diff --git a/Changelog b/Changelog
index 9de9e4a..017d2ce 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Database labeled networking update from KaiGai Kohei.
- Several misc changes from the Fedora policy, cherry picked by David
Hrdeman.
- Large whitespace fix from Dominick Grift.
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index e590e67..630b5e3 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -189,10 +189,6 @@ template(`apache_content_template',`
corenet_udp_sendrecv_all_nodes(httpd_$1_script_t)
corenet_tcp_sendrecv_all_ports(httpd_$1_script_t)
corenet_udp_sendrecv_all_ports(httpd_$1_script_t)
- corenet_tcp_connect_postgresql_port(httpd_$1_script_t)
- corenet_tcp_connect_mysqld_port(httpd_$1_script_t)
- corenet_sendrecv_postgresql_client_packets(httpd_$1_script_t)
- corenet_sendrecv_mysqld_client_packets(httpd_$1_script_t)
sysnet_read_config(httpd_$1_script_t)
')
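Review bot: Dropping the four unconditional corenet port rules here changes what a CGI script domain can reach: the replacements in the two following hunks of this file sit inside `optional_policy` blocks and behind `httpd_enable_cgi && httpd_can_network_connect_db`, so a script domain now loses the mysqld/postgresql port access unless the tunable is on and the respective database module is loaded, whereas the removed corenet rules depended on neither. If that tightening is intended, it is worth a sentence in the tunable's description and in the Changelog entry so administrators know to enable `httpd_can_network_connect_db` for CGI database access. The enclosing `apache_content_template` starts and ends outside this hunk.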
@@ -220,6 +216,12 @@ template(`apache_content_template',`
')
optional_policy(`
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ mysql_tcp_connect(httpd_$1_script_t)
+ ')
+ ')
+
+ optional_policy(`
tunable_policy(`httpd_enable_cgi && allow_ypbind',`
nis_use_ypbind_uncond(httpd_$1_script_t)
')
@@ -227,6 +229,10 @@ template(`apache_content_template',`
optional_policy(`
postgresql_unpriv_client(httpd_$1_script_t)
+
+ tunable_policy(`httpd_enable_cgi && httpd_can_network_connect_db',`
+ postgresql_tcp_connect(httpd_$1_script_t)
+ ')
')
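Review bot: The new call to `postgresql_tcp_connect` relies on an interface that this commit does not add — mysql.if gains `mysql_tcp_connect`, but there is no hunk for postgresql.if — so it presumably already exists there; if it does not, the `optional_policy` block will fail at build time rather than silently. Assuming it exists, its grants (labeled recvfrom, port sendrecv) should mirror the new `mysql_tcp_connect` so both database paths behave the same under the tunable. The enclosing `apache_content_template` continues outside this hunk.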
optional_policy(`
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index be43195..f08dbee 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache, 1.10.0)
+policy_module(apache, 1.10.1)
#
# NOTES:
@@ -459,8 +459,7 @@ optional_policy(`
mysql_rw_db_sockets(httpd_t)
tunable_policy(`httpd_can_network_connect_db',`
- corenet_tcp_connect_mysqld_port(httpd_t)
- corenet_sendrecv_mysqld_client_packets(httpd_t)
+ mysql_tcp_connect(httpd_t)
')
')
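Review bot: Replacing the two corenet rules with `mysql_tcp_connect(httpd_t)` widens what the `httpd_can_network_connect_db` tunable grants: per the new interface in mysql.if it also adds `corenet_tcp_sendrecv_mysqld_port` and `corenet_tcp_recvfrom_labeled(httpd_t, mysqld_t)`, which the removed lines did not. That is likely the intent of the labeled-networking update, but the tunable's description (outside this hunk) should say that it now also permits labeled-peer exchange with mysqld_t. The enclosing `optional_policy` block starts outside this hunk.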
diff --git a/policy/modules/services/mysql.if b/policy/modules/services/mysql.if
index 75b3476..ba21f5f 100644
--- a/policy/modules/services/mysql.if
+++ b/policy/modules/services/mysql.if
@@ -20,6 +20,27 @@ interface(`mysql_signal',`
########################################
##
+## Allow the specified domain to connect to postgresql with a tcp socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_tcp_connect',`
+ gen_require(`
+ type mysqld_t;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, mysqld_t)
+ corenet_tcp_sendrecv_mysqld_port($1)
+ corenet_tcp_connect_mysqld_port($1)
+ corenet_sendrecv_mysqld_client_packets($1)
+')
+
+########################################
+##
## Connect to MySQL using a unix domain stream socket.
##
##
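Review bot: The summary of the new `mysql_tcp_connect` interface is a copy-paste slip — it says "connect to postgresql" inside mysql.if, while the body grants mysqld port and mysqld_t labeled access; it should read `## Allow the specified domain to connect to MySQL with a tcp socket.`. It would also help to state in the description that, unlike the plain corenet port interfaces, this one additionally permits labeled-peer traffic with mysqld_t, so callers (apache.if, apache.te in this commit) know they are granting more than a port connect.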
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index e19ce51..5ec048a 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
-policy_module(mysql, 1.8.0)
+policy_module(mysql, 1.8.1)
########################################
#
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index cb8974e..c923e6f 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1283,3 +1283,38 @@ interface(`init_manage_utmp',`
files_search_pids($1)
allow $1 initrc_var_run_t:file manage_file_perms;
')
+
+########################################
+##
+## Allow the specified domain to connect to daemon with a tcp socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_tcp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+
+ corenet_tcp_recvfrom_labeled($1, daemon)
+')
+
+########################################
+##
+## Allow the specified domain to connect to daemon with a udp socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`init_udp_recvfrom_all_daemons',`
+ gen_require(`
+ attribute daemon;
+ ')
+ corenet_udp_recvfrom_labeled($1, daemon)
+')
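Review bot: The summaries of both new interfaces describe a "connect", but neither grants connect permission; each only calls `corenet_*_recvfrom_labeled($1, daemon)`, i.e. it lets the caller exchange labeled packets with any domain carrying the `daemon` attribute, and for UDP there is no connection at all. Suggested wording: `## Allow the specified domain to receive labeled TCP packets from all daemons` and `## Allow the specified domain to receive labeled UDP packets from all daemons`, plus a line noting that the grant is attribute-wide (every present and future daemon domain), since that breadth is the main thing a policy reviewer will want to see. If `corenet_*_recvfrom_labeled` is symmetric as in the reference policy, the description should also mention that the daemons gain the reverse peer access to `$1`. Minor style point: the UDP interface lacks the blank line after `gen_require` that the TCP one has.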
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0e457dd..51b714c 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init, 1.11.1)
+policy_module(init, 1.11.2)
gen_require(`
class passwd rootok;
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index d52771f..96d11e2 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -549,6 +549,13 @@ template(`userdom_basic_networking_template',`
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
+ corenet_all_recvfrom_labeled($1_t, $1_t)
+
+ optional_policy(`
+ init_tcp_recvfrom_all_daemons($1_t)
+ init_udp_recvfrom_all_daemons($1_t)
+ ')
+
optional_policy(`
ipsec_match_default_spd($1_t)
')
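Review bot: The new `corenet_all_recvfrom_labeled` and `init_*_recvfrom_all_daemons` grants are unconditional and attribute-wide for every basic-networking user domain, with nothing in the hunk explaining why labeled-peer access to all daemons is required rather than to the specific services a user talks to; a short comment would prevent a later tightening from breaking this silently, e.g. `# Labeled networking: user domains must accept labeled packets from any daemon peer and from themselves`. The `init_*` interfaces are introduced in this same commit (init.if), so the `optional_policy` wrapper is consistent with reference-policy convention even though init is always present. The enclosing `userdom_basic_networking_template` starts and ends outside this hunk.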
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 1359791..8c29e89 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain, 3.1.0)
+policy_module(userdomain, 3.1.1)
########################################
#