diff --git a/modules-mls.conf b/modules-mls.conf
index 302837a..357039a 100644
--- a/modules-mls.conf
+++ b/modules-mls.conf
@@ -2082,3 +2082,10 @@ shorewall = base
# Policy for shutdown
#
shutdown = module
+
+# Layer: kernel
+# Module: unlabelednet
+#
+# The unlabelednet module.
+#
+unlabelednet = module
diff --git a/modules-targeted.conf b/modules-targeted.conf
index 208a158..26f50fa 100644
--- a/modules-targeted.conf
+++ b/modules-targeted.conf
@@ -1762,6 +1762,14 @@ userdomain = base
#
unconfined = module
+
+# Layer: kernel
+# Module: unconfined
+#
+# The unlabelednet module.
+#
+unlabelednet = module
+
# Layer: services
# Module: ulogd
#
diff --git a/policy-F15.patch b/policy-F15.patch
index ae8d5e9..e8e3b9b 100644
--- a/policy-F15.patch
+++ b/policy-F15.patch
@@ -7681,7 +7681,7 @@ index 82842a0..4111a1d 100644
dbus_system_bus_client($1_wm_t)
dbus_session_bus_client($1_wm_t)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
-index 34c9d01..4842e56 100644
+index 34c9d01..6e68bd2 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -72,7 +72,9 @@ ifdef(`distro_redhat',`
@@ -7705,7 +7705,16 @@ index 34c9d01..4842e56 100644
/lib/udev/scsi_id -- gen_context(system_u:object_r:bin_t,s0)
/lib/upstart(/.*)? gen_context(system_u:object_r:bin_t,s0)
-@@ -307,6 +309,7 @@ ifdef(`distro_redhat', `
+@@ -247,6 +249,8 @@ ifdef(`distro_gentoo',`
+ /usr/local/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:bin_t,s0)
+ /usr/local/Brother(/.*)? gen_context(system_u:object_r:bin_t,s0)
+ /usr/local/Printer(/.*)? gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/(.*/)?inf/brprintconf.* gen_context(system_u:object_r:bin_t,s0)
++/usr/local/Brother/(.*/)?inf/setup.* gen_context(system_u:object_r:bin_t,s0)
+ /usr/local/linuxprinter/filters(/.*)? gen_context(system_u:object_r:bin_t,s0)
+
+ /usr/sbin/scponlyc -- gen_context(system_u:object_r:shell_exec_t,s0)
+@@ -307,6 +311,7 @@ ifdef(`distro_redhat', `
/usr/lib64/.*/program(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib64/bluetooth(/.*)? -- gen_context(system_u:object_r:bin_t,s0)
@@ -7737,7 +7746,7 @@ index 9e5c83e..953e0e8 100644
+/lib/udev/devices/ppp -c gen_context(system_u:object_r:ppp_device_t,s0)
+/lib/udev/devices/net/.* -c gen_context(system_u:object_r:tun_tap_device_t,s0)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
-index b06df19..ae572ad 100644
+index b06df19..f20833d 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -86,6 +86,33 @@ interface(`corenet_rpc_port',`
@@ -7774,7 +7783,7 @@ index b06df19..ae572ad 100644
## Define type to be a network client packet type
## </summary>
## <desc>
-@@ -2149,13 +2176,18 @@ interface(`corenet_tcp_recvfrom_netlabel',`
+@@ -2149,9 +2176,14 @@ interface(`corenet_tcp_recvfrom_netlabel',`
## </param>
#
interface(`corenet_tcp_recvfrom_unlabeled',`
@@ -7789,13 +7798,8 @@ index b06df19..ae572ad 100644
# XXX - at some point the oubound/send access check will be removed
# but for right now we need to keep this in place so as not to break
# older systems
-- kernel_sendrecv_unlabeled_association($1)
-+# kernel_sendrecv_unlabeled_association($1)
- ')
-
- ########################################
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
-index 36ba519..7be305d 100644
+index 36ba519..e2d8b49 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -15,6 +15,7 @@ attribute rpc_port_type;
@@ -8003,17 +8007,6 @@ index 36ba519..7be305d 100644
network_port(zookeeper_client, tcp,2181,s0)
network_port(zookeeper_election, tcp,3888,s0)
network_port(zookeeper_leader, tcp,2888,s0)
-@@ -262,6 +302,10 @@ network_interface(lo, lo, s0 - mls_systemhigh)
- typealias netif_t alias { lo_netif_t netif_lo_t };
- ')
-
-+optional_policy(`
-+ unlabelednet_sendrecv_packets(corenet_unlabeled_type)
-+')
-+
- ########################################
- #
- # Unconfined access to this module
diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 3b2da10..7c29e17 100644
--- a/policy/modules/kernel/devices.fc
@@ -10399,7 +10392,7 @@ index 6d21b3d..255b47a 100644
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
-index b4ad6d7..0937933 100644
+index b4ad6d7..67e89f0 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -716,6 +716,26 @@ interface(`kernel_dontaudit_write_debugfs_dirs',`
@@ -10463,6 +10456,15 @@ index b4ad6d7..0937933 100644
## Do not audit attempts by caller to get attributes for
## unlabeled character devices.
## </summary>
+@@ -2561,7 +2599,7 @@ interface(`kernel_sendrecv_unlabeled_association',`
+ allow $1 unlabeled_t:association { sendto recvfrom };
+
+ # temporary hack until labeling on packets is supported
+- allow $1 unlabeled_t:packet { send recv };
++# allow $1 unlabeled_t:packet { send recv };
+ ')
+
+ ########################################
@@ -2882,6 +2920,24 @@ interface(`kernel_relabelfrom_unlabeled_database',`
########################################
@@ -10922,38 +10924,24 @@ index 0000000..f310b9d
+# No unlabelednet file contexts.
diff --git a/policy/modules/kernel/unlabelednet.if b/policy/modules/kernel/unlabelednet.if
new file mode 100644
-index 0000000..ba2f0b8
+index 0000000..0ce0470
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.if
-@@ -0,0 +1,19 @@
-+## <summary> Policy for allowing confined domains to talk use unlabeled_t packets. </summary>
-+
-+########################################
-+## <summary>
-+## Allow specified type to send recv unlabeled packets
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`unlabelednet_sendrecv_packets',`
-+ gen_require(`
-+ attribute unlabelednet_domain;
-+ ')
-+
-+ kernel_sendrecv_unlabeled_association($1)
-+')
+@@ -0,0 +1 @@
++## <summary> Policy for allowing confined domains to use unlabeled_t packets</summary>
diff --git a/policy/modules/kernel/unlabelednet.te b/policy/modules/kernel/unlabelednet.te
new file mode 100644
-index 0000000..dee5ba8
+index 0000000..571c3b9
--- /dev/null
+++ b/policy/modules/kernel/unlabelednet.te
-@@ -0,0 +1,3 @@
+@@ -0,0 +1,7 @@
+policy_module(unlabelednet, 1.0)
+
-+attribute unlabelednet_domain;
++gen_require(`
++ attribute corenet_unlabeled_type;
++')
++
++kernel_sendrecv_unlabeled_association(corenet_unlabeled_type)
diff --git a/policy/modules/roles/auditadm.te b/policy/modules/roles/auditadm.te
index b0d5b27..a96f2e6 100644
--- a/policy/modules/roles/auditadm.te
@@ -20245,10 +20233,10 @@ index 0000000..60c81d6
+')
diff --git a/policy/modules/services/dirsrv-admin.te b/policy/modules/services/dirsrv-admin.te
new file mode 100644
-index 0000000..c88f611
+index 0000000..b4d0dd0
--- /dev/null
+++ b/policy/modules/services/dirsrv-admin.te
-@@ -0,0 +1,94 @@
+@@ -0,0 +1,95 @@
+policy_module(dirsrv-admin,1.0.0)
+
+########################################
@@ -20318,7 +20306,8 @@ index 0000000..c88f611
+
+kernel_read_kernel_sysctls(httpd_dirsrvadmin_script_t)
+
-+corenet_sendrecv_unlabeled_packets(httpd_dirsrvadmin_script_t)
++corenet_all_recvfrom_unlabeled(httpd_dirsrvadmin_script_t)
++corenet_all_recvfrom_netlabel(httpd_dirsrvadmin_script_t)
+corenet_tcp_connect_generic_port(httpd_dirsrvadmin_script_t)
+corenet_tcp_connect_ldap_port(httpd_dirsrvadmin_script_t)
+corenet_tcp_connect_http_port(httpd_dirsrvadmin_script_t)
@@ -26440,7 +26429,7 @@ index 8581040..cfcdf10 100644
allow $1 nagios_t:process { ptrace signal_perms };
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
-index da5b33d..3ce90f7 100644
+index da5b33d..8b56967 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -107,13 +107,11 @@ files_read_etc_files(nagios_t)
@@ -26494,7 +26483,17 @@ index da5b33d..3ce90f7 100644
domtrans_pattern(nrpe_t, nagios_checkdisk_plugin_exec_t, nagios_checkdisk_plugin_t)
read_files_pattern(nrpe_t, nagios_etc_t, nagios_etc_t)
-@@ -270,7 +271,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
+@@ -201,7 +202,8 @@ corecmd_exec_shell(nrpe_t)
+
+ corenet_tcp_bind_generic_node(nrpe_t)
+ corenet_tcp_bind_inetd_child_port(nrpe_t)
+-corenet_sendrecv_unlabeled_packets(nrpe_t)
++corenet_all_recvfrom_unlabeled(nrpe_t)
++corenet_all_recvfrom_netlabel(nrpe_t)
+
+ dev_read_sysfs(nrpe_t)
+ dev_read_urand(nrpe_t)
+@@ -270,7 +272,6 @@ files_getattr_all_file_type_fs(nagios_admin_plugin_t)
#
allow nagios_mail_plugin_t self:capability { setuid setgid dac_override };
@@ -26502,7 +26501,7 @@ index da5b33d..3ce90f7 100644
allow nagios_mail_plugin_t self:netlink_route_socket r_netlink_socket_perms;
allow nagios_mail_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_mail_plugin_t self:udp_socket create_socket_perms;
-@@ -299,7 +299,7 @@ optional_policy(`
+@@ -299,7 +300,7 @@ optional_policy(`
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
@@ -26511,7 +26510,7 @@ index da5b33d..3ce90f7 100644
')
######################################
-@@ -310,6 +310,9 @@ optional_policy(`
+@@ -310,6 +311,9 @@ optional_policy(`
# needed by ioctl()
allow nagios_checkdisk_plugin_t self:capability { sys_admin sys_rawio };
@@ -26521,7 +26520,7 @@ index da5b33d..3ce90f7 100644
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
-@@ -323,7 +326,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
+@@ -323,7 +327,6 @@ storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
allow nagios_services_plugin_t self:capability { net_bind_service net_raw };
allow nagios_services_plugin_t self:process { signal sigkill };
@@ -26529,7 +26528,7 @@ index da5b33d..3ce90f7 100644
allow nagios_services_plugin_t self:tcp_socket create_stream_socket_perms;
allow nagios_services_plugin_t self:udp_socket create_socket_perms;
-@@ -340,6 +342,8 @@ files_read_usr_files(nagios_services_plugin_t)
+@@ -340,6 +343,8 @@ files_read_usr_files(nagios_services_plugin_t)
optional_policy(`
netutils_domtrans_ping(nagios_services_plugin_t)
@@ -30160,7 +30159,7 @@ index 2316653..77ef768 100644
+ admin_pattern($1, prelude_lml_tmp_t)
')
diff --git a/policy/modules/services/prelude.te b/policy/modules/services/prelude.te
-index 7e84587..7a7310d 100644
+index 7e84587..febda2f 100644
--- a/policy/modules/services/prelude.te
+++ b/policy/modules/services/prelude.te
@@ -35,7 +35,6 @@ files_pid_file(prelude_audisp_var_run_t)
@@ -30182,6 +30181,20 @@ index 7e84587..7a7310d 100644
allow prelude_lml_t self:fifo_file rw_fifo_file_perms;
allow prelude_lml_t self:unix_stream_socket connectto;
+@@ -236,11 +235,12 @@ kernel_read_sysctl(prelude_lml_t)
+
+ corecmd_exec_bin(prelude_lml_t)
+
++corenet_all_recvfrom_unlabeled(prelude_lml_t)
++corenet_all_recvfrom_netlabel(prelude_lml_t)
+ corenet_tcp_sendrecv_generic_if(prelude_lml_t)
+ corenet_tcp_sendrecv_generic_node(prelude_lml_t)
+ corenet_tcp_recvfrom_netlabel(prelude_lml_t)
+ corenet_tcp_recvfrom_unlabeled(prelude_lml_t)
+-corenet_sendrecv_unlabeled_packets(prelude_lml_t)
+ corenet_tcp_connect_prelude_port(prelude_lml_t)
+
+ dev_read_rand(prelude_lml_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 6f1b2c3..3f1a3fe 100644
--- a/policy/modules/services/privoxy.te
diff --git a/selinux-policy.spec b/selinux-policy.spec
index 625f0b6..d0fa960 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -21,7 +21,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 3.9.10
-Release: 8%{?dist}
+Release: 9%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: serefpolicy-%{version}.tgz
@@ -471,6 +471,10 @@ exit 0
%endif
%changelog
+* Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-9
+- Push fixes to allow disabling of unlabeled_t packet access
+- Enable unlabelednet policy
+
* Tue Dec 7 2010 Miroslav Grepl <mgrepl@redhat.com> 3.9.9-8
- Fixes for lvm to work with systemd