diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 8ee82de..926a9e3 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add packet object class and support in corenetwork.
- Add a copy of genhomedircon for monolithic policy building, so that a
policycoreutils package update is not required for RHEL4 systems.
- Add appletalk sockets for use in cups.
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 951ff40..ae36111 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -328,7 +328,7 @@ $(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/ke
@echo "# $(notdir $@).in or $(notdir $@).m4 file should be modified." >> $@
@echo "#" >> $@
$(verbose) cat $(MODDIR)/kernel/corenetwork.if.in >> $@
- $(verbose) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
+ $(verbose) egrep "^[[:blank:]]*network_(interface|node|port|packet)\(.*\)" $(@:.if=.te).in \
| m4 -D self_contained_policy $(M4PARAM) $(MODDIR)/kernel/corenetwork.if.m4 - \
| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
index 86b525e..4b47d23 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -1331,6 +1331,75 @@ interface(`corenet_sendrecv_unlabeled_packets',`
########################################
##
+## Send all packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_send_all_packets',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ allow $1 packet_type:packet send;
+')
+
+########################################
+##
+## Receive all packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_receive_all_packets',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ allow $1 packet_type:packet recv;
+')
+
+########################################
+##
+## Send and receive all packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_sendrecv_all_packets',`
+ corenet_send_all_packets($1)
+ corenet_recveive_all_packets($1)
+')
+
+########################################
+##
+## Relabel packets to any packet type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_relabelto_all_packets',`
+ gen_require(`
+ attribute packet_type;
+ ')
+
+ allow $1 packet_type:packet relabelto;
+')
+
+########################################
+##
## Unconfined access to network objects.
##
##
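Review bot: `corenet_sendrecv_all_packets` calls `corenet_recveive_all_packets($1)`, a misspelling of the `corenet_receive_all_packets` interface defined just above it in this hunk. No interface with the misspelled name is defined anywhere in the visible diff, so a caller would presumably get either a policy build error or only the send permission, not the send-and-receive access the summary promises. The line should read `corenet_receive_all_packets($1)`. Separately, the `*_all_packets` interfaces grant access on every `packet_type`, so a one-line comment pointing callers to the per-packet interfaces where they suffice would help keep grants narrow.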
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4
index 0e6608a..a5612bd 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.if.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4
@@ -18,7 +18,7 @@ define(`create_netif_interfaces',``
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -37,7 +37,7 @@ interface(`corenet_tcp_sendrecv_$1_if',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -56,7 +56,7 @@ interface(`corenet_udp_send_$1_if',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -75,7 +75,7 @@ interface(`corenet_udp_receive_$1_if',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -91,7 +91,7 @@ interface(`corenet_udp_sendrecv_$1_if',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -110,7 +110,7 @@ interface(`corenet_raw_send_$1_if',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -129,7 +129,7 @@ interface(`corenet_raw_receive_$1_if',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -153,7 +153,7 @@ define(`create_node_interfaces',``
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -172,7 +172,7 @@ interface(`corenet_tcp_sendrecv_$1_node',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -191,7 +191,7 @@ interface(`corenet_udp_send_$1_node',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -210,7 +210,7 @@ interface(`corenet_udp_receive_$1_node',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -226,7 +226,7 @@ interface(`corenet_udp_sendrecv_$1_node',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -245,7 +245,7 @@ interface(`corenet_raw_send_$1_node',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -264,7 +264,7 @@ interface(`corenet_raw_receive_$1_node',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -280,7 +280,7 @@ interface(`corenet_raw_sendrecv_$1_node',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -299,7 +299,7 @@ interface(`corenet_tcp_bind_$1_node',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -326,7 +326,7 @@ define(`create_port_interfaces',``
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -345,7 +345,7 @@ interface(`corenet_tcp_sendrecv_$1_port',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -364,7 +364,7 @@ interface(`corenet_udp_send_$1_port',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -383,7 +383,7 @@ interface(`corenet_udp_receive_$1_port',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -399,7 +399,7 @@ interface(`corenet_udp_sendrecv_$1_port',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -419,7 +419,7 @@ interface(`corenet_tcp_bind_$1_port',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
##
@@ -439,7 +439,7 @@ interface(`corenet_udp_bind_$1_port',`
##
##
##
-## The type of the process performing this action.
+## Domain allowed access.
##
##
#
@@ -452,6 +452,80 @@ interface(`corenet_tcp_connect_$1_port',`
')
'') dnl end create_port_interfaces
+define(`create_packet_interfaces',``
+########################################
+##
+## Send $1 packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corenet_send_$1_packets',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow dollarsone $1_packet_t:packet send;
+')
+
+########################################
+##
+## Receive $1 packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corenet_receive_$1_packets',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow dollarsone $1_packet_t:packet recv;
+')
+
+########################################
+##
+## Send and receive $1 packets.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`corenet_sendrecv_$1_packets',`
+ corenet_send_$1_packets(dollarsone)
+ corenet_receive_$1_packets(dollarsone)
+')
+
+########################################
+##
+## Relabel packets to $1 the packet type.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`corenet_relabelto_$1_packets',`
+ gen_require(`
+ type $1_t;
+ ')
+
+ allow dollarsone $1_packet_t:packet relabelto;
+')
+'') dnl end create_port_interfaces
+
#
# create_netif_*_interfaces(linux_interfacename)
#
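Review bot: In `create_packet_interfaces`, each `gen_require` block declares `type $1_t;` while the `allow` rule that follows uses `$1_packet_t`, so the required type and the type used do not match; this applies to the send, receive and relabelto interfaces alike. With `network_packet(dns)` passing `dns_client` as `$1`, the generated interface would require `dns_client_t` but grant access on `dns_client_packet_t`, which likely breaks modular builds or leaves the real type unrequired. Each require should be `type $1_packet_t;`. The closing line `'') dnl end create_port_interfaces` is copied from the previous macro and should name `create_packet_interfaces`, and the summary "Relabel packets to $1 the packet type." should read "Relabel packets to the $1 packet type."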
@@ -507,3 +581,11 @@ define(`create_port_attrib_interfaces',`create_port_interfaces($1,port,attribute
define(`network_port',`
create_port_type_interfaces($*)
')
+
+#
+# network_packet(packet_name)
+#
+define(`network_packet',`
+create_packet_interfaces($1_client)
+create_packet_interfaces($1_server)
+')
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
index d426539..be2e87e 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.in
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -166,7 +166,7 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
########################################
#
-# Network Interfaces:
+# Network Interfaces
#
#
@@ -181,6 +181,15 @@ network_interface(lo, lo,s0 - s15:c0.c255)
########################################
#
+# Network Packets
+#
+
+network_packet(dns)
+network_packet(ldap)
+network_packet(portmap)
+
+########################################
+#
# Unconfined access to this module
#
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.m4 b/refpolicy/policy/modules/kernel/corenetwork.te.m4
index 6665896..65bb847 100644
--- a/refpolicy/policy/modules/kernel/corenetwork.te.m4
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.m4
@@ -62,3 +62,11 @@ define(`network_port',`
type $1_port_t, port_type;
declare_ports($1_port_t,shift($*))
')
+
+#
+# network_packet(packet_name)
+#
+define(`network_packet',`
+type $1_client_packet_t, packet_type;
+type $1_server_packet_t, packet_type;
+')
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index a4c4fef..be11fc0 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -495,6 +495,7 @@ interface(`sysnet_dns_name_resolve',`
corenet_tcp_sendrecv_dns_port($1)
corenet_udp_sendrecv_dns_port($1)
corenet_tcp_connect_dns_port($1)
+ corenet_sendrecv_dns_client_packets($1)
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
@@ -522,6 +523,7 @@ interface(`sysnet_use_ldap',`
corenet_tcp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_ldap_port($1)
corenet_tcp_connect_ldap_port($1)
+ corenet_sendrecv_ldap_client_packets($1)
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;
@@ -553,6 +555,7 @@ interface(`sysnet_use_portmap',`
corenet_tcp_sendrecv_portmap_port($1)
corenet_udp_sendrecv_portmap_port($1)
corenet_tcp_connect_portmap_port($1)
+ corenet_sendrecv_portmap_client_packets($1)
files_search_etc($1)
allow $1 net_conf_t:file r_file_perms;