dbusd_t)
corenet_tcp_sendrecv_all_if($1_dbusd_t)
corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
@@ -269,7 +270,6 @@ template(`dbus_send_user_bus',`
allow $2 $1_dbusd_t:dbus send_msg;
')
-
########################################
## <summary>
## Read dbus configuration.
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4273b44..0b86e78 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
-policy_module(dbus,1.5.1)
+policy_module(dbus,1.5.2)
gen_require(`
class dbus { send_msg acquire_svc };
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index 4dceb2b..076534e 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
-policy_module(dcc,1.2.0)
+policy_module(dcc,1.2.1)
########################################
#
@@ -99,7 +99,8 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
-corenet_non_ipsec_sendrecv(cdcc_t)
+corenet_all_recvfrom_unlabeled(cdcc_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
corenet_udp_sendrecv_generic_if(cdcc_t)
corenet_udp_sendrecv_all_nodes(cdcc_t)
corenet_udp_sendrecv_all_ports(cdcc_t)
@@ -141,7 +142,8 @@ allow dcc_client_t dcc_var_t:dir list_dir_perms;
read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
-corenet_non_ipsec_sendrecv(dcc_client_t)
+corenet_all_recvfrom_unlabeled(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_all_nodes(dcc_client_t)
corenet_udp_sendrecv_all_ports(dcc_client_t)
@@ -183,7 +185,8 @@ manage_lnk_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
kernel_read_system_state(dcc_dbclean_t)
-corenet_non_ipsec_sendrecv(dcc_dbclean_t)
+corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
@@ -243,7 +246,8 @@ files_pid_filetrans(dccd_t,dccd_var_run_t,file)
kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)
-corenet_non_ipsec_sendrecv(dccd_t)
+corenet_all_recvfrom_unlabeled(dccd_t)
+corenet_all_recvfrom_netlabel(dccd_t)
corenet_udp_sendrecv_generic_if(dccd_t)
corenet_udp_sendrecv_all_nodes(dccd_t)
corenet_udp_sendrecv_all_ports(dccd_t)
@@ -324,7 +328,8 @@ files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)
kernel_read_system_state(dccifd_t)
kernel_read_kernel_sysctls(dccifd_t)
-corenet_non_ipsec_sendrecv(dccifd_t)
+corenet_all_recvfrom_unlabeled(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
corenet_udp_sendrecv_generic_if(dccifd_t)
corenet_udp_sendrecv_all_nodes(dccifd_t)
corenet_udp_sendrecv_all_ports(dccifd_t)
@@ -401,7 +406,8 @@ files_pid_filetrans(dccm_t,dccm_var_run_t,file)
kernel_read_system_state(dccm_t)
kernel_read_kernel_sysctls(dccm_t)
-corenet_non_ipsec_sendrecv(dccm_t)
+corenet_all_recvfrom_unlabeled(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
corenet_udp_sendrecv_generic_if(dccm_t)
corenet_udp_sendrecv_all_nodes(dccm_t)
corenet_udp_sendrecv_all_ports(dccm_t)
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 32606ae..cda24bb 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -1,5 +1,5 @@
-policy_module(ddclient,1.2.0)
+policy_module(ddclient,1.2.1)
########################################
#
@@ -64,7 +64,8 @@ kernel_read_kernel_sysctls(ddclient_t)
corecmd_exec_shell(ddclient_t)
corecmd_exec_bin(ddclient_t)
-corenet_non_ipsec_sendrecv(ddclient_t)
+corenet_all_recvfrom_unlabeled(ddclient_t)
+corenet_all_recvfrom_netlabel(ddclient_t)
corenet_tcp_sendrecv_generic_if(ddclient_t)
corenet_udp_sendrecv_generic_if(ddclient_t)
corenet_tcp_sendrecv_all_nodes(ddclient_t)
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index cfa0300..cf534db 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,5 +1,5 @@
-policy_module(dhcp,1.3.0)
+policy_module(dhcp,1.3.1)
########################################
#
@@ -52,7 +52,8 @@ files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
-corenet_non_ipsec_sendrecv(dhcpd_t)
+corenet_all_recvfrom_unlabeled(dhcpd_t)
+corenet_all_recvfrom_netlabel(dhcpd_t)
corenet_tcp_sendrecv_all_if(dhcpd_t)
corenet_udp_sendrecv_all_if(dhcpd_t)
corenet_raw_sendrecv_all_if(dhcpd_t)
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index ed1722d..5657ccf 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -1,5 +1,5 @@
-policy_module(dictd,1.3.0)
+policy_module(dictd,1.3.1)
########################################
#
@@ -37,7 +37,8 @@ allow dictd_t dictd_var_lib_t:file read_file_perms;
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
-corenet_non_ipsec_sendrecv(dictd_t)
+corenet_all_recvfrom_unlabeled(dictd_t)
+corenet_all_recvfrom_netlabel(dictd_t)
corenet_tcp_sendrecv_all_if(dictd_t)
corenet_raw_sendrecv_all_if(dictd_t)
corenet_udp_sendrecv_all_if(dictd_t)
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index d7a01c6..d2d422f 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -1,5 +1,5 @@
-policy_module(distcc,1.3.1)
+policy_module(distcc,1.3.2)
########################################
#
@@ -45,7 +45,8 @@ files_pid_filetrans(distccd_t,distccd_var_run_t,file)
kernel_read_system_state(distccd_t)
kernel_read_kernel_sysctls(distccd_t)
-corenet_non_ipsec_sendrecv(distccd_t)
+corenet_all_recvfrom_unlabeled(distccd_t)
+corenet_all_recvfrom_netlabel(distccd_t)
corenet_tcp_sendrecv_all_if(distccd_t)
corenet_udp_sendrecv_all_if(distccd_t)
corenet_tcp_sendrecv_all_nodes(distccd_t)
diff --git a/policy/modules/services/djbdns.if b/policy/modules/services/djbdns.if
index ff1d505..7dd7b83 100644
--- a/policy/modules/services/djbdns.if
+++ b/policy/modules/services/djbdns.if
@@ -32,7 +32,8 @@ template(`djbdns_daemontools_domain_template',`
allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
- corenet_non_ipsec_sendrecv(djbdns_$1_t)
+ corenet_all_recvfrom_unlabeled(djbdns_$1_t)
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
corenet_tcp_sendrecv_all_if(djbdns_$1_t)
corenet_udp_sendrecv_all_if(djbdns_$1_t)
corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index c58a3a4..c4ccf7b 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -1,5 +1,5 @@
-policy_module(djbdns,1.1.0)
+policy_module(djbdns,1.1.1)
########################################
#
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 244384c..8abcd7d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,5 +1,5 @@
-policy_module(dnsmasq,1.3.0)
+policy_module(dnsmasq,1.3.1)
########################################
#
@@ -42,7 +42,8 @@ kernel_read_kernel_sysctls(dnsmasq_t)
kernel_list_proc(dnsmasq_t)
kernel_read_proc_symlinks(dnsmasq_t)
-corenet_non_ipsec_sendrecv(dnsmasq_t)
+corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index c81a948..2357a03 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot,1.5.1)
+policy_module(dovecot,1.5.2)
########################################
#
@@ -70,7 +70,8 @@ files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
-corenet_non_ipsec_sendrecv(dovecot_t)
+corenet_all_recvfrom_unlabeled(dovecot_t)
+corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_all_if(dovecot_t)
corenet_tcp_sendrecv_all_nodes(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 02845bf..49985a8 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail,1.3.0)
+policy_module(fetchmail,1.3.1)
########################################
#
@@ -46,7 +46,8 @@ kernel_getattr_proc_files(fetchmail_t)
kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
-corenet_non_ipsec_sendrecv(fetchmail_t)
+corenet_all_recvfrom_unlabeled(fetchmail_t)
+corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_udp_sendrecv_generic_if(fetchmail_t)
corenet_tcp_sendrecv_all_nodes(fetchmail_t)
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index a344d30..baa1cd1 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -1,5 +1,5 @@
-policy_module(finger,1.3.0)
+policy_module(finger,1.3.1)
########################################
#
@@ -47,7 +47,8 @@ logging_log_filetrans(fingerd_t,fingerd_log_t,file)
kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t)
-corenet_non_ipsec_sendrecv(fingerd_t)
+corenet_all_recvfrom_unlabeled(fingerd_t)
+corenet_all_recvfrom_netlabel(fingerd_t)
corenet_tcp_sendrecv_all_if(fingerd_t)
corenet_udp_sendrecv_all_if(fingerd_t)
corenet_tcp_sendrecv_all_nodes(fingerd_t)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 009b241..74da2aa 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp,1.5.0)
+policy_module(ftp,1.5.1)
########################################
#
@@ -128,7 +128,8 @@ dev_read_urand(ftpd_t)
corecmd_exec_bin(ftpd_t)
-corenet_non_ipsec_sendrecv(ftpd_t)
+corenet_all_recvfrom_unlabeled(ftpd_t)
+corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_all_if(ftpd_t)
corenet_udp_sendrecv_all_if(ftpd_t)
corenet_tcp_sendrecv_all_nodes(ftpd_t)
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index d5d3a0d..3dcaf5c 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -1,5 +1,5 @@
-policy_module(gatekeeper,1.2.0)
+policy_module(gatekeeper,1.2.1)
########################################
#
@@ -53,7 +53,8 @@ kernel_read_kernel_sysctls(gatekeeper_t)
corecmd_list_bin(gatekeeper_t)
-corenet_non_ipsec_sendrecv(gatekeeper_t)
+corenet_all_recvfrom_unlabeled(gatekeeper_t)
+corenet_all_recvfrom_netlabel(gatekeeper_t)
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
corenet_udp_sendrecv_generic_if(gatekeeper_t)
corenet_tcp_sendrecv_all_nodes(gatekeeper_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 6dcf4a5..8d80a9a 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.6.2)
+policy_module(hal,1.6.3)
########################################
#
@@ -91,7 +91,8 @@ auth_read_pam_console_data(hald_t)
corecmd_exec_all_executables(hald_t)
-corenet_non_ipsec_sendrecv(hald_t)
+corenet_all_recvfrom_unlabeled(hald_t)
+corenet_all_recvfrom_netlabel(hald_t)
corenet_tcp_sendrecv_all_if(hald_t)
corenet_udp_sendrecv_all_if(hald_t)
corenet_tcp_sendrecv_all_nodes(hald_t)
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
index 33247fd..1e2f857 100644
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@@ -1,5 +1,5 @@
-policy_module(howl,1.3.0)
+policy_module(howl,1.3.1)
########################################
#
@@ -34,7 +34,8 @@ kernel_load_module(howl_t)
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-corenet_non_ipsec_sendrecv(howl_t)
+corenet_all_recvfrom_unlabeled(howl_t)
+corenet_all_recvfrom_netlabel(howl_t)
corenet_tcp_sendrecv_all_if(howl_t)
corenet_udp_sendrecv_all_if(howl_t)
corenet_tcp_sendrecv_all_nodes(howl_t)
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index e45dba2..3ef9143 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -1,5 +1,5 @@
-policy_module(i18n_input,1.3.0)
+policy_module(i18n_input,1.3.1)
########################################
#
@@ -37,7 +37,8 @@ can_exec(i18n_input_t, i18n_input_exec_t)
kernel_read_kernel_sysctls(i18n_input_t)
kernel_read_system_state(i18n_input_t)
-corenet_non_ipsec_sendrecv(i18n_input_t)
+corenet_all_recvfrom_unlabeled(i18n_input_t)
+corenet_all_recvfrom_netlabel(i18n_input_t)
corenet_tcp_sendrecv_generic_if(i18n_input_t)
corenet_udp_sendrecv_generic_if(i18n_input_t)
corenet_tcp_sendrecv_all_nodes(i18n_input_t)
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
index 41614dc..3b90bd1 100644
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@@ -1,5 +1,5 @@
-policy_module(imaze,1.2.0)
+policy_module(imaze,1.2.1)
########################################
#
@@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(imazesrv_t)
kernel_list_proc(imazesrv_t)
kernel_read_proc_symlinks(imazesrv_t)
-corenet_non_ipsec_sendrecv(imazesrv_t)
+corenet_all_recvfrom_unlabeled(imazesrv_t)
+corenet_all_recvfrom_netlabel(imazesrv_t)
corenet_tcp_sendrecv_generic_if(imazesrv_t)
corenet_udp_sendrecv_generic_if(imazesrv_t)
corenet_tcp_sendrecv_all_nodes(imazesrv_t)
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index 8430861..939addd 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd,1.3.0)
+policy_module(inetd,1.3.1)
########################################
#
@@ -60,7 +60,8 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
# base networking:
-corenet_non_ipsec_sendrecv(inetd_t)
+corenet_all_recvfrom_unlabeled(inetd_t)
+corenet_all_recvfrom_netlabel(inetd_t)
corenet_tcp_sendrecv_all_if(inetd_t)
corenet_udp_sendrecv_all_if(inetd_t)
corenet_tcp_sendrecv_all_nodes(inetd_t)
@@ -81,7 +82,6 @@ corenet_tcp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
-corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
corenet_udp_bind_rsh_port(inetd_t)
@@ -143,11 +143,6 @@ sysnet_read_config(inetd_t)
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
-ifdef(`enable_mls',`
- corenet_tcp_recv_netlabel(inetd_t)
- corenet_udp_recv_netlabel(inetd_t)
-')
-
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(inetd_t)
term_dontaudit_use_generic_ptys(inetd_t)
@@ -200,7 +195,8 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_system_state(inetd_child_t)
kernel_read_network_state(inetd_child_t)
-corenet_non_ipsec_sendrecv(inetd_child_t)
+corenet_all_recvfrom_unlabeled(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
corenet_tcp_sendrecv_all_if(inetd_child_t)
corenet_udp_sendrecv_all_if(inetd_child_t)
corenet_tcp_sendrecv_all_nodes(inetd_child_t)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 3745d9a..7d6a100 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -1,5 +1,5 @@
-policy_module(inn,1.3.0)
+policy_module(inn,1.3.1)
########################################
#
@@ -63,7 +63,8 @@ manage_lnk_files_pattern(innd_t,news_spool_t,news_spool_t)
kernel_read_kernel_sysctls(innd_t)
kernel_read_system_state(innd_t)
-corenet_non_ipsec_sendrecv(innd_t)
+corenet_all_recvfrom_unlabeled(innd_t)
+corenet_all_recvfrom_netlabel(innd_t)
corenet_tcp_sendrecv_all_if(innd_t)
corenet_udp_sendrecv_all_if(innd_t)
corenet_tcp_sendrecv_all_nodes(innd_t)
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index 32d1c2d..ebdaaad 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -1,5 +1,5 @@
-policy_module(ircd,1.2.0)
+policy_module(ircd,1.2.1)
########################################
#
@@ -50,7 +50,8 @@ kernel_read_kernel_sysctls(ircd_t)
corecmd_search_bin(ircd_t)
-corenet_non_ipsec_sendrecv(ircd_t)
+corenet_all_recvfrom_unlabeled(ircd_t)
+corenet_all_recvfrom_netlabel(ircd_t)
corenet_tcp_sendrecv_generic_if(ircd_t)
corenet_udp_sendrecv_generic_if(ircd_t)
corenet_tcp_sendrecv_all_nodes(ircd_t)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index dd92c08..d004ebb 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,5 +1,5 @@
-policy_module(jabber,1.2.0)
+policy_module(jabber,1.2.1)
########################################
#
@@ -44,7 +44,8 @@ kernel_read_kernel_sysctls(jabberd_t)
kernel_list_proc(jabberd_t)
kernel_read_proc_symlinks(jabberd_t)
-corenet_non_ipsec_sendrecv(jabberd_t)
+corenet_all_recvfrom_unlabeled(jabberd_t)
+corenet_all_recvfrom_netlabel(jabberd_t)
corenet_tcp_sendrecv_generic_if(jabberd_t)
corenet_udp_sendrecv_generic_if(jabberd_t)
corenet_tcp_sendrecv_all_nodes(jabberd_t)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 8c3fe02..4d0fce5 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -47,7 +47,8 @@ interface(`kerberos_use',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 784130d..85932e6 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos,1.4.0)
+policy_module(kerberos,1.4.1)
########################################
#
@@ -92,7 +92,8 @@ kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
-corenet_non_ipsec_sendrecv(kadmind_t)
+corenet_all_recvfrom_unlabeled(kadmind_t)
+corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_all_if(kadmind_t)
corenet_udp_sendrecv_all_if(kadmind_t)
corenet_tcp_sendrecv_all_nodes(kadmind_t)
@@ -192,7 +193,8 @@ kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
-corenet_non_ipsec_sendrecv(krb5kdc_t)
+corenet_all_recvfrom_unlabeled(krb5kdc_t)
+corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_all_if(krb5kdc_t)
corenet_udp_sendrecv_all_if(krb5kdc_t)
corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
index b166af0..f04a84a 100644
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@@ -1,5 +1,5 @@
-policy_module(ktalk,1.4.0)
+policy_module(ktalk,1.4.1)
########################################
#
@@ -53,7 +53,8 @@ kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
kernel_read_network_state(ktalkd_t)
-corenet_non_ipsec_sendrecv(ktalkd_t)
+corenet_all_recvfrom_unlabeled(ktalkd_t)
+corenet_all_recvfrom_netlabel(ktalkd_t)
corenet_tcp_sendrecv_all_if(ktalkd_t)
corenet_udp_sendrecv_all_if(ktalkd_t)
corenet_tcp_sendrecv_all_nodes(ktalkd_t)
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index abdc23d..f74f9cf 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap,1.4.0)
+policy_module(ldap,1.4.1)
########################################
#
@@ -77,7 +77,8 @@ files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
-corenet_non_ipsec_sendrecv(slapd_t)
+corenet_all_recvfrom_unlabeled(slapd_t)
+corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_all_if(slapd_t)
corenet_udp_sendrecv_all_if(slapd_t)
corenet_tcp_sendrecv_all_nodes(slapd_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index ce2b1f6..0214664 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -104,7 +104,8 @@ template(`lpd_per_role_template',`
kernel_read_kernel_sysctls($1_lpr_t)
- corenet_non_ipsec_sendrecv($1_lpr_t)
+ corenet_all_recvfrom_unlabeled($1_lpr_t)
+ corenet_all_recvfrom_netlabel($1_lpr_t)
corenet_tcp_sendrecv_generic_if($1_lpr_t)
corenet_udp_sendrecv_generic_if($1_lpr_t)
corenet_tcp_sendrecv_all_nodes($1_lpr_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 1235113..cde9f2d 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd,1.5.0)
+policy_module(lpd,1.5.1)
########################################
#
@@ -72,7 +72,8 @@ allow checkpc_t printconf_t:dir { getattr search read };
kernel_read_system_state(checkpc_t)
-corenet_non_ipsec_sendrecv(checkpc_t)
+corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_all_recvfrom_netlabel(checkpc_t)
corenet_tcp_sendrecv_all_if(checkpc_t)
corenet_udp_sendrecv_all_if(checkpc_t)
corenet_tcp_sendrecv_all_nodes(checkpc_t)
@@ -157,7 +158,8 @@ kernel_read_kernel_sysctls(lpd_t)
# bash wants access to /proc/meminfo
kernel_read_system_state(lpd_t)
-corenet_non_ipsec_sendrecv(lpd_t)
+corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_all_recvfrom_netlabel(lpd_t)
corenet_tcp_sendrecv_all_if(lpd_t)
corenet_udp_sendrecv_all_if(lpd_t)
corenet_tcp_sendrecv_all_nodes(lpd_t)
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
index eb26d54..d61cf18 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -48,7 +48,8 @@ template(`mailman_domain_template', `
kernel_read_kernel_sysctls(mailman_$1_t)
kernel_read_system_state(mailman_$1_t)
- corenet_non_ipsec_sendrecv(mailman_$1_t)
+ corenet_all_recvfrom_unlabeled(mailman_$1_t)
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
corenet_tcp_sendrecv_all_if(mailman_$1_t)
corenet_udp_sendrecv_all_if(mailman_$1_t)
corenet_raw_sendrecv_all_if(mailman_$1_t)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index 7a8dfaa..3636b04 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
-policy_module(mailman,1.2.1)
+policy_module(mailman,1.2.2)
########################################
#
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index 55c6488..ca7a815 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -1,5 +1,5 @@
-policy_module(monop,1.2.0)
+policy_module(monop,1.2.1)
########################################
#
@@ -43,7 +43,8 @@ kernel_read_kernel_sysctls(monopd_t)
kernel_list_proc(monopd_t)
kernel_read_proc_symlinks(monopd_t)
-corenet_non_ipsec_sendrecv(monopd_t)
+corenet_all_recvfrom_unlabeled(monopd_t)
+corenet_all_recvfrom_netlabel(monopd_t)
corenet_tcp_sendrecv_generic_if(monopd_t)
corenet_udp_sendrecv_generic_if(monopd_t)
corenet_tcp_sendrecv_all_nodes(monopd_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 5fc01ef..dd5d77d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -72,7 +72,8 @@ template(`mta_base_mail_template',`
kernel_read_kernel_sysctls($1_mail_t)
- corenet_non_ipsec_sendrecv($1_mail_t)
+ corenet_all_recvfrom_unlabeled($1_mail_t)
+ corenet_all_recvfrom_netlabel($1_mail_t)
corenet_tcp_sendrecv_all_if($1_mail_t)
corenet_tcp_sendrecv_all_nodes($1_mail_t)
corenet_tcp_sendrecv_all_ports($1_mail_t)
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 23254a3..6069222 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.6.1)
+policy_module(mta,1.6.2)
########################################
#
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 24a8887..c9e42c8 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
-policy_module(munin,1.2.1)
+policy_module(munin,1.2.2)
########################################
#
@@ -65,7 +65,8 @@ kernel_read_kernel_sysctls(munin_t)
corecmd_exec_bin(munin_t)
-corenet_non_ipsec_sendrecv(munin_t)
+corenet_all_recvfrom_unlabeled(munin_t)
+corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_udp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_all_nodes(munin_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index df689ee..9e8b8e6 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
-policy_module(mysql,1.4.0)
+policy_module(mysql,1.4.1)
########################################
#
@@ -61,7 +61,8 @@ files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
-corenet_non_ipsec_sendrecv(mysqld_t)
+corenet_all_recvfrom_unlabeled(mysqld_t)
+corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_all_if(mysqld_t)
corenet_udp_sendrecv_all_if(mysqld_t)
corenet_tcp_sendrecv_all_nodes(mysqld_t)
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index cb5bf91..6992bcb 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
-policy_module(nagios,1.2.1)
+policy_module(nagios,1.2.2)
########################################
#
@@ -66,7 +66,8 @@ kernel_read_kernel_sysctls(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
-corenet_non_ipsec_sendrecv(nagios_t)
+corenet_all_recvfrom_unlabeled(nagios_t)
+corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_udp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_all_nodes(nagios_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index cd630c1..51150a4 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -1,5 +1,5 @@
-policy_module(nessus,1.2.0)
+policy_module(nessus,1.2.1)
########################################
#
@@ -57,7 +57,8 @@ kernel_read_kernel_sysctls(nessusd_t)
# for nmap etc
corecmd_exec_bin(nessusd_t)
-corenet_non_ipsec_sendrecv(nessusd_t)
+corenet_all_recvfrom_unlabeled(nessusd_t)
+corenet_all_recvfrom_netlabel(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
corenet_raw_sendrecv_generic_if(nessusd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 2bf2cfb..56c6967 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.6.1)
+policy_module(networkmanager,1.6.2)
########################################
#
@@ -41,7 +41,8 @@ kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
-corenet_non_ipsec_sendrecv(NetworkManager_t)
+corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_all_if(NetworkManager_t)
corenet_udp_sendrecv_all_if(NetworkManager_t)
corenet_raw_sendrecv_all_if(NetworkManager_t)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 0c8612f..2132e42 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -37,7 +37,8 @@ interface(`nis_use_ypbind_uncond',`
allow $1 var_yp_t:lnk_file { getattr read };
allow $1 var_yp_t:file read_file_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index b4841a5..167d566 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
-policy_module(nis,1.4.0)
+policy_module(nis,1.4.1)
########################################
#
@@ -69,7 +69,8 @@ kernel_read_kernel_sysctls(ypbind_t)
kernel_list_proc(ypbind_t)
kernel_read_proc_symlinks(ypbind_t)
-corenet_non_ipsec_sendrecv(ypbind_t)
+corenet_all_recvfrom_unlabeled(ypbind_t)
+corenet_all_recvfrom_netlabel(ypbind_t)
corenet_tcp_sendrecv_all_if(ypbind_t)
corenet_udp_sendrecv_all_if(ypbind_t)
corenet_tcp_sendrecv_all_nodes(ypbind_t)
@@ -112,7 +113,6 @@ sysnet_read_config(ypbind_t)
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
-
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(ypbind_t)
term_dontaudit_use_generic_ptys(ypbind_t)
@@ -152,7 +152,8 @@ kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
kernel_read_kernel_sysctls(yppasswdd_t)
-corenet_non_ipsec_sendrecv(yppasswdd_t)
+corenet_all_recvfrom_unlabeled(yppasswdd_t)
+corenet_all_recvfrom_netlabel(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
corenet_tcp_sendrecv_all_nodes(yppasswdd_t)
@@ -199,7 +200,6 @@ sysnet_read_config(yppasswdd_t)
userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
-
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(yppasswdd_t)
term_dontaudit_use_generic_ptys(yppasswdd_t)
@@ -247,7 +247,8 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
-corenet_non_ipsec_sendrecv(ypserv_t)
+corenet_all_recvfrom_unlabeled(ypserv_t)
+corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_all_if(ypserv_t)
corenet_udp_sendrecv_all_if(ypserv_t)
corenet_tcp_sendrecv_all_nodes(ypserv_t)
@@ -288,7 +289,6 @@ sysnet_read_config(ypserv_t)
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
-
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(ypserv_t)
term_dontaudit_use_generic_ptys(ypserv_t)
@@ -321,7 +321,8 @@ allow ypxfr_t ypserv_t:udp_socket { read write };
allow ypxfr_t ypserv_conf_t:file { getattr read };
-corenet_non_ipsec_sendrecv(ypxfr_t)
+corenet_all_recvfrom_unlabeled(ypxfr_t)
+corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_all_if(ypxfr_t)
corenet_udp_sendrecv_all_if(ypxfr_t)
corenet_tcp_sendrecv_all_nodes(ypxfr_t)
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 9a94409..a7c72ad 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.4.0)
+policy_module(nscd,1.4.1)
gen_require(`
class nscd all_nscd_perms;
@@ -65,7 +65,8 @@ fs_search_auto_mountpoints(nscd_t)
auth_getattr_shadow(nscd_t)
auth_use_nsswitch(nscd_t)
-corenet_non_ipsec_sendrecv(nscd_t)
+corenet_all_recvfrom_unlabeled(nscd_t)
+corenet_all_recvfrom_netlabel(nscd_t)
corenet_tcp_sendrecv_all_if(nscd_t)
corenet_udp_sendrecv_all_if(nscd_t)
corenet_tcp_sendrecv_all_nodes(nscd_t)
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index ad229e6..f94a0bd 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -1,5 +1,5 @@
-policy_module(nsd,1.2.0)
+policy_module(nsd,1.2.1)
########################################
#
@@ -62,7 +62,8 @@ kernel_read_kernel_sysctls(nsd_t)
corecmd_exec_bin(nsd_t)
-corenet_non_ipsec_sendrecv(nsd_t)
+corenet_all_recvfrom_unlabeled(nsd_t)
+corenet_all_recvfrom_netlabel(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
corenet_tcp_sendrecv_all_nodes(nsd_t)
@@ -148,7 +149,8 @@ kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
-corenet_non_ipsec_sendrecv(nsd_crond_t)
+corenet_all_recvfrom_unlabeled(nsd_crond_t)
+corenet_all_recvfrom_netlabel(nsd_crond_t)
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
corenet_udp_sendrecv_generic_if(nsd_crond_t)
corenet_tcp_sendrecv_all_nodes(nsd_crond_t)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index cc75818..7d4a8bd 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -1,5 +1,5 @@
-policy_module(ntop,1.2.0)
+policy_module(ntop,1.2.1)
########################################
#
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(ntop_t)
kernel_list_proc(ntop_t)
kernel_read_proc_symlinks(ntop_t)
-corenet_non_ipsec_sendrecv(ntop_t)
+corenet_all_recvfrom_unlabeled(ntop_t)
+corenet_all_recvfrom_netlabel(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t)
corenet_udp_sendrecv_generic_if(ntop_t)
corenet_raw_sendrecv_generic_if(ntop_t)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 4a3f39f..a16e1b8 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp,1.3.0)
+policy_module(ntp,1.3.1)
########################################
#
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
-corenet_non_ipsec_sendrecv(ntpd_t)
+corenet_all_recvfrom_unlabeled(ntpd_t)
+corenet_all_recvfrom_netlabel(ntpd_t)
corenet_tcp_sendrecv_all_if(ntpd_t)
corenet_udp_sendrecv_all_if(ntpd_t)
corenet_tcp_sendrecv_all_nodes(ntpd_t)
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index ff9b491..a758874 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -1,5 +1,5 @@
-policy_module(nx,1.1.0)
+policy_module(nx,1.1.1)
########################################
#
@@ -51,7 +51,8 @@ kernel_read_kernel_sysctls(nx_server_t)
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)
-corenet_non_ipsec_sendrecv(nx_server_t)
+corenet_all_recvfrom_unlabeled(nx_server_t)
+corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_udp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_all_nodes(nx_server_t)
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index 5b51b7c..83d2c4d 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -1,5 +1,5 @@
-policy_module(oav,1.2.0)
+policy_module(oav,1.2.1)
########################################
#
@@ -50,7 +50,8 @@ read_lnk_files_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
corecmd_exec_all_executables(oav_update_t)
-corenet_non_ipsec_sendrecv(oav_update_t)
+corenet_all_recvfrom_unlabeled(oav_update_t)
+corenet_all_recvfrom_netlabel(oav_update_t)
corenet_tcp_sendrecv_generic_if(oav_update_t)
corenet_udp_sendrecv_generic_if(oav_update_t)
corenet_tcp_sendrecv_all_nodes(oav_update_t)
@@ -104,7 +105,8 @@ kernel_read_kernel_sysctls(scannerdaemon_t)
# Can run kaffe
corecmd_exec_all_executables(scannerdaemon_t)
-corenet_non_ipsec_sendrecv(scannerdaemon_t)
+corenet_all_recvfrom_unlabeled(scannerdaemon_t)
+corenet_all_recvfrom_netlabel(scannerdaemon_t)
corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
corenet_udp_sendrecv_generic_if(scannerdaemon_t)
corenet_tcp_sendrecv_all_nodes(scannerdaemon_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 28b6f76..a2591f4 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn,1.2.1)
+policy_module(openvpn,1.2.2)
########################################
#
@@ -53,7 +53,8 @@ kernel_read_system_state(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
-corenet_non_ipsec_sendrecv(openvpn_t)
+corenet_all_recvfrom_unlabeled(openvpn_t)
+corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_all_if(openvpn_t)
corenet_udp_sendrecv_all_if(openvpn_t)
corenet_tcp_sendrecv_generic_node(openvpn_t)
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 681aa61..b0a1871 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -1,5 +1,5 @@
-policy_module(pcscd,1.1.0)
+policy_module(pcscd,1.1.1)
########################################
#
@@ -31,10 +31,11 @@ manage_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
manage_sock_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file })
+corenet_all_recvfrom_unlabeled(pcscd_t)
+corenet_all_recvfrom_netlabel(pcscd_t)
corenet_tcp_sendrecv_all_if(pcscd_t)
corenet_tcp_sendrecv_all_nodes(pcscd_t)
corenet_tcp_sendrecv_all_ports(pcscd_t)
-corenet_non_ipsec_sendrecv(pcscd_t)
corenet_tcp_connect_http_port(pcscd_t)
dev_rw_generic_usb_dev(pcscd_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index a307720..a1fa4fa 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
-policy_module(pegasus,1.3.1)
+policy_module(pegasus,1.3.2)
########################################
#
@@ -66,7 +66,8 @@ kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
kernel_read_net_sysctls(pegasus_t)
-corenet_non_ipsec_sendrecv(pegasus_t)
+corenet_all_recvfrom_unlabeled(pegasus_t)
+corenet_all_recvfrom_netlabel(pegasus_t)
corenet_tcp_sendrecv_all_if(pegasus_t)
corenet_tcp_sendrecv_all_nodes(pegasus_t)
corenet_tcp_sendrecv_all_ports(pegasus_t)
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index 8e3f11a..22b8b0f 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -1,5 +1,5 @@
-policy_module(perdition,1.2.0)
+policy_module(perdition,1.2.1)
########################################
#
@@ -37,7 +37,8 @@ kernel_read_kernel_sysctls(perdition_t)
kernel_list_proc(perdition_t)
kernel_read_proc_symlinks(perdition_t)
-corenet_non_ipsec_sendrecv(perdition_t)
+corenet_all_recvfrom_unlabeled(perdition_t)
+corenet_all_recvfrom_netlabel(perdition_t)
corenet_tcp_sendrecv_generic_if(perdition_t)
corenet_udp_sendrecv_generic_if(perdition_t)
corenet_tcp_sendrecv_all_nodes(perdition_t)
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index d2df243..971efd2 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
-policy_module(portmap,1.4.0)
+policy_module(portmap,1.4.1)
########################################
#
@@ -45,7 +45,8 @@ kernel_read_kernel_sysctls(portmap_t)
kernel_list_proc(portmap_t)
kernel_read_proc_symlinks(portmap_t)
-corenet_non_ipsec_sendrecv(portmap_t)
+corenet_all_recvfrom_unlabeled(portmap_t)
+corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_all_if(portmap_t)
corenet_udp_sendrecv_all_if(portmap_t)
corenet_tcp_sendrecv_all_nodes(portmap_t)
@@ -123,6 +124,8 @@ allow portmap_helper_t self:udp_socket create_socket_perms;
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
+corenet_all_recvfrom_unlabeled(portmap_helper_t)
+corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_all_if(portmap_helper_t)
corenet_udp_sendrecv_all_if(portmap_helper_t)
corenet_raw_sendrecv_all_if(portmap_helper_t)
@@ -131,7 +134,6 @@ corenet_udp_sendrecv_all_nodes(portmap_helper_t)
corenet_raw_sendrecv_all_nodes(portmap_helper_t)
corenet_tcp_sendrecv_all_ports(portmap_helper_t)
corenet_udp_sendrecv_all_ports(portmap_helper_t)
-corenet_non_ipsec_sendrecv(portmap_helper_t)
corenet_tcp_bind_all_nodes(portmap_helper_t)
corenet_udp_bind_all_nodes(portmap_helper_t)
corenet_tcp_bind_reserved_port(portmap_helper_t)
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
index 7dae3dd..d4d2f94 100644
--- a/policy/modules/services/portslave.te
+++ b/policy/modules/services/portslave.te
@@ -1,5 +1,5 @@
-policy_module(portslave,1.2.0)
+policy_module(portslave,1.2.1)
########################################
#
@@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(portslave_t)
corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)
-corenet_non_ipsec_sendrecv(portslave_t)
+corenet_all_recvfrom_unlabeled(portslave_t)
+corenet_all_recvfrom_netlabel(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
corenet_tcp_sendrecv_all_nodes(portslave_t)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index a40154a..97e9297 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -125,7 +125,8 @@ template(`postfix_server_domain_template',`
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
- corenet_non_ipsec_sendrecv(postfix_$1_t)
+ corenet_all_recvfrom_unlabeled(postfix_$1_t)
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
corenet_tcp_sendrecv_all_if(postfix_$1_t)
corenet_udp_sendrecv_all_if(postfix_$1_t)
corenet_tcp_sendrecv_all_nodes(postfix_$1_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index dabea2d..51520bb 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.5.0)
+policy_module(postfix,1.5.1)
########################################
#
@@ -133,7 +133,8 @@ rename_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_mai
kernel_read_all_sysctls(postfix_master_t)
-corenet_non_ipsec_sendrecv(postfix_master_t)
+corenet_all_recvfrom_unlabeled(postfix_master_t)
+corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_all_if(postfix_master_t)
corenet_udp_sendrecv_all_if(postfix_master_t)
corenet_tcp_sendrecv_all_nodes(postfix_master_t)
@@ -309,7 +310,8 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
-corenet_non_ipsec_sendrecv(postfix_map_t)
+corenet_all_recvfrom_unlabeled(postfix_map_t)
+corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
corenet_tcp_sendrecv_all_nodes(postfix_map_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index e5a6a25..799132e 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql,1.3.0)
+policy_module(postgresql,1.3.1)
#################################
#
@@ -82,7 +82,8 @@ kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
-corenet_non_ipsec_sendrecv(postgresql_t)
+corenet_all_recvfrom_unlabeled(postgresql_t)
+corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_all_if(postgresql_t)
corenet_udp_sendrecv_all_if(postgresql_t)
corenet_tcp_sendrecv_all_nodes(postgresql_t)
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index bfb365a..73fd224 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,5 +1,5 @@
-policy_module(postgrey,1.2.0)
+policy_module(postgrey,1.2.1)
########################################
#
@@ -46,7 +46,8 @@ kernel_read_kernel_sysctls(postgrey_t)
# for perl
corecmd_search_bin(postgrey_t)
-corenet_non_ipsec_sendrecv(postgrey_t)
+corenet_all_recvfrom_unlabeled(postgrey_t)
+corenet_all_recvfrom_netlabel(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t)
corenet_tcp_sendrecv_all_nodes(postgrey_t)
corenet_tcp_sendrecv_all_ports(postgrey_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 005af7b..5c865d7 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
-policy_module(ppp,1.4.1)
+policy_module(ppp,1.4.2)
########################################
#
@@ -126,7 +126,8 @@ dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
-corenet_non_ipsec_sendrecv(pppd_t)
+corenet_all_recvfrom_unlabeled(pppd_t)
+corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_all_if(pppd_t)
corenet_raw_sendrecv_all_if(pppd_t)
corenet_udp_sendrecv_all_if(pppd_t)
@@ -261,7 +262,8 @@ kernel_read_proc_symlinks(pptp_t)
dev_read_sysfs(pptp_t)
-corenet_non_ipsec_sendrecv(pptp_t)
+corenet_all_recvfrom_unlabeled(pptp_t)
+corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_all_if(pptp_t)
corenet_raw_sendrecv_all_if(pptp_t)
corenet_tcp_sendrecv_all_nodes(pptp_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 10325d5..1ccb495 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
-policy_module(privoxy,1.3.0)
+policy_module(privoxy,1.3.1)
########################################
#
@@ -40,7 +40,8 @@ kernel_read_kernel_sysctls(privoxy_t)
kernel_list_proc(privoxy_t)
kernel_read_proc_symlinks(privoxy_t)
-corenet_non_ipsec_sendrecv(privoxy_t)
+corenet_all_recvfrom_unlabeled(privoxy_t)
+corenet_all_recvfrom_netlabel(privoxy_t)
corenet_tcp_sendrecv_all_if(privoxy_t)
corenet_tcp_sendrecv_all_nodes(privoxy_t)
corenet_tcp_sendrecv_all_ports(privoxy_t)
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 1b9492d..5beb82e 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.5.1)
+policy_module(procmail,1.5.2)
########################################
#
@@ -34,7 +34,8 @@ files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
-corenet_non_ipsec_sendrecv(procmail_t)
+corenet_all_recvfrom_unlabeled(procmail_t)
+corenet_all_recvfrom_netlabel(procmail_t)
corenet_tcp_sendrecv_all_if(procmail_t)
corenet_udp_sendrecv_all_if(procmail_t)
corenet_tcp_sendrecv_all_nodes(procmail_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 137a111..046162a 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
-policy_module(pyzor,1.2.1)
+policy_module(pyzor,1.2.2)
########################################
#
@@ -112,7 +112,8 @@ dev_read_urand(pyzord_t)
corecmd_exec_bin(pyzord_t)
-corenet_non_ipsec_sendrecv(pyzord_t)
+corenet_all_recvfrom_unlabeled(pyzord_t)
+corenet_all_recvfrom_netlabel(pyzord_t)
corenet_udp_sendrecv_all_if(pyzord_t)
corenet_udp_sendrecv_all_nodes(pyzord_t)
corenet_udp_sendrecv_all_ports(pyzord_t)
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 67bfb6b..8a8d697 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -1,5 +1,5 @@
-policy_module(qmail,1.1.0)
+policy_module(qmail,1.1.1)
########################################
#
@@ -171,7 +171,8 @@ allow qmail_remote_t self:udp_socket create_socket_perms;
rw_files_pattern(qmail_remote_t,qmail_spool_t,qmail_spool_t)
-corenet_non_ipsec_sendrecv(qmail_remote_t)
+corenet_all_recvfrom_unlabeled(qmail_remote_t)
+corenet_all_recvfrom_netlabel(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
corenet_udp_sendrecv_generic_if(qmail_remote_t)
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index a77138a..8991af4 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
-policy_module(radius,1.3.1)
+policy_module(radius,1.3.2)
########################################
#
@@ -58,7 +58,8 @@ files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
kernel_read_kernel_sysctls(radiusd_t)
kernel_read_system_state(radiusd_t)
-corenet_non_ipsec_sendrecv(radiusd_t)
+corenet_all_recvfrom_unlabeled(radiusd_t)
+corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_all_if(radiusd_t)
corenet_udp_sendrecv_all_if(radiusd_t)
corenet_tcp_sendrecv_all_nodes(radiusd_t)
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index d808771..df87097 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
-policy_module(radvd,1.3.0)
+policy_module(radvd,1.3.1)
########################################
#
@@ -38,7 +38,8 @@ kernel_read_net_sysctls(radvd_t)
kernel_read_network_state(radvd_t)
kernel_read_system_state(radvd_t)
-corenet_non_ipsec_sendrecv(radvd_t)
+corenet_all_recvfrom_unlabeled(radvd_t)
+corenet_all_recvfrom_netlabel(radvd_t)
corenet_tcp_sendrecv_all_if(radvd_t)
corenet_udp_sendrecv_all_if(radvd_t)
corenet_raw_sendrecv_all_if(radvd_t)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 5c5b99d..c8f24ac 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -67,7 +67,8 @@ template(`razor_common_domain_template',`
corecmd_exec_bin($1_t)
- corenet_non_ipsec_sendrecv($1_t)
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index f88636d..27bae91 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -1,5 +1,5 @@
-policy_module(razor,1.2.0)
+policy_module(razor,1.2.1)
########################################
#
@@ -41,7 +41,8 @@ logging_log_filetrans(razor_t,razor_log_t,file)
manage_files_pattern(razor_t,razor_var_lib_t,razor_var_lib_t)
files_var_lib_filetrans(razor_t,razor_var_lib_t,file)
-corenet_non_ipsec_sendrecv(razor_t)
+corenet_all_recvfrom_unlabeled(razor_t)
+corenet_all_recvfrom_netlabel(razor_t)
corenet_tcp_sendrecv_generic_if(razor_t)
corenet_raw_sendrecv_generic_if(razor_t)
corenet_tcp_sendrecv_all_nodes(razor_t)
diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te
index 7ab6419..b90ae77 100644
--- a/policy/modules/services/rdisc.te
+++ b/policy/modules/services/rdisc.te
@@ -1,5 +1,5 @@
-policy_module(rdisc,1.3.0)
+policy_module(rdisc,1.3.1)
########################################
#
@@ -26,7 +26,8 @@ kernel_list_proc(rdisc_t)
kernel_read_proc_symlinks(rdisc_t)
kernel_read_kernel_sysctls(rdisc_t)
-corenet_non_ipsec_sendrecv(rdisc_t)
+corenet_all_recvfrom_unlabeled(rdisc_t)
+corenet_all_recvfrom_netlabel(rdisc_t)
corenet_udp_sendrecv_generic_if(rdisc_t)
corenet_raw_sendrecv_generic_if(rdisc_t)
corenet_udp_sendrecv_all_nodes(rdisc_t)
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index df66704..5707299 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
-policy_module(rhgb,1.3.0)
+policy_module(rhgb,1.3.1)
########################################
#
@@ -44,7 +44,8 @@ kernel_read_system_state(rhgb_t)
corecmd_exec_bin(rhgb_t)
corecmd_exec_shell(rhgb_t)
-corenet_non_ipsec_sendrecv(rhgb_t)
+corenet_all_recvfrom_unlabeled(rhgb_t)
+corenet_all_recvfrom_netlabel(rhgb_t)
corenet_tcp_sendrecv_generic_if(rhgb_t)
corenet_udp_sendrecv_generic_if(rhgb_t)
corenet_tcp_sendrecv_all_nodes(rhgb_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 674c7aa..40d07a6 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -1,5 +1,5 @@
-policy_module(ricci,1.1.0)
+policy_module(ricci,1.1.1)
########################################
#
@@ -120,7 +120,8 @@ kernel_read_kernel_sysctls(ricci_t)
corecmd_exec_bin(ricci_t)
-corenet_non_ipsec_sendrecv(ricci_t)
+corenet_all_recvfrom_unlabeled(ricci_t)
+corenet_all_recvfrom_netlabel(ricci_t)
corenet_tcp_sendrecv_all_if(ricci_t)
corenet_tcp_sendrecv_all_nodes(ricci_t)
corenet_tcp_sendrecv_all_ports(ricci_t)
@@ -356,7 +357,6 @@ logging_read_generic_logs(ricci_modlog_t)
miscfiles_read_localization(ricci_modlog_t)
-
optional_policy(`
nscd_dontaudit_search_pid(ricci_modlog_t)
')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index c38ec83..45e947e 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
-policy_module(rlogin,1.3.0)
+policy_module(rlogin,1.3.1)
########################################
#
@@ -50,7 +50,8 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
-corenet_non_ipsec_sendrecv(rlogind_t)
+corenet_all_recvfrom_unlabeled(rlogind_t)
+corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_all_if(rlogind_t)
corenet_udp_sendrecv_all_if(rlogind_t)
corenet_tcp_sendrecv_all_nodes(rlogind_t)
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index 92458ec..211f735 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -1,5 +1,5 @@
-policy_module(roundup,1.2.0)
+policy_module(roundup,1.2.1)
########################################
#
@@ -43,7 +43,8 @@ dev_read_sysfs(roundup_t)
# execute python
corecmd_exec_bin(roundup_t)
-corenet_non_ipsec_sendrecv(roundup_t)
+corenet_all_recvfrom_unlabeled(roundup_t)
+corenet_all_recvfrom_netlabel(roundup_t)
corenet_tcp_sendrecv_generic_if(roundup_t)
corenet_udp_sendrecv_generic_if(roundup_t)
corenet_raw_sendrecv_generic_if(roundup_t)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 21d96f5..bbf5f41 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -70,7 +70,8 @@ template(`rpc_domain_template', `
dev_read_urand($1_t)
dev_read_rand($1_t)
- corenet_non_ipsec_sendrecv($1_t)
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
@@ -80,7 +81,6 @@ template(`rpc_domain_template', `
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_reserved_port($1_t)
- corenet_tcp_bind_reserved_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_portmap_client_packets($1_t)
# do not log when it tries to bind to a port belonging to another domain
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 429f47f..a746392 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc,1.5.0)
+policy_module(rpc,1.5.1)
########################################
#
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index 1dbe9c0..949859c 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -1,5 +1,5 @@
-policy_module(rshd,1.2.0)
+policy_module(rshd,1.2.1)
########################################
#
@@ -23,7 +23,8 @@ allow rshd_t self:tcp_socket create_stream_socket_perms;
kernel_read_kernel_sysctls(rshd_t)
-corenet_non_ipsec_sendrecv(rshd_t)
+corenet_all_recvfrom_unlabeled(rshd_t)
+corenet_all_recvfrom_netlabel(rshd_t)
corenet_tcp_sendrecv_generic_if(rshd_t)
corenet_udp_sendrecv_generic_if(rshd_t)
corenet_tcp_sendrecv_all_nodes(rshd_t)
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 5096d24..c9de498 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync,1.4.0)
+policy_module(rsync,1.4.1)
########################################
#
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
-corenet_non_ipsec_sendrecv(rsync_t)
+corenet_all_recvfrom_unlabeled(rsync_t)
+corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_all_if(rsync_t)
corenet_udp_sendrecv_all_if(rsync_t)
corenet_tcp_sendrecv_all_nodes(rsync_t)
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index d47263a..4f74729 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -1,5 +1,5 @@
-policy_module(rwho,1.0.1)
+policy_module(rwho,1.0.2)
########################################
#
@@ -32,7 +32,8 @@ files_spool_filetrans(rwho_t,rwho_spool_t, { file dir })
kernel_read_system_state(rwho_t)
-corenet_non_ipsec_sendrecv(rwho_t)
+corenet_all_recvfrom_unlabeled(rwho_t)
+corenet_all_recvfrom_netlabel(rwho_t)
corenet_udp_sendrecv_all_if(rwho_t)
corenet_udp_sendrecv_all_nodes(rwho_t)
corenet_udp_sendrecv_all_ports(rwho_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index bb9746e..2b0bf32 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.5.1)
+policy_module(samba,1.5.2)
#################################
#
@@ -170,6 +170,8 @@ manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t)
kernel_read_proc_symlinks(samba_net_t)
+corenet_all_recvfrom_unlabeled(samba_net_t)
+corenet_all_recvfrom_netlabel(samba_net_t)
corenet_tcp_sendrecv_all_if(samba_net_t)
corenet_udp_sendrecv_all_if(samba_net_t)
corenet_raw_sendrecv_all_if(samba_net_t)
@@ -178,7 +180,6 @@ corenet_udp_sendrecv_all_nodes(samba_net_t)
corenet_raw_sendrecv_all_nodes(samba_net_t)
corenet_tcp_sendrecv_all_ports(samba_net_t)
corenet_udp_sendrecv_all_ports(samba_net_t)
-corenet_non_ipsec_sendrecv(samba_net_t)
corenet_tcp_bind_all_nodes(samba_net_t)
corenet_udp_bind_all_nodes(samba_net_t)
corenet_tcp_connect_smbd_port(samba_net_t)
@@ -280,6 +281,8 @@ kernel_read_system_state(smbd_t)
corecmd_exec_shell(smbd_t)
corecmd_exec_bin(smbd_t)
+corenet_all_recvfrom_unlabeled(smbd_t)
+corenet_all_recvfrom_netlabel(smbd_t)
corenet_tcp_sendrecv_all_if(smbd_t)
corenet_udp_sendrecv_all_if(smbd_t)
corenet_raw_sendrecv_all_if(smbd_t)
@@ -288,7 +291,6 @@ corenet_udp_sendrecv_all_nodes(smbd_t)
corenet_raw_sendrecv_all_nodes(smbd_t)
corenet_tcp_sendrecv_all_ports(smbd_t)
corenet_udp_sendrecv_all_ports(smbd_t)
-corenet_non_ipsec_sendrecv(smbd_t)
corenet_tcp_bind_all_nodes(smbd_t)
corenet_udp_bind_all_nodes(smbd_t)
corenet_tcp_bind_smbd_port(smbd_t)
@@ -444,7 +446,8 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
-corenet_non_ipsec_sendrecv(nmbd_t)
+corenet_all_recvfrom_unlabeled(nmbd_t)
+corenet_all_recvfrom_netlabel(nmbd_t)
corenet_tcp_sendrecv_all_if(nmbd_t)
corenet_udp_sendrecv_all_if(nmbd_t)
corenet_tcp_sendrecv_all_nodes(nmbd_t)
@@ -529,6 +532,8 @@ files_list_var_lib(smbmount_t)
kernel_read_system_state(smbmount_t)
+corenet_all_recvfrom_unlabeled(smbmount_t)
+corenet_all_recvfrom_netlabel(smbmount_t)
corenet_tcp_sendrecv_all_if(smbmount_t)
corenet_raw_sendrecv_all_if(smbmount_t)
corenet_udp_sendrecv_all_if(smbmount_t)
@@ -537,7 +542,6 @@ corenet_raw_sendrecv_all_nodes(smbmount_t)
corenet_udp_sendrecv_all_nodes(smbmount_t)
corenet_tcp_sendrecv_all_ports(smbmount_t)
corenet_udp_sendrecv_all_ports(smbmount_t)
-corenet_non_ipsec_sendrecv(smbmount_t)
corenet_tcp_bind_all_nodes(smbmount_t)
corenet_udp_bind_all_nodes(smbmount_t)
corenet_tcp_connect_all_ports(smbmount_t)
@@ -631,7 +635,8 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
-corenet_non_ipsec_sendrecv(swat_t)
+corenet_all_recvfrom_unlabeled(swat_t)
+corenet_all_recvfrom_netlabel(swat_t)
corenet_tcp_sendrecv_generic_if(swat_t)
corenet_udp_sendrecv_generic_if(swat_t)
corenet_raw_sendrecv_generic_if(swat_t)
@@ -738,6 +743,8 @@ kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
+corenet_all_recvfrom_unlabeled(winbind_t)
+corenet_all_recvfrom_netlabel(winbind_t)
corenet_tcp_sendrecv_all_if(winbind_t)
corenet_udp_sendrecv_all_if(winbind_t)
corenet_raw_sendrecv_all_if(winbind_t)
@@ -746,7 +753,6 @@ corenet_udp_sendrecv_all_nodes(winbind_t)
corenet_raw_sendrecv_all_nodes(winbind_t)
corenet_tcp_sendrecv_all_ports(winbind_t)
corenet_udp_sendrecv_all_ports(winbind_t)
-corenet_non_ipsec_sendrecv(winbind_t)
corenet_tcp_bind_all_nodes(winbind_t)
corenet_udp_bind_all_nodes(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index ce54944..be95079 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl,1.5.0)
+policy_module(sasl,1.5.1)
########################################
#
@@ -47,7 +47,8 @@ files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
-corenet_non_ipsec_sendrecv(saslauthd_t)
+corenet_all_recvfrom_unlabeled(saslauthd_t)
+corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_all_if(saslauthd_t)
corenet_tcp_sendrecv_all_nodes(saslauthd_t)
corenet_tcp_sendrecv_all_ports(saslauthd_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 13bcb92..69d6671 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
-policy_module(sendmail,1.4.2)
+policy_module(sendmail,1.4.3)
########################################
#
@@ -49,7 +49,8 @@ kernel_read_kernel_sysctls(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
-corenet_non_ipsec_sendrecv(sendmail_t)
+corenet_all_recvfrom_unlabeled(sendmail_t)
+corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
corenet_tcp_sendrecv_all_nodes(sendmail_t)
corenet_tcp_sendrecv_all_ports(sendmail_t)
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 99090db..0698cad 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
-policy_module(setroubleshoot,1.3.1)
+policy_module(setroubleshoot,1.3.2)
########################################
#
@@ -58,7 +58,8 @@ kernel_read_network_state(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-corenet_non_ipsec_sendrecv(setroubleshootd_t)
+corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+corenet_all_recvfrom_netlabel(setroubleshootd_t)
corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 5bc4baa..f7ea4b1 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
-policy_module(smartmon,1.2.0)
+policy_module(smartmon,1.2.1)
########################################
#
@@ -42,7 +42,8 @@ kernel_read_system_state(fsdaemon_t)
corecmd_exec_all_executables(fsdaemon_t)
-corenet_non_ipsec_sendrecv(fsdaemon_t)
+corenet_all_recvfrom_unlabeled(fsdaemon_t)
+corenet_all_recvfrom_netlabel(fsdaemon_t)
corenet_udp_sendrecv_generic_if(fsdaemon_t)
corenet_udp_sendrecv_all_nodes(fsdaemon_t)
corenet_udp_sendrecv_all_ports(fsdaemon_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index f515d71..143a4c7 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
-policy_module(snmp,1.4.3)
+policy_module(snmp,1.4.4)
########################################
#
@@ -53,7 +53,8 @@ kernel_read_network_state(snmpd_t)
corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)
-corenet_non_ipsec_sendrecv(snmpd_t)
+corenet_all_recvfrom_unlabeled(snmpd_t)
+corenet_all_recvfrom_netlabel(snmpd_t)
corenet_tcp_sendrecv_all_if(snmpd_t)
corenet_udp_sendrecv_all_if(snmpd_t)
corenet_tcp_sendrecv_all_nodes(snmpd_t)
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 86f8176..0af52e5 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
-policy_module(snort,1.2.0)
+policy_module(snort,1.2.1)
########################################
#
@@ -55,7 +55,8 @@ kernel_list_proc(snort_t)
kernel_read_proc_symlinks(snort_t)
kernel_dontaudit_read_system_state(snort_t)
-corenet_non_ipsec_sendrecv(snort_t)
+corenet_all_recvfrom_unlabeled(snort_t)
+corenet_all_recvfrom_netlabel(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
corenet_raw_sendrecv_generic_if(snort_t)
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index 8119ab2..250bbb7 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.2.0)
+policy_module(soundserver,1.2.1)
########################################
#
@@ -62,7 +62,8 @@ kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
kernel_read_proc_symlinks(soundd_t)
-corenet_non_ipsec_sendrecv(soundd_t)
+corenet_all_recvfrom_unlabeled(soundd_t)
+corenet_all_recvfrom_netlabel(soundd_t)
corenet_tcp_sendrecv_generic_if(soundd_t)
corenet_udp_sendrecv_generic_if(soundd_t)
corenet_tcp_sendrecv_all_nodes(soundd_t)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 186838f..7a374fd 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -97,7 +97,8 @@ template(`spamassassin_per_role_template',`
kernel_read_kernel_sysctls($1_spamc_t)
- corenet_non_ipsec_sendrecv($1_spamc_t)
+ corenet_all_recvfrom_unlabeled($1_spamc_t)
+ corenet_all_recvfrom_netlabel($1_spamc_t)
corenet_tcp_sendrecv_generic_if($1_spamc_t)
corenet_udp_sendrecv_generic_if($1_spamc_t)
corenet_tcp_sendrecv_all_nodes($1_spamc_t)
@@ -267,7 +268,8 @@ template(`spamassassin_per_role_template',`
allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
allow $1_spamassassin_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1_spamassassin_t)
+ corenet_all_recvfrom_unlabeled($1_spamassassin_t)
+ corenet_all_recvfrom_netlabel($1_spamassassin_t)
corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
corenet_udp_sendrecv_generic_if($1_spamassassin_t)
corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 78f85ba..3152d7b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.6.1)
+policy_module(spamassassin,1.6.2)
########################################
#
@@ -93,7 +93,8 @@ files_pid_filetrans(spamd_t,spamd_var_run_t,file)
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-corenet_non_ipsec_sendrecv(spamd_t)
+corenet_all_recvfrom_unlabeled(spamd_t)
+corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_all_if(spamd_t)
corenet_udp_sendrecv_all_if(spamd_t)
corenet_tcp_sendrecv_all_nodes(spamd_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 356f465..16d6bd4 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
-policy_module(squid,1.3.1)
+policy_module(squid,1.3.2)
########################################
#
@@ -75,7 +75,8 @@ kernel_read_system_state(squid_t)
files_dontaudit_getattr_boot_dirs(squid_t)
-corenet_non_ipsec_sendrecv(squid_t)
+corenet_all_recvfrom_unlabeled(squid_t)
+corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_all_if(squid_t)
corenet_udp_sendrecv_all_if(squid_t)
corenet_tcp_sendrecv_all_nodes(squid_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 86f393b..623cdd0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -109,7 +109,8 @@ template(`ssh_basic_client_template',`
kernel_read_kernel_sysctls($1_ssh_t)
- corenet_non_ipsec_sendrecv($1_ssh_t)
+ corenet_all_recvfrom_unlabeled($1_ssh_t)
+ corenet_all_recvfrom_netlabel($1_ssh_t)
corenet_tcp_sendrecv_all_if($1_ssh_t)
corenet_tcp_sendrecv_all_nodes($1_ssh_t)
corenet_tcp_sendrecv_all_ports($1_ssh_t)
@@ -466,6 +467,8 @@ template(`ssh_server_template', `
kernel_read_kernel_sysctls($1_t)
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_raw_sendrecv_all_if($1_t)
@@ -474,7 +477,6 @@ template(`ssh_server_template', `
corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
- corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_ssh_port($1_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5fff856..4e78a6c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.6.1)
+policy_module(ssh,1.6.2)
########################################
#
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index cee092b..24eb409 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel,1.3.0)
+policy_module(stunnel,1.3.1)
########################################
#
@@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(stunnel_t)
kernel_read_system_state(stunnel_t)
kernel_read_network_state(stunnel_t)
-corenet_non_ipsec_sendrecv(stunnel_t)
+corenet_all_recvfrom_unlabeled(stunnel_t)
+corenet_all_recvfrom_netlabel(stunnel_t)
corenet_tcp_sendrecv_all_if(stunnel_t)
corenet_udp_sendrecv_all_if(stunnel_t)
corenet_tcp_sendrecv_all_nodes(stunnel_t)
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index a16ccc5..e0945ac 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -1,5 +1,5 @@
-policy_module(tcpd,1.1.0)
+policy_module(tcpd,1.1.1)
########################################
#
@@ -23,7 +23,8 @@ manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
-corenet_non_ipsec_sendrecv(tcpd_t)
+corenet_all_recvfrom_unlabeled(tcpd_t)
+corenet_all_recvfrom_netlabel(tcpd_t)
corenet_tcp_sendrecv_all_if(tcpd_t)
corenet_tcp_sendrecv_all_nodes(tcpd_t)
corenet_tcp_sendrecv_all_ports(tcpd_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index ea6993d..05e7cb1 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -1,5 +1,5 @@
-policy_module(telnet,1.4.0)
+policy_module(telnet,1.4.1)
########################################
#
@@ -49,7 +49,8 @@ kernel_read_kernel_sysctls(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
-corenet_non_ipsec_sendrecv(telnetd_t)
+corenet_all_recvfrom_unlabeled(telnetd_t)
+corenet_all_recvfrom_netlabel(telnetd_t)
corenet_tcp_sendrecv_all_if(telnetd_t)
corenet_udp_sendrecv_all_if(telnetd_t)
corenet_tcp_sendrecv_all_nodes(telnetd_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 7e57399..56437d5 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp,1.4.1)
+policy_module(tftp,1.4.2)
########################################
#
@@ -39,7 +39,8 @@ kernel_read_kernel_sysctls(tftpd_t)
kernel_list_proc(tftpd_t)
kernel_read_proc_symlinks(tftpd_t)
-corenet_non_ipsec_sendrecv(tftpd_t)
+corenet_all_recvfrom_unlabeled(tftpd_t)
+corenet_all_recvfrom_netlabel(tftpd_t)
corenet_tcp_sendrecv_all_if(tftpd_t)
corenet_udp_sendrecv_all_if(tftpd_t)
corenet_tcp_sendrecv_all_nodes(tftpd_t)
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
index 4768d55..38f9dc6 100644
--- a/policy/modules/services/timidity.te
+++ b/policy/modules/services/timidity.te
@@ -1,5 +1,5 @@
-policy_module(timidity,1.3.0)
+policy_module(timidity,1.3.1)
# Note: You only need this policy if you want to run timidity as a server
@@ -39,7 +39,8 @@ kernel_read_kernel_sysctls(timidity_t)
# read /proc/cpuinfo
kernel_read_system_state(timidity_t)
-corenet_non_ipsec_sendrecv(timidity_t)
+corenet_all_recvfrom_unlabeled(timidity_t)
+corenet_all_recvfrom_netlabel(timidity_t)
corenet_tcp_sendrecv_generic_if(timidity_t)
corenet_udp_sendrecv_generic_if(timidity_t)
corenet_tcp_sendrecv_all_nodes(timidity_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index b54acb7..b96d6a0 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -1,5 +1,5 @@
-policy_module(tor,1.2.0)
+policy_module(tor,1.2.1)
########################################
#
@@ -63,7 +63,8 @@ files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
kernel_read_system_state(tor_t)
# networking basics
-corenet_non_ipsec_sendrecv(tor_t)
+corenet_all_recvfrom_unlabeled(tor_t)
+corenet_all_recvfrom_netlabel(tor_t)
corenet_tcp_sendrecv_all_if(tor_t)
corenet_tcp_sendrecv_all_nodes(tor_t)
corenet_tcp_sendrecv_all_ports(tor_t)
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index 680ce59..8e3e6f9 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -1,5 +1,5 @@
-policy_module(transproxy,1.2.0)
+policy_module(transproxy,1.2.1)
########################################
#
@@ -30,7 +30,8 @@ kernel_read_kernel_sysctls(transproxy_t)
kernel_list_proc(transproxy_t)
kernel_read_proc_symlinks(transproxy_t)
-corenet_non_ipsec_sendrecv(transproxy_t)
+corenet_all_recvfrom_unlabeled(transproxy_t)
+corenet_all_recvfrom_netlabel(transproxy_t)
corenet_tcp_sendrecv_generic_if(transproxy_t)
corenet_tcp_sendrecv_all_nodes(transproxy_t)
corenet_tcp_sendrecv_all_ports(transproxy_t)
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
index a93f147..251b160 100644
--- a/policy/modules/services/ucspitcp.te
+++ b/policy/modules/services/ucspitcp.te
@@ -1,5 +1,5 @@
-policy_module(ucspitcp,1.1.0)
+policy_module(ucspitcp,1.1.1)
########################################
#
@@ -25,13 +25,14 @@ ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
corecmd_search_bin(rblsmtpd_t)
+corenet_all_recvfrom_unlabeled(rblsmtpd_t)
+corenet_all_recvfrom_netlabel(rblsmtpd_t)
corenet_tcp_sendrecv_all_if(rblsmtpd_t)
corenet_udp_sendrecv_all_if(rblsmtpd_t)
corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
corenet_udp_sendrecv_all_ports(rblsmtpd_t)
-corenet_non_ipsec_sendrecv(rblsmtpd_t)
corenet_tcp_bind_all_nodes(rblsmtpd_t)
corenet_udp_bind_generic_port(rblsmtpd_t)
@@ -58,7 +59,8 @@ allow ucspitcp_t self:udp_socket create_socket_perms;
corecmd_search_bin(ucspitcp_t)
# base networking:
-corenet_non_ipsec_sendrecv(ucspitcp_t)
+corenet_all_recvfrom_unlabeled(ucspitcp_t)
+corenet_all_recvfrom_netlabel(ucspitcp_t)
corenet_tcp_sendrecv_all_if(ucspitcp_t)
corenet_udp_sendrecv_all_if(ucspitcp_t)
corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 415b610..d08f12f 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -1,5 +1,5 @@
-policy_module(uucp,1.3.0)
+policy_module(uucp,1.3.1)
########################################
#
@@ -70,7 +70,8 @@ kernel_read_kernel_sysctls(uucpd_t)
kernel_read_system_state(uucpd_t)
kernel_read_network_state(uucpd_t)
-corenet_non_ipsec_sendrecv(uucpd_t)
+corenet_all_recvfrom_unlabeled(uucpd_t)
+corenet_all_recvfrom_netlabel(uucpd_t)
corenet_tcp_sendrecv_all_if(uucpd_t)
corenet_udp_sendrecv_all_if(uucpd_t)
corenet_tcp_sendrecv_all_nodes(uucpd_t)
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index c0f923d..6f15a3f 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -1,5 +1,5 @@
-policy_module(uwimap,1.2.0)
+policy_module(uwimap,1.2.1)
########################################
#
@@ -39,7 +39,8 @@ kernel_read_kernel_sysctls(imapd_t)
kernel_list_proc(imapd_t)
kernel_read_proc_symlinks(imapd_t)
-corenet_non_ipsec_sendrecv(imapd_t)
+corenet_all_recvfrom_unlabeled(imapd_t)
+corenet_all_recvfrom_netlabel(imapd_t)
corenet_tcp_sendrecv_generic_if(imapd_t)
corenet_tcp_sendrecv_all_nodes(imapd_t)
corenet_tcp_sendrecv_all_ports(imapd_t)
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 45009a7..ca35daf 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -1,5 +1,5 @@
-policy_module(watchdog,1.2.0)
+policy_module(watchdog,1.2.1)
#################################
#
@@ -43,7 +43,8 @@ kernel_unmount_proc(watchdog_t)
corecmd_exec_shell(watchdog_t)
# cjp: why networking?
-corenet_non_ipsec_sendrecv(watchdog_t)
+corenet_all_recvfrom_unlabeled(watchdog_t)
+corenet_all_recvfrom_netlabel(watchdog_t)
corenet_tcp_sendrecv_generic_if(watchdog_t)
corenet_udp_sendrecv_generic_if(watchdog_t)
corenet_tcp_sendrecv_all_nodes(watchdog_t)
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index 14f0599..7dd67c2 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -1,5 +1,5 @@
-policy_module(xprint,1.2.0)
+policy_module(xprint,1.2.1)
########################################
#
@@ -33,7 +33,8 @@ kernel_read_kernel_sysctls(xprint_t)
corecmd_exec_bin(xprint_t)
corecmd_exec_shell(xprint_t)
-corenet_non_ipsec_sendrecv(xprint_t)
+corenet_all_recvfrom_unlabeled(xprint_t)
+corenet_all_recvfrom_netlabel(xprint_t)
corenet_tcp_sendrecv_generic_if(xprint_t)
corenet_udp_sendrecv_generic_if(xprint_t)
corenet_tcp_sendrecv_all_nodes(xprint_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 39512fe..47faddf 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -94,7 +94,8 @@ template(`xserver_common_domain_template',`
corecmd_exec_bin($1_xserver_t)
corecmd_exec_shell($1_xserver_t)
- corenet_non_ipsec_sendrecv($1_xserver_t)
+ corenet_all_recvfrom_unlabeled($1_xserver_t)
+ corenet_all_recvfrom_netlabel($1_xserver_t)
corenet_tcp_sendrecv_generic_if($1_xserver_t)
corenet_udp_sendrecv_generic_if($1_xserver_t)
corenet_tcp_sendrecv_all_nodes($1_xserver_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 6493e17..bd0eea8 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.4.1)
+policy_module(xserver,1.4.2)
########################################
#
@@ -177,7 +177,8 @@ kernel_read_network_state(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-corenet_non_ipsec_sendrecv(xdm_t)
+corenet_all_recvfrom_unlabeled(xdm_t)
+corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
corenet_tcp_sendrecv_all_nodes(xdm_t)
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index c0e3924..6cfc28c 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra,1.4.0)
+policy_module(zebra,1.4.1)
########################################
#
@@ -67,7 +67,8 @@ kernel_read_system_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
-corenet_non_ipsec_sendrecv(zebra_t)
+corenet_all_recvfrom_unlabeled(zebra_t)
+corenet_all_recvfrom_netlabel(zebra_t)
corenet_tcp_sendrecv_all_if(zebra_t)
corenet_udp_sendrecv_all_if(zebra_t)
corenet_raw_sendrecv_all_if(zebra_t)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 9ab1d39..d2450f3 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
-policy_module(hotplug,1.5.1)
+policy_module(hotplug,1.5.2)
########################################
#
@@ -51,7 +51,8 @@ kernel_read_net_sysctls(hotplug_t)
files_read_kernel_modules(hotplug_t)
-corenet_non_ipsec_sendrecv(hotplug_t)
+corenet_all_recvfrom_unlabeled(hotplug_t)
+corenet_all_recvfrom_netlabel(hotplug_t)
corenet_tcp_sendrecv_all_if(hotplug_t)
corenet_udp_sendrecv_all_if(hotplug_t)
corenet_tcp_sendrecv_all_nodes(hotplug_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c0c0b99..cf0c2ac 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.6.1)
+policy_module(init,1.6.2)
gen_require(`
class passwd rootok;
@@ -247,7 +247,8 @@ kernel_dontaudit_getattr_message_if(initrc_t)
files_read_kernel_symbol_table(initrc_t)
-corenet_non_ipsec_sendrecv(initrc_t)
+corenet_all_recvfrom_unlabeled(initrc_t)
+corenet_all_recvfrom_netlabel(initrc_t)
corenet_tcp_sendrecv_all_if(initrc_t)
corenet_udp_sendrecv_all_if(initrc_t)
corenet_tcp_sendrecv_all_nodes(initrc_t)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 06163e4..58e65bd 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec,1.3.0)
+policy_module(ipsec,1.3.1)
########################################
#
@@ -95,7 +95,7 @@ kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t)
# Pluto needs network access
-corenet_non_ipsec_sendrecv(ipsec_t)
+corenet_all_recvfrom_unlabeled(ipsec_t)
corenet_tcp_sendrecv_all_if(ipsec_t)
corenet_raw_sendrecv_all_if(ipsec_t)
corenet_tcp_sendrecv_all_nodes(ipsec_t)
@@ -307,7 +307,7 @@ allow racoon_t ipsec_spd_t:association setcontext;
kernel_read_network_state(racoon_t)
-corenet_non_ipsec_sendrecv(racoon_t)
+corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index d91cba4..02c57fd 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -1,5 +1,5 @@
-policy_module(iscsid,1.1.0)
+policy_module(iscsid,1.1.1)
########################################
#
@@ -54,7 +54,8 @@ files_search_var_lib(iscsid_t)
manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t)
files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
-corenet_non_ipsec_sendrecv(iscsid_t)
+corenet_all_recvfrom_unlabeled(iscsid_t)
+corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_all_if(iscsid_t)
corenet_tcp_sendrecv_all_nodes(iscsid_t)
corenet_tcp_sendrecv_all_ports(iscsid_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ab0e9a3..8e9b3e7 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.6.1)
+policy_module(logging,1.6.2)
########################################
#
@@ -303,7 +303,8 @@ init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
term_write_all_user_ttys(syslogd_t)
-corenet_non_ipsec_sendrecv(syslogd_t)
+corenet_all_recvfrom_unlabeled(syslogd_t)
+corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_all_if(syslogd_t)
corenet_udp_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_ports(syslogd_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index e23daa8..7944156 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.6.0)
+policy_module(lvm,1.6.1)
########################################
#
@@ -69,7 +69,8 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
corecmd_exec_shell(clvmd_t)
corecmd_getattr_bin_files(clvmd_t)
-corenet_non_ipsec_sendrecv(clvmd_t)
+corenet_all_recvfrom_unlabeled(clvmd_t)
+corenet_all_recvfrom_netlabel(clvmd_t)
corenet_tcp_sendrecv_all_if(clvmd_t)
corenet_udp_sendrecv_all_if(clvmd_t)
corenet_raw_sendrecv_all_if(clvmd_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 3713d67..5b88bd8 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.6.0)
+policy_module(mount,1.6.1)
########################################
#
@@ -139,7 +139,8 @@ ifdef(`targeted_policy',`
optional_policy(`
# for nfs
- corenet_non_ipsec_sendrecv(mount_t)
+ corenet_all_recvfrom_unlabeled(mount_t)
+ corenet_all_recvfrom_netlabel(mount_t)
corenet_tcp_sendrecv_all_if(mount_t)
corenet_raw_sendrecv_all_if(mount_t)
corenet_udp_sendrecv_all_if(mount_t)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 5b9c2cd..970e2cf 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -480,7 +480,8 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
@@ -511,7 +512,8 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_ldap_port($1)
@@ -540,7 +542,8 @@ interface(`sysnet_use_portmap',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 285bc86..3422da9 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork,1.3.0)
+policy_module(sysnetwork,1.3.1)
########################################
#
@@ -84,7 +84,8 @@ kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
kernel_use_fds(dhcpc_t)
-corenet_non_ipsec_sendrecv(dhcpc_t)
+corenet_all_recvfrom_unlabeled(dhcpc_t)
+corenet_all_recvfrom_netlabel(dhcpc_t)
corenet_tcp_sendrecv_all_if(dhcpc_t)
corenet_raw_sendrecv_all_if(dhcpc_t)
corenet_udp_sendrecv_all_if(dhcpc_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index fcd4572..6db2c1f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -537,7 +537,8 @@ template(`userdom_basic_networking_template',`
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1_t)
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
@@ -546,12 +547,6 @@ template(`userdom_basic_networking_template',`
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
-
- ifdef(`enable_mls',`
- # netlabel/CIPSO labeled networking
- corenet_tcp_recv_netlabel($1_t)
- corenet_udp_recv_netlabel($1_t)
- ')
')
#######################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 22ac2f2..1b7597c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.2.3)
+policy_module(userdomain,2.2.4)
gen_require(`
role sysadm_r, staff_r, user_r;
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 9d1d1ed..570613d 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.3.1)
+policy_module(xen,1.3.2)
########################################
#
@@ -142,7 +142,8 @@ kernel_read_network_state(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
-corenet_non_ipsec_sendrecv(xend_t)
+corenet_all_recvfrom_unlabeled(xend_t)
+corenet_all_recvfrom_netlabel(xend_t)
corenet_tcp_sendrecv_all_if(xend_t)
corenet_tcp_sendrecv_all_nodes(xend_t)
corenet_tcp_sendrecv_all_ports(xend_t)