diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 6451753..b4cb681 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -129,6 +129,8 @@ DISABLEMOD := $(foreach mod,$(shell egrep -v '^[[:blank:]]*\#' $(MOD_DISABLE)),$
DETECTED_DIRS := $(shell find $(wildcard policy/modules/*) -maxdepth 0 -type d)
ALL_LAYERS := $(filter-out CVS,$(DETECTED_DIRS))
DETECTED_MODS := $(foreach dir,$(ALL_LAYERS),$(wildcard ./$(dir)/*.te))
+GENERATED_MOD := $(basename $(foreach dir,$(ALL_LAYERS),$(wildcard ./$(dir)/*.te.in)))
+DETECTED_MODS += $(GENERATED_MOD)
ALL_MODULES := $(filter-out $(DISABLEMOD),$(DETECTED_MODS))
PRE_TE_FILES := $(addprefix $(FLASKDIR)/,security_classes initial_sids access_vectors) $(M4SUPPORT) $(POLDIR)/mls
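Review bot: After the first build has produced `policy/modules/kernel/corenetwork.te`, the `$(wildcard ./$(dir)/*.te)` on the DETECTED_MODS line will pick that generated file up as well, so the `+= $(GENERATED_MOD)` line then lists the same module twice in DETECTED_MODS and therefore in ALL_MODULES (and in whatever ALL_TE_FILES is derived from it, which is outside this hunk). A duplicated `.te` would duplicate every type, netifcon, nodecon and portcon declaration in the generated policy, which the policy compiler is unlikely to accept. Adding only what is not already present keeps the layer ordering intact: `DETECTED_MODS += $(filter-out $(DETECTED_MODS),$(GENERATED_MOD))`. The generated `.te` and `.if` presumably also need a `clean` entry and an ignore rule so a stale copy is never mistaken for source; neither is visible here.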
@@ -226,9 +228,6 @@ tmp/generated_definitions.conf: $(ALL_LAYERS) $(ALL_TE_FILES) $(BASE_MODULE)/cor
$(QUIET) for i in $(notdir $(ALL_MODULES)); do \
echo "define(\`$$i')" >> $@ ;\
done
- $(QUIET) egrep "^network_(interface|node|port)\(.*\)" $(BASE_MODULE)/corenetwork.te \
- | m4 $(M4PARAM) -D monolithic_policy -D interface_pass $(M4SUPPORT) $(BASE_MODULE)/corenetwork.if - \
- | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
$(QUIET) $(SETTUN) $(TUNABLES) >> $@
tmp/all_interfaces.conf: $(ALL_INTERFACES)
@@ -257,6 +256,17 @@ tmp/all_attrs_types.conf tmp/only_te_rules.conf tmp/all_post.conf: tmp/all_te_fi
-e '/^sid /d' -e '/^fs_use_(xattr|task|trans)/d' \
< tmp/all_te_files.conf > tmp/only_te_rules.conf
+$(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/kernel/corenetwork.if.in
+ $(QUIET) cat $(MODDIR)/kernel/corenetwork.if.in > $@
+ $(QUIET) egrep "^[[:blank:]]*network_(interface|node|port)\(.*\)" $(@:.if=.te).in \
+ | m4 $(M4PARAM) -D monolithic_policy $(M4SUPPORT) $(MODDIR)/kernel/corenetwork.if.m4 - \
+ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+ $(QUIET) echo "## " >> $@
+
+$(MODDIR)/kernel/corenetwork.te: $(MODDIR)/kernel/corenetwork.te.m4 $(MODDIR)/kernel/corenetwork.te.in
+ $(QUIET) m4 $(M4PARAM) -D monolithic_policy $(M4SUPPORT) $^ \
+ | sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' >> $@
+
########################################
#
# Remove the dontaudit rules from the policy.conf
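Review bot: The recipe for `$(MODDIR)/kernel/corenetwork.te` writes with `>> $@`, so the file is never truncated and every rebuild appends a second full copy of the generated type, netifcon, nodecon and portcon declarations; the first build works and the next one produces duplicate declarations. The last line of that rule should be `| sed -e 's/dollarsone/\$$1/g' -e 's/dollarszero/\$$0/g' > $@`. The `.if` rule has the mirror problem: its recipe greps `$(@:.if=.te).in`, i.e. `corenetwork.te.in`, but that file is not a prerequisite, so adding or changing a `network_port`/`network_node`/`network_interface` declaration will not regenerate the interfaces and callers keep a stale `corenetwork.if`; the header should read `$(MODDIR)/kernel/corenetwork.if: $(MODDIR)/kernel/corenetwork.if.m4 $(MODDIR)/kernel/corenetwork.if.in $(MODDIR)/kernel/corenetwork.te.in`. In both rules only `sed`'s exit status is seen, so a failing `egrep` or `m4` leaves a truncated but up-to-date target; writing to `$@.tmp` and `mv`-ing on success, or declaring `.DELETE_ON_ERROR:` (not visible in this Makefile), would avoid that.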
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if b/refpolicy/policy/modules/kernel/corenetwork.if
deleted file mode 100644
index 885d0a3..0000000
--- a/refpolicy/policy/modules/kernel/corenetwork.if
+++ /dev/null
@@ -1,1438 +0,0 @@
-##
-## Policy controlling access to network objects
-
-ifdef(`interface_pass',`',`
-########################################
-##
-##
-## Send and receive TCP network traffic on the general interfaces.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_tcp_sendrecv_generic_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_t:netif { tcp_send tcp_recv };
-')
-
-define(`corenet_tcp_sendrecv_generic_if_depend',`
- type netif_t;
-
- class netif { tcp_send tcp_recv };
-')
-
-#######################################
-#
-# corenet_udp_send_generic_if(domain)
-#
-define(`corenet_udp_send_generic_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_t:netif udp_send;
-')
-
-define(`corenet_udp_send_generic_if_depend',`
- type netif_t;
-
- class netif udp_send;
-')
-
-#######################################
-#
-# corenet_udp_receive_generic_if(domain)
-#
-define(`corenet_udp_receive_generic_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_t:netif udp_recv;
-')
-
-define(`corenet_udp_receive_generic_if_depend',`
- type netif_t;
-
- class netif udp_recv;
-')
-
-#######################################
-#
-# corenet_udp_sendrecv_generic_if(domain)
-#
-define(`corenet_udp_sendrecv_generic_if',`
- corenet_udp_send_generic_if($1)
- corenet_udp_receive_generic_if($1)
-')
-
-#######################################
-#
-# corenet_raw_send_generic_if(domain)
-#
-define(`corenet_raw_send_generic_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_t:netif rawip_send;
- allow $1 self:capability net_raw;
-')
-
-define(`corenet_raw_send_generic_if_depend',`
- type netif_t;
-
- class netif rawip_send;
- class capability net_raw;
-')
-
-#######################################
-#
-# corenet_raw_receive_generic_if(domain)
-#
-define(`corenet_raw_receive_generic_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_t:netif rawip_recv;
-')
-
-define(`corenet_raw_receive_generic_if_depend',`
- type netif_t;
-
- class netif rawip_recv;
-')
-
-#######################################
-#
-# corenet_raw_sendrecv_generic_if(domain)
-#
-define(`corenet_raw_sendrecv_generic_if',`
- corenet_raw_send_generic_if($1)
- corenet_raw_receive_generic_if($1)
-')
-
-#######################################
-#
-# corenet_tcp_sendrecv_all_if(domain)
-#
-define(`corenet_tcp_sendrecv_all_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_type:netif { tcp_send tcp_recv };
-')
-
-define(`corenet_tcp_sendrecv_all_if_depend',`
- attribute netif_type;
-
- class netif { tcp_send tcp_recv };
-')
-
-#######################################
-#
-# corenet_udp_send_all_if(domain)
-#
-define(`corenet_udp_send_all_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_type:netif udp_send;
-')
-
-define(`corenet_udp_send_all_if_depend',`
- attribute netif_type;
-
- class netif udp_send;
-')
-
-#######################################
-#
-# corenet_udp_receive_all_if(domain)
-#
-define(`corenet_udp_receive_all_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_type:netif udp_recv;
-')
-
-define(`corenet_udp_receive_all_if_depend',`
- attribute netif_type;
-
- class netif udp_recv;
-')
-
-#######################################
-#
-# corenet_udp_sendrecv_all_if(domain)
-#
-define(`corenet_udp_sendrecv_all_if',`
- corenet_udp_send_all_if($1)
- corenet_udp_receive_all_if($1)
-')
-
-#######################################
-#
-# corenet_raw_send_all_if(domain)
-#
-define(`corenet_raw_send_all_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_type:netif rawip_send;
- allow $1 self:capability net_raw;
-')
-
-define(`corenet_raw_send_all_if_depend',`
- attribute netif_type;
-
- class netif rawip_send;
- class capability net_raw;
-')
-
-#######################################
-#
-# corenet_raw_receive_all_if(domain)
-#
-define(`corenet_raw_receive_all_if',`
- requires_block_template(`$0'_depend)
-
- allow $1 netif_type:netif rawip_recv;
-')
-
-define(`corenet_raw_receive_all_if_depend',`
- attribute netif_type;
-
- class netif rawip_recv;
-')
-
-#######################################
-#
-# corenet_raw_sendrecv_all_if(domain)
-#
-define(`corenet_raw_sendrecv_all_if',`
- corenet_raw_send_all_if($1)
- corenet_raw_receive_all_if($1)
-')
-
-#######################################
-#
-# corenet_tcp_sendrecv_generic_node(domain)
-#
-define(`corenet_tcp_sendrecv_generic_node',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_t:node { tcp_send tcp_recv };
-')
-
-define(`corenet_tcp_sendrecv_generic_node_depend',`
- type node_t;
-
- class node { tcp_send tcp_recv };
-')
-
-#######################################
-#
-# corenet_udp_send_generic_node(domain)
-#
-define(`corenet_udp_send_generic_node',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_t:node udp_send;
-')
-
-define(`corenet_udp_send_generic_node_depend',`
- type node_t;
-
- class node udp_send;
-')
-
-#######################################
-#
-# corenet_udp_receive_generic_node(domain)
-#
-define(`corenet_udp_receive_generic_node',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_t:node udp_recv;
-')
-
-define(`corenet_udp_receive_generic_node_depend',`
- type node_t;
-
- class node udp_recv;
-')
-
-#######################################
-#
-# corenet_udp_sendrecv_generic_node(domain)
-#
-define(`corenet_udp_sendrecv_generic_node',`
- corenet_udp_send_generic_node($1)
- corenet_udp_receive_generic_node($1)
-')
-
-#######################################
-#
-# corenet_raw_send_generic_node(domain)
-#
-define(`corenet_raw_send_generic_node',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_t:node rawip_send;
- allow $1 self:capability net_raw;
-')
-
-define(`corenet_raw_send_generic_node_depend',`
- type node_t;
-
- class node rawip_send;
- class capability net_raw;
-')
-
-#######################################
-#
-# corenet_raw_receive_generic_node(domain)
-#
-define(`corenet_raw_receive_generic_node',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_t:node rawip_recv;
-')
-
-define(`corenet_raw_receive_generic_node_depend',`
- type node_t;
-
- class node rawip_recv;
-')
-
-#######################################
-#
-# corenet_raw_sendrecv_generic_node(domain)
-#
-define(`corenet_raw_sendrecv_generic_node',`
- corenet_raw_send_generic_node($1)
- corenet_raw_receive_generic_node($1)
-')
-
-#######################################
-#
-# corenet_tcp_bind_generic_node(domain)
-#
-define(`corenet_tcp_bind_generic_node',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_t:tcp_socket node_bind;
-')
-
-define(`corenet_tcp_bind_generic_node_depend',`
- type node_t;
-
- class tcp_socket node_bind;
-')
-
-#######################################
-#
-# corenet_udp_bind_generic_node(domain)
-#
-define(`corenet_udp_bind_generic_node',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_t:udp_socket node_bind;
-')
-
-define(`corenet_udp_bind_generic_node_depend',`
- type node_t;
-
- class udp_socket node_bind;
-')
-
-#######################################
-#
-# corenet_tcp_sendrecv_all_nodes(domain)
-#
-define(`corenet_tcp_sendrecv_all_nodes',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_type:node { tcp_send tcp_recv };
-')
-
-define(`corenet_tcp_sendrecv_all_nodes_depend',`
- attribute node_type;
-
- class node { tcp_send tcp_recv };
-')
-
-#######################################
-#
-# corenet_udp_send_all_nodes(domain)
-#
-define(`corenet_udp_send_all_nodes',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_type:node udp_send;
-')
-
-define(`corenet_udp_send_all_nodes_depend',`
- attribute node_type;
-
- class node udp_send;
-')
-
-#######################################
-#
-# corenet_udp_receive_all_nodes(domain)
-#
-define(`corenet_udp_receive_all_nodes',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_type:node udp_recv;
-')
-
-define(`corenet_udp_receive_all_nodes_depend',`
- attribute node_type;
-
- class node udp_recv;
-')
-
-#######################################
-#
-# corenet_udp_sendrecv_all_nodes(domain)
-#
-define(`corenet_udp_sendrecv_all_nodes',`
- corenet_udp_send_all_nodes($1)
- corenet_udp_receive_all_nodes($1)
-')
-
-#######################################
-#
-# corenet_raw_send_all_nodes(domain)
-#
-define(`corenet_raw_send_all_nodes',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_type:node rawip_send;
- allow $1 self:capability net_raw;
-')
-
-define(`corenet_raw_send_all_nodes_depend',`
- attribute node_type;
-
- class node rawip_send;
- class capability net_raw;
-')
-
-#######################################
-#
-# corenet_raw_receive_all_nodes(domain)
-#
-define(`corenet_raw_receive_all_nodes',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_type:node rawip_recv;
-')
-
-define(`corenet_raw_receive_all_nodes_depend',`
- attribute node_type;
-
- class node rawip_recv;
-')
-
-#######################################
-#
-# corenet_raw_sendrecv_all_nodes(domain)
-#
-define(`corenet_raw_sendrecv_all_nodes',`
- corenet_raw_send_all_nodes($1)
- corenet_raw_receive_all_nodes($1)
-')
-
-#######################################
-#
-# corenet_tcp_bind_all_nodes(domain)
-#
-define(`corenet_tcp_bind_all_nodes',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_type:tcp_socket node_bind;
-')
-
-define(`corenet_tcp_bind_all_nodes_depend',`
- attribute node_type;
-
- class tcp_socket node_bind;
-')
-
-#######################################
-#
-# corenet_udp_bind_all_nodes(domain)
-#
-define(`corenet_udp_bind_all_nodes',`
- requires_block_template(`$0'_depend)
-
- allow $1 node_type:udp_socket node_bind;
-')
-
-define(`corenet_udp_bind_all_nodes_depend',`
- attribute node_type;
-
- class udp_socket node_bind;
-')
-
-#######################################
-#
-# corenet_tcp_sendrecv_generic_port(domain)
-#
-define(`corenet_tcp_sendrecv_generic_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_t:tcp_socket { send_msg recv_msg };
-')
-
-define(`corenet_tcp_sendrecv_generic_port_depend',`
- type port_t;
-
- class tcp_socket { send_msg recv_msg };
-')
-
-#######################################
-#
-# corenet_udp_send_generic_port(domain)
-#
-define(`corenet_udp_send_generic_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_t:udp_socket send_msg;
-')
-
-define(`corenet_udp_send_generic_port_depend',`
- type port_t;
-
- class udp_socket send_msg;
-')
-
-#######################################
-#
-# corenet_udp_receive_generic_port(domain)
-#
-define(`corenet_udp_receive_generic_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_t:udp_socket recv_msg;
-')
-
-define(`corenet_udp_receive_generic_port_depend',`
- type port_t;
-
- class udp_socket recv_msg;
-')
-
-#######################################
-#
-# corenet_udp_sendrecv_generic_port(domain)
-#
-define(`corenet_udp_sendrecv_generic_port',`
- corenet_udp_send_generic_port($1)
- corenet_udp_receive_generic_port($1)
-')
-
-#######################################
-#
-# corenet_tcp_bind_generic_port(domain)
-#
-define(`corenet_tcp_bind_generic_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_t:tcp_socket name_bind;
-')
-
-define(`corenet_tcp_bind_generic_port_depend',`
- type port_t;
-
- class tcp_socket name_bind;
-')
-
-#######################################
-#
-# corenet_udp_bind_generic_port(domain)
-#
-define(`corenet_udp_bind_generic_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_t:udp_socket name_bind;
-')
-
-define(`corenet_udp_bind_generic_port_depend',`
- type port_t;
-
- class udp_socket name_bind;
-')
-
-#######################################
-#
-# corenet_tcp_sendrecv_all_ports(domain)
-#
-define(`corenet_tcp_sendrecv_all_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_type:tcp_socket { send_msg recv_msg };
-')
-
-define(`corenet_tcp_sendrecv_all_ports_depend',`
- attribute port_type;
-
- class tcp_socket { send_msg recv_msg };
-')
-
-#######################################
-#
-# corenet_udp_send_all_ports(domain)
-#
-define(`corenet_udp_send_all_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_type:udp_socket send_msg;
-')
-
-define(`corenet_udp_send_all_ports_depend',`
- attribute port_type;
-
- class udp_socket send_msg;
-')
-
-#######################################
-#
-# corenet_udp_receive_all_ports(domain)
-#
-define(`corenet_udp_receive_all_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_type:udp_socket recv_msg;
-')
-
-define(`corenet_udp_receive_all_ports_depend',`
- attribute port_type;
-
- class udp_socket recv_msg;
-')
-
-#######################################
-#
-# corenet_udp_sendrecv_all_ports(domain)
-#
-define(`corenet_udp_sendrecv_all_ports',`
- corenet_udp_send_all_ports($1)
- corenet_udp_receive_all_ports($1)
-')
-
-#######################################
-#
-# corenet_tcp_bind_all_ports(domain)
-#
-define(`corenet_tcp_bind_all_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_type:tcp_socket name_bind;
-')
-
-define(`corenet_tcp_bind_all_ports_depend',`
- attribute port_type;
-
- class tcp_socket name_bind;
-')
-
-#######################################
-#
-# corenet_udp_bind_all_ports(domain)
-#
-define(`corenet_udp_bind_all_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 port_type:udp_socket name_bind;
-')
-
-define(`corenet_udp_bind_all_ports_depend',`
- attribute port_type;
-
- class udp_socket name_bind;
-')
-
-#######################################
-#
-# corenet_tcp_sendrecv_reserved_port(domain)
-#
-define(`corenet_tcp_sendrecv_reserved_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
-')
-
-define(`corenet_tcp_sendrecv_reserved_port_depend',`
- type reserved_port_t;
-
- class tcp_socket { send_msg recv_msg };
-')
-
-#######################################
-#
-# corenet_udp_send_reserved_port(domain)
-#
-define(`corenet_udp_send_reserved_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_t:udp_socket send_msg;
-')
-
-define(`corenet_udp_send_reserved_port_depend',`
- type reserved_port_t;
-
- class udp_socket send_msg;
-')
-
-#######################################
-#
-# corenet_udp_receive_reserved_port(domain)
-#
-define(`corenet_udp_receive_reserved_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_t:udp_socket recv_msg;
-')
-
-define(`corenet_udp_receive_reserved_port_depend',`
- type reserved_port_t;
-
- class udp_socket recv_msg;
-')
-
-#######################################
-#
-# corenet_udp_sendrecv_reserved_port(domain)
-#
-define(`corenet_udp_sendrecv_reserved_port',`
- corenet_udp_send_reserved_port($1)
- corenet_udp_receive_reserved_port($1)
-')
-
-#######################################
-#
-# corenet_tcp_bind_reserved_port(domain)
-#
-define(`corenet_tcp_bind_reserved_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_t:tcp_socket name_bind;
- allow $1 self:capability net_bind_service;
-')
-
-define(`corenet_tcp_bind_reserved_port_depend',`
- type reserved_port_t;
-
- class tcp_socket name_bind;
- class capability net_bind_service;
-')
-
-#######################################
-#
-# corenet_udp_bind_reserved_port(domain)
-#
-define(`corenet_udp_bind_reserved_port',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_t:udp_socket name_bind;
- allow $1 self:capability net_bind_service;
-')
-
-define(`corenet_udp_bind_reserved_port_depend',`
- type reserved_port_t;
-
- class udp_socket name_bind;
- class capability net_bind_service;
-')
-
-#######################################
-#
-# corenet_tcp_sendrecv_all_reserved_ports(domain)
-#
-define(`corenet_tcp_sendrecv_all_reserved_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
-')
-
-define(`corenet_tcp_sendrecv_all_reserved_ports_depend',`
- attribute reserved_port_type;
-
- class tcp_socket { send_msg recv_msg };
-')
-
-#######################################
-#
-# corenet_udp_send_all_reserved_ports(domain)
-#
-define(`corenet_udp_send_all_reserved_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_type:udp_socket send_msg;
-')
-
-define(`corenet_udp_send_all_reserved_ports_depend',`
- attribute reserved_port_type;
-
- class udp_socket send_msg;
-')
-
-#######################################
-#
-# corenet_udp_receive_all_reserved_ports(domain)
-#
-define(`corenet_udp_receive_all_reserved_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_type:udp_socket recv_msg;
-')
-
-define(`corenet_udp_receive_all_reserved_ports_depend',`
- attribute reserved_port_type;
-
- class udp_socket recv_msg;
-')
-
-#######################################
-#
-# corenet_udp_sendrecv_all_reserved_ports(domain)
-#
-define(`corenet_udp_sendrecv_all_reserved_ports',`
- corenet_udp_send_all_reserved_ports($1)
- corenet_udp_receive_all_reserved_ports($1)
-')
-
-#######################################
-#
-# corenet_tcp_bind_all_reserved_ports(domain)
-#
-define(`corenet_tcp_bind_all_reserved_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_type:tcp_socket name_bind;
- allow $1 self:capability net_bind_service;
-')
-
-define(`corenet_tcp_bind_all_reserved_ports_depend',`
- attribute reserved_port_type;
-
- class tcp_socket name_bind;
- class capability net_bind_service;
-')
-
-#######################################
-#
-# corenet_dontaudit_tcp_bind_all_reserved_ports(domain)
-#
-define(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
- requires_block_template(`$0'_depend)
-
- dontaudit $1 reserved_port_type:tcp_socket name_bind;
-')
-
-define(`corenet_dontaudit_tcp_bind_all_reserved_ports_depend',`
- attribute reserved_port_type;
-
- class tcp_socket name_bind;
-')
-
-#######################################
-#
-# corenet_udp_bind_all_reserved_ports(domain)
-#
-define(`corenet_udp_bind_all_reserved_ports',`
- requires_block_template(`$0'_depend)
-
- allow $1 reserved_port_type:udp_socket name_bind;
- allow $1 self:capability net_bind_service;
-')
-
-define(`corenet_udp_bind_all_reserved_ports_depend',`
- attribute reserved_port_type;
-
- class udp_socket name_bind;
- class self:capability net_bind_service;
-')
-
-#######################################
-#
-# corenet_dontaudit_udp_bind_all_reserved_ports(domain)
-#
-define(`corenet_dontaudit_udp_bind_all_reserved_ports',`
- requires_block_template(`$0'_depend)
-
- dontaudit $1 reserved_port_type:udp_socket name_bind;
-')
-
-define(`corenet_dontaudit_udp_bind_all_reserved_ports_depend',`
- attribute reserved_port_type;
-
- class udp_socket name_bind;
-')
-
-') dnl end if not interface_pass
-########################################
-#
-# This section is processed through m4 to create real interfaces
-#
-########################################
-
-########################################
-#
-# Network Interface generated macros
-#
-########################################
-
-define(`create_netif_interfaces',``
-########################################
-##
-##
-## Send and receive TCP network traffic on the $1 interface.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_tcp_sendrecv_$1',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_netif_t:netif { tcp_send tcp_recv };
-')
-
-define(`corenet_tcp_sendrecv_$1_depend',`
- type $1_netif_t;
-
- class netif { tcp_send tcp_recv };
-')
-
-########################################
-##
-##
-## Send UDP network traffic on the $1 interface.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_send_$1',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_netif_t:netif udp_send;
-')
-
-define(`corenet_udp_send_$1_depend',`
- type $1_netif_t;
-
- class netif udp_send;
-')
-
-########################################
-##
-##
-## Receive UDP network traffic on the $1 interface.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_receive_$1',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_netif_t:netif udp_recv;
-')
-
-define(`corenet_udp_receive_$1_depend',`
- type $1_netif_t;
-
- class netif udp_recv;
-')
-
-########################################
-##
-##
-## Send and receive UDP network traffic on the $1 interface.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_sendrecv_$1',`
- corenet_udp_send_$1(dollarsone)
- corenet_udp_receive_$1(dollarsone)
-')
-
-########################################
-##
-##
-## Send raw IP packets on the $1 interface.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_raw_send_$1',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_netif_t:netif rawip_send;
- allow dollarsone self:capability net_raw;
-')
-
-define(`corenet_raw_send_$1_depend',`
- type $1_netif_t;
-
- class netif rawip_send;
- class capability net_raw;
-')
-
-########################################
-##
-##
-## Receive raw IP packets on the $1 interface.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_raw_receive_$1',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_netif_t:netif rawip_recv;
-')
-
-define(`corenet_raw_receive_$1_depend',`
- type $1_netif_t;
-
- class netif rawip_recv;
-')
-
-########################################
-##
-##
-## Send and receive raw IP packets on the $1 interface.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_raw_sendrecv_$1',`
- corenet_raw_send_$1(dollarsone)
- corenet_raw_receive_$1(dollarsone)
-')
-'') dnl end create_netif_interfaces
-
-########################################
-#
-# Network node generated macros
-#
-########################################
-
-define(`create_node_interfaces',``
-########################################
-##
-##
-## Send and receive TCP traffic on the $1 node.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_tcp_sendrecv_$1_node',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_node_t:node { tcp_send tcp_recv };
-')
-
-define(`corenet_tcp_sendrecv_$1_node_depend',`
- type $1_node_t;
-
- class node { tcp_send tcp_recv };
-')
-
-########################################
-##
-##
-## Send UDP traffic on the $1 node.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_send_$1_node',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_node_t:node udp_send;
-')
-
-define(`corenet_udp_send_$1_node_depend',`
- type $1_node_t;
-
- class node udp_send;
-')
-
-########################################
-##
-##
-## Receive UDP traffic on the $1 node.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_receive_$1_node',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_node_t:node udp_recv;
-')
-
-define(`corenet_udp_receive_$1_node_depend',`
- type $1_node_t;
-
- class node udp_recv;
-')
-
-########################################
-##
-##
-## Send and receive UDP traffic on the $1 node.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_sendrecv_$1_node',`
- corenet_udp_send_$1_node(dollarsone)
- corenet_udp_receive_$1_node(dollarsone)
-')
-
-########################################
-##
-##
-## Send raw IP packets on the $1 node.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_raw_send_$1_node',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_node_t:node rawip_send;
- allow dollarsone self:capability net_raw;
-')
-
-define(`corenet_raw_send_$1_node_depend',`
- type $1_node_t;
-
- class node rawip_send;
- class capability net_raw;
-')
-
-########################################
-##
-##
-## Receive raw IP packets on the $1 node.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_raw_receive_$1_node',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_node_t:node rawip_recv;
-')
-
-define(`corenet_raw_receive_$1_node_depend',`
- type $1_node_t;
-
- class node rawip_recv;
-')
-
-########################################
-##
-##
-## Send and receive raw IP packets on the $1 node.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_raw_sendrecv_$1_node',`
- corenet_raw_send_$1_node(dollarsone)
- corenet_raw_receive_$1_node(dollarsone)
-')
-
-########################################
-##
-##
-## Bind TCP sockets to node $1.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_tcp_bind_$1_node',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_node_t:tcp_socket node_bind;
-')
-
-define(`corenet_tcp_bind_$1_node_depend',`
- type $1_node_t;
-
- class tcp_socket node_bind;
-')
-
-########################################
-##
-##
-## Bind UDP sockets to the $1 node.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_bind_$1_node',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_node_t:udp_socket node_bind;
-')
-
-define(`corenet_udp_bind_$1_node_depend',`
- type $1_node_t;
-
- class udp_socket node_bind;
-')
-'') dnl end create_node_interfaces
-
-########################################
-#
-# Network port generated macros
-#
-########################################
-
-define(`create_port_interfaces',``
-########################################
-##
-##
-## Send and receive TCP traffic on the $1 port.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_tcp_sendrecv_$1_port',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg };
-')
-
-define(`corenet_tcp_sendrecv_$1_port_depend',`
- type $1_port_t;
-
- class tcp_socket { send_msg recv_msg };
-')
-
-########################################
-##
-##
-## Send UDP traffic on the $1 port.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_send_$1_port',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_port_t:udp_socket send_msg;
-')
-
-define(`corenet_udp_send_$1_port_depend',`
- type $1_port_t;
-
- class udp_socket send_msg;
-')
-
-########################################
-##
-##
-## Receive UDP traffic on the $1 port.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_receive_$1_port',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_port_t:udp_socket recv_msg;
-')
-
-define(`corenet_udp_receive_$1_port_depend',`
- type $1_port_t;
-
- class udp_socket recv_msg;
-')
-
-########################################
-##
-##
-## Send and receive UDP traffic on the $1 port.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_sendrecv_$1_port',`
- corenet_udp_send_$1_port(dollarsone)
- corenet_udp_receive_$1_port(dollarsone)
-')
-
-########################################
-##
-##
-## Bind TCP sockets to the $1 port.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_tcp_bind_$1_port',`
- requires_block_template(`dollarszero'_depend)
- allow dollarsone $1_port_t:tcp_socket name_bind;
- $2
-')
-
-define(`corenet_tcp_bind_$1_port_depend',`
- type $1_port_t;
-
- class tcp_socket name_bind;
- $3
-')
-
-########################################
-##
-##
-## Bind UDP sockets to the $1 port.
-##
-##
-## The type of the process performing this action.
-##
-##
-##
-#
-define(`corenet_udp_bind_$1_port',`
- requires_block_template(`dollarszero'_depend)
-
- allow dollarsone $1_port_t:udp_socket name_bind;
- $2
-')
-
-define(`corenet_udp_bind_$1_port_depend',`
- type $1_port_t;
-
- class udp_socket name_bind;
- $3
-')
-'') dnl end create_port_interfaces
-
-#
-# network_interface(linux_interfacename,mls_sensitivity)
-#
-define(`network_interface',`
-ifdef(`interface_pass',`
-create_netif_interfaces($1)
-',`
-type $1_netif_t alias netif_$1_t, netif_type;
-requires_block_template(`type unlabeled_t')
-netifcon $1 context_template(system_u:object_r:$1_netif_t,$2) context_template(system_u:object_r:unlabeled_t,$2)
-')
-')
-
-#
-# network_node(node_name,mls_sensitivity,address,netmask)
-#
-define(`network_node',`
-ifdef(`interface_pass',`
-create_node_interfaces($1)
-',`
-type $1_node_t alias node_$1_t, node_type;
-nodecon $3 $4 context_template(system_u:object_r:$1_node_t,$2)
-')
-')
-
-define(`determine_reserved_capability',`dnl
-ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
-ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse
-')dnl end outer ifelse
-') dnl end determine reserved capability
-
-define(`determine_reserved_capability_depend',`dnl
-ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl
-ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse
-')dnl end outer ifelse
-') dnl end determine reserved capability depend
-
-define(`declare_ports',`dnl
-ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
-portcon $2 $3 context_template(system_u:object_r:$1,$4)
-ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
-')
-
-#
-# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
-#
-define(`network_port',`
-ifdef(`interface_pass',`
-create_port_interfaces($1,determine_reserved_capability(shift($*)),determine_reserved_capability_depend(shift($*)))
-',`
-type $1_port_t, port_type;
-declare_ports($1_port_t,shift($*))
-')
-')
-
-ifdef(`interface_pass',`',`
-##
-')
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.in b/refpolicy/policy/modules/kernel/corenetwork.if.in
new file mode 100644
index 0000000..7b00bd3
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.in
@@ -0,0 +1,869 @@
+##
+## Policy controlling access to network objects
+
+########################################
+##
+##
+## Send and receive TCP network traffic on the general interfaces.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_tcp_sendrecv_generic_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_t:netif { tcp_send tcp_recv };
+')
+
+define(`corenet_tcp_sendrecv_generic_if_depend',`
+ type netif_t;
+
+ class netif { tcp_send tcp_recv };
+')
+
+#######################################
+#
+# corenet_udp_send_generic_if(domain)
+#
+define(`corenet_udp_send_generic_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_t:netif udp_send;
+')
+
+define(`corenet_udp_send_generic_if_depend',`
+ type netif_t;
+
+ class netif udp_send;
+')
+
+#######################################
+#
+# corenet_udp_receive_generic_if(domain)
+#
+define(`corenet_udp_receive_generic_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_t:netif udp_recv;
+')
+
+define(`corenet_udp_receive_generic_if_depend',`
+ type netif_t;
+
+ class netif udp_recv;
+')
+
+#######################################
+#
+# corenet_udp_sendrecv_generic_if(domain)
+#
+define(`corenet_udp_sendrecv_generic_if',`
+ corenet_udp_send_generic_if($1)
+ corenet_udp_receive_generic_if($1)
+')
+
+#######################################
+#
+# corenet_raw_send_generic_if(domain)
+#
+define(`corenet_raw_send_generic_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_t:netif rawip_send;
+ allow $1 self:capability net_raw;
+')
+
+define(`corenet_raw_send_generic_if_depend',`
+ type netif_t;
+
+ class netif rawip_send;
+ class capability net_raw;
+')
+
+#######################################
+#
+# corenet_raw_receive_generic_if(domain)
+#
+define(`corenet_raw_receive_generic_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_t:netif rawip_recv;
+')
+
+define(`corenet_raw_receive_generic_if_depend',`
+ type netif_t;
+
+ class netif rawip_recv;
+')
+
+#######################################
+#
+# corenet_raw_sendrecv_generic_if(domain)
+#
+define(`corenet_raw_sendrecv_generic_if',`
+ corenet_raw_send_generic_if($1)
+ corenet_raw_receive_generic_if($1)
+')
+
+#######################################
+#
+# corenet_tcp_sendrecv_all_if(domain)
+#
+define(`corenet_tcp_sendrecv_all_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_type:netif { tcp_send tcp_recv };
+')
+
+define(`corenet_tcp_sendrecv_all_if_depend',`
+ attribute netif_type;
+
+ class netif { tcp_send tcp_recv };
+')
+
+#######################################
+#
+# corenet_udp_send_all_if(domain)
+#
+define(`corenet_udp_send_all_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_type:netif udp_send;
+')
+
+define(`corenet_udp_send_all_if_depend',`
+ attribute netif_type;
+
+ class netif udp_send;
+')
+
+#######################################
+#
+# corenet_udp_receive_all_if(domain)
+#
+define(`corenet_udp_receive_all_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_type:netif udp_recv;
+')
+
+define(`corenet_udp_receive_all_if_depend',`
+ attribute netif_type;
+
+ class netif udp_recv;
+')
+
+#######################################
+#
+# corenet_udp_sendrecv_all_if(domain)
+#
+define(`corenet_udp_sendrecv_all_if',`
+ corenet_udp_send_all_if($1)
+ corenet_udp_receive_all_if($1)
+')
+
+#######################################
+#
+# corenet_raw_send_all_if(domain)
+#
+define(`corenet_raw_send_all_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_type:netif rawip_send;
+ allow $1 self:capability net_raw;
+')
+
+define(`corenet_raw_send_all_if_depend',`
+ attribute netif_type;
+
+ class netif rawip_send;
+ class capability net_raw;
+')
+
+#######################################
+#
+# corenet_raw_receive_all_if(domain)
+#
+define(`corenet_raw_receive_all_if',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 netif_type:netif rawip_recv;
+')
+
+define(`corenet_raw_receive_all_if_depend',`
+ attribute netif_type;
+
+ class netif rawip_recv;
+')
+
+#######################################
+#
+# corenet_raw_sendrecv_all_if(domain)
+#
+define(`corenet_raw_sendrecv_all_if',`
+ corenet_raw_send_all_if($1)
+ corenet_raw_receive_all_if($1)
+')
+
+#######################################
+#
+# corenet_tcp_sendrecv_generic_node(domain)
+#
+define(`corenet_tcp_sendrecv_generic_node',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_t:node { tcp_send tcp_recv };
+')
+
+define(`corenet_tcp_sendrecv_generic_node_depend',`
+ type node_t;
+
+ class node { tcp_send tcp_recv };
+')
+
+#######################################
+#
+# corenet_udp_send_generic_node(domain)
+#
+define(`corenet_udp_send_generic_node',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_t:node udp_send;
+')
+
+define(`corenet_udp_send_generic_node_depend',`
+ type node_t;
+
+ class node udp_send;
+')
+
+#######################################
+#
+# corenet_udp_receive_generic_node(domain)
+#
+define(`corenet_udp_receive_generic_node',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_t:node udp_recv;
+')
+
+define(`corenet_udp_receive_generic_node_depend',`
+ type node_t;
+
+ class node udp_recv;
+')
+
+#######################################
+#
+# corenet_udp_sendrecv_generic_node(domain)
+#
+define(`corenet_udp_sendrecv_generic_node',`
+ corenet_udp_send_generic_node($1)
+ corenet_udp_receive_generic_node($1)
+')
+
+#######################################
+#
+# corenet_raw_send_generic_node(domain)
+#
+define(`corenet_raw_send_generic_node',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_t:node rawip_send;
+ allow $1 self:capability net_raw;
+')
+
+define(`corenet_raw_send_generic_node_depend',`
+ type node_t;
+
+ class node rawip_send;
+ class capability net_raw;
+')
+
+#######################################
+#
+# corenet_raw_receive_generic_node(domain)
+#
+define(`corenet_raw_receive_generic_node',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_t:node rawip_recv;
+')
+
+define(`corenet_raw_receive_generic_node_depend',`
+ type node_t;
+
+ class node rawip_recv;
+')
+
+#######################################
+#
+# corenet_raw_sendrecv_generic_node(domain)
+#
+define(`corenet_raw_sendrecv_generic_node',`
+ corenet_raw_send_generic_node($1)
+ corenet_raw_receive_generic_node($1)
+')
+
+#######################################
+#
+# corenet_tcp_bind_generic_node(domain)
+#
+define(`corenet_tcp_bind_generic_node',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_t:tcp_socket node_bind;
+')
+
+define(`corenet_tcp_bind_generic_node_depend',`
+ type node_t;
+
+ class tcp_socket node_bind;
+')
+
+#######################################
+#
+# corenet_udp_bind_generic_node(domain)
+#
+define(`corenet_udp_bind_generic_node',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_t:udp_socket node_bind;
+')
+
+define(`corenet_udp_bind_generic_node_depend',`
+ type node_t;
+
+ class udp_socket node_bind;
+')
+
+#######################################
+#
+# corenet_tcp_sendrecv_all_nodes(domain)
+#
+define(`corenet_tcp_sendrecv_all_nodes',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_type:node { tcp_send tcp_recv };
+')
+
+define(`corenet_tcp_sendrecv_all_nodes_depend',`
+ attribute node_type;
+
+ class node { tcp_send tcp_recv };
+')
+
+#######################################
+#
+# corenet_udp_send_all_nodes(domain)
+#
+define(`corenet_udp_send_all_nodes',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_type:node udp_send;
+')
+
+define(`corenet_udp_send_all_nodes_depend',`
+ attribute node_type;
+
+ class node udp_send;
+')
+
+#######################################
+#
+# corenet_udp_receive_all_nodes(domain)
+#
+define(`corenet_udp_receive_all_nodes',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_type:node udp_recv;
+')
+
+define(`corenet_udp_receive_all_nodes_depend',`
+ attribute node_type;
+
+ class node udp_recv;
+')
+
+#######################################
+#
+# corenet_udp_sendrecv_all_nodes(domain)
+#
+define(`corenet_udp_sendrecv_all_nodes',`
+ corenet_udp_send_all_nodes($1)
+ corenet_udp_receive_all_nodes($1)
+')
+
+#######################################
+#
+# corenet_raw_send_all_nodes(domain)
+#
+define(`corenet_raw_send_all_nodes',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_type:node rawip_send;
+ allow $1 self:capability net_raw;
+')
+
+define(`corenet_raw_send_all_nodes_depend',`
+ attribute node_type;
+
+ class node rawip_send;
+ class capability net_raw;
+')
+
+#######################################
+#
+# corenet_raw_receive_all_nodes(domain)
+#
+define(`corenet_raw_receive_all_nodes',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_type:node rawip_recv;
+')
+
+define(`corenet_raw_receive_all_nodes_depend',`
+ attribute node_type;
+
+ class node rawip_recv;
+')
+
+#######################################
+#
+# corenet_raw_sendrecv_all_nodes(domain)
+#
+define(`corenet_raw_sendrecv_all_nodes',`
+ corenet_raw_send_all_nodes($1)
+ corenet_raw_receive_all_nodes($1)
+')
+
+#######################################
+#
+# corenet_tcp_bind_all_nodes(domain)
+#
+define(`corenet_tcp_bind_all_nodes',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_type:tcp_socket node_bind;
+')
+
+define(`corenet_tcp_bind_all_nodes_depend',`
+ attribute node_type;
+
+ class tcp_socket node_bind;
+')
+
+#######################################
+#
+# corenet_udp_bind_all_nodes(domain)
+#
+define(`corenet_udp_bind_all_nodes',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 node_type:udp_socket node_bind;
+')
+
+define(`corenet_udp_bind_all_nodes_depend',`
+ attribute node_type;
+
+ class udp_socket node_bind;
+')
+
+#######################################
+#
+# corenet_tcp_sendrecv_generic_port(domain)
+#
+define(`corenet_tcp_sendrecv_generic_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_t:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenet_tcp_sendrecv_generic_port_depend',`
+ type port_t;
+
+ class tcp_socket { send_msg recv_msg };
+')
+
+#######################################
+#
+# corenet_udp_send_generic_port(domain)
+#
+define(`corenet_udp_send_generic_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_t:udp_socket send_msg;
+')
+
+define(`corenet_udp_send_generic_port_depend',`
+ type port_t;
+
+ class udp_socket send_msg;
+')
+
+#######################################
+#
+# corenet_udp_receive_generic_port(domain)
+#
+define(`corenet_udp_receive_generic_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_t:udp_socket recv_msg;
+')
+
+define(`corenet_udp_receive_generic_port_depend',`
+ type port_t;
+
+ class udp_socket recv_msg;
+')
+
+#######################################
+#
+# corenet_udp_sendrecv_generic_port(domain)
+#
+define(`corenet_udp_sendrecv_generic_port',`
+ corenet_udp_send_generic_port($1)
+ corenet_udp_receive_generic_port($1)
+')
+
+#######################################
+#
+# corenet_tcp_bind_generic_port(domain)
+#
+define(`corenet_tcp_bind_generic_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_t:tcp_socket name_bind;
+')
+
+define(`corenet_tcp_bind_generic_port_depend',`
+ type port_t;
+
+ class tcp_socket name_bind;
+')
+
+#######################################
+#
+# corenet_udp_bind_generic_port(domain)
+#
+define(`corenet_udp_bind_generic_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_t:udp_socket name_bind;
+')
+
+define(`corenet_udp_bind_generic_port_depend',`
+ type port_t;
+
+ class udp_socket name_bind;
+')
+
+#######################################
+#
+# corenet_tcp_sendrecv_all_ports(domain)
+#
+define(`corenet_tcp_sendrecv_all_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_type:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenet_tcp_sendrecv_all_ports_depend',`
+ attribute port_type;
+
+ class tcp_socket { send_msg recv_msg };
+')
+
+#######################################
+#
+# corenet_udp_send_all_ports(domain)
+#
+define(`corenet_udp_send_all_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_type:udp_socket send_msg;
+')
+
+define(`corenet_udp_send_all_ports_depend',`
+ attribute port_type;
+
+ class udp_socket send_msg;
+')
+
+#######################################
+#
+# corenet_udp_receive_all_ports(domain)
+#
+define(`corenet_udp_receive_all_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_type:udp_socket recv_msg;
+')
+
+define(`corenet_udp_receive_all_ports_depend',`
+ attribute port_type;
+
+ class udp_socket recv_msg;
+')
+
+#######################################
+#
+# corenet_udp_sendrecv_all_ports(domain)
+#
+define(`corenet_udp_sendrecv_all_ports',`
+ corenet_udp_send_all_ports($1)
+ corenet_udp_receive_all_ports($1)
+')
+
+#######################################
+#
+# corenet_tcp_bind_all_ports(domain)
+#
+define(`corenet_tcp_bind_all_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_type:tcp_socket name_bind;
+')
+
+define(`corenet_tcp_bind_all_ports_depend',`
+ attribute port_type;
+
+ class tcp_socket name_bind;
+')
+
+#######################################
+#
+# corenet_udp_bind_all_ports(domain)
+#
+define(`corenet_udp_bind_all_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 port_type:udp_socket name_bind;
+')
+
+define(`corenet_udp_bind_all_ports_depend',`
+ attribute port_type;
+
+ class udp_socket name_bind;
+')
+
+#######################################
+#
+# corenet_tcp_sendrecv_reserved_port(domain)
+#
+define(`corenet_tcp_sendrecv_reserved_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_t:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenet_tcp_sendrecv_reserved_port_depend',`
+ type reserved_port_t;
+
+ class tcp_socket { send_msg recv_msg };
+')
+
+#######################################
+#
+# corenet_udp_send_reserved_port(domain)
+#
+define(`corenet_udp_send_reserved_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_t:udp_socket send_msg;
+')
+
+define(`corenet_udp_send_reserved_port_depend',`
+ type reserved_port_t;
+
+ class udp_socket send_msg;
+')
+
+#######################################
+#
+# corenet_udp_receive_reserved_port(domain)
+#
+define(`corenet_udp_receive_reserved_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_t:udp_socket recv_msg;
+')
+
+define(`corenet_udp_receive_reserved_port_depend',`
+ type reserved_port_t;
+
+ class udp_socket recv_msg;
+')
+
+#######################################
+#
+# corenet_udp_sendrecv_reserved_port(domain)
+#
+define(`corenet_udp_sendrecv_reserved_port',`
+ corenet_udp_send_reserved_port($1)
+ corenet_udp_receive_reserved_port($1)
+')
+
+#######################################
+#
+# corenet_tcp_bind_reserved_port(domain)
+#
+define(`corenet_tcp_bind_reserved_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_t:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+define(`corenet_tcp_bind_reserved_port_depend',`
+ type reserved_port_t;
+
+ class tcp_socket name_bind;
+ class capability net_bind_service;
+')
+
+#######################################
+#
+# corenet_udp_bind_reserved_port(domain)
+#
+define(`corenet_udp_bind_reserved_port',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_t:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+define(`corenet_udp_bind_reserved_port_depend',`
+ type reserved_port_t;
+
+ class udp_socket name_bind;
+ class capability net_bind_service;
+')
+
+#######################################
+#
+# corenet_tcp_sendrecv_all_reserved_ports(domain)
+#
+define(`corenet_tcp_sendrecv_all_reserved_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_type:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenet_tcp_sendrecv_all_reserved_ports_depend',`
+ attribute reserved_port_type;
+
+ class tcp_socket { send_msg recv_msg };
+')
+
+#######################################
+#
+# corenet_udp_send_all_reserved_ports(domain)
+#
+define(`corenet_udp_send_all_reserved_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_type:udp_socket send_msg;
+')
+
+define(`corenet_udp_send_all_reserved_ports_depend',`
+ attribute reserved_port_type;
+
+ class udp_socket send_msg;
+')
+
+#######################################
+#
+# corenet_udp_receive_all_reserved_ports(domain)
+#
+define(`corenet_udp_receive_all_reserved_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_type:udp_socket recv_msg;
+')
+
+define(`corenet_udp_receive_all_reserved_ports_depend',`
+ attribute reserved_port_type;
+
+ class udp_socket recv_msg;
+')
+
+#######################################
+#
+# corenet_udp_sendrecv_all_reserved_ports(domain)
+#
+define(`corenet_udp_sendrecv_all_reserved_ports',`
+ corenet_udp_send_all_reserved_ports($1)
+ corenet_udp_receive_all_reserved_ports($1)
+')
+
+#######################################
+#
+# corenet_tcp_bind_all_reserved_ports(domain)
+#
+define(`corenet_tcp_bind_all_reserved_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_type:tcp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+define(`corenet_tcp_bind_all_reserved_ports_depend',`
+ attribute reserved_port_type;
+
+ class tcp_socket name_bind;
+ class capability net_bind_service;
+')
+
+#######################################
+#
+# corenet_dontaudit_tcp_bind_all_reserved_ports(domain)
+#
+define(`corenet_dontaudit_tcp_bind_all_reserved_ports',`
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 reserved_port_type:tcp_socket name_bind;
+')
+
+define(`corenet_dontaudit_tcp_bind_all_reserved_ports_depend',`
+ attribute reserved_port_type;
+
+ class tcp_socket name_bind;
+')
+
+#######################################
+#
+# corenet_udp_bind_all_reserved_ports(domain)
+#
+define(`corenet_udp_bind_all_reserved_ports',`
+ requires_block_template(`$0'_depend)
+
+ allow $1 reserved_port_type:udp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+define(`corenet_udp_bind_all_reserved_ports_depend',`
+ attribute reserved_port_type;
+
+ class udp_socket name_bind;
+ class self:capability net_bind_service;
+')
+
+#######################################
+#
+# corenet_dontaudit_udp_bind_all_reserved_ports(domain)
+#
+define(`corenet_dontaudit_udp_bind_all_reserved_ports',`
+ requires_block_template(`$0'_depend)
+
+ dontaudit $1 reserved_port_type:udp_socket name_bind;
+')
+
+define(`corenet_dontaudit_udp_bind_all_reserved_ports_depend',`
+ attribute reserved_port_type;
+
+ class udp_socket name_bind;
+')
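Review bot: The requires declaration in `corenet_udp_bind_all_reserved_ports_depend` is written as `class self:capability net_bind_service;`, but `self` is a subject keyword for allow rules, not a class name, so this requires block is unlikely to parse once the interface is used. The TCP counterpart `corenet_tcp_bind_all_reserved_ports_depend` and the single-type variants above it all declare `class capability net_bind_service;`, which is what this block should read too. Since the error only surfaces when a module calls `corenet_udp_bind_all_reserved_ports`, it would be easy to miss until a daemon that binds a privileged UDP port is built.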
diff --git a/refpolicy/policy/modules/kernel/corenetwork.if.m4 b/refpolicy/policy/modules/kernel/corenetwork.if.m4
new file mode 100644
index 0000000..192e6a9
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corenetwork.if.m4
@@ -0,0 +1,541 @@
+########################################
+#
+# Network Interface generated macros
+#
+########################################
+
+define(`create_netif_interfaces',``
+########################################
+##
+##
+## Send and receive TCP network traffic on the $1 interface.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_tcp_sendrecv_$1',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_netif_t:netif { tcp_send tcp_recv };
+')
+
+define(`corenet_tcp_sendrecv_$1_depend',`
+ type $1_netif_t;
+
+ class netif { tcp_send tcp_recv };
+')
+
+########################################
+##
+##
+## Send UDP network traffic on the $1 interface.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_send_$1',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_netif_t:netif udp_send;
+')
+
+define(`corenet_udp_send_$1_depend',`
+ type $1_netif_t;
+
+ class netif udp_send;
+')
+
+########################################
+##
+##
+## Receive UDP network traffic on the $1 interface.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_receive_$1',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_netif_t:netif udp_recv;
+')
+
+define(`corenet_udp_receive_$1_depend',`
+ type $1_netif_t;
+
+ class netif udp_recv;
+')
+
+########################################
+##
+##
+## Send and receive UDP network traffic on the $1 interface.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_sendrecv_$1',`
+ corenet_udp_send_$1(dollarsone)
+ corenet_udp_receive_$1(dollarsone)
+')
+
+########################################
+##
+##
+## Send raw IP packets on the $1 interface.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_raw_send_$1',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_netif_t:netif rawip_send;
+ allow dollarsone self:capability net_raw;
+')
+
+define(`corenet_raw_send_$1_depend',`
+ type $1_netif_t;
+
+ class netif rawip_send;
+ class capability net_raw;
+')
+
+########################################
+##
+##
+## Receive raw IP packets on the $1 interface.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_raw_receive_$1',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_netif_t:netif rawip_recv;
+')
+
+define(`corenet_raw_receive_$1_depend',`
+ type $1_netif_t;
+
+ class netif rawip_recv;
+')
+
+########################################
+##
+##
+## Send and receive raw IP packets on the $1 interface.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_raw_sendrecv_$1',`
+ corenet_raw_send_$1(dollarsone)
+ corenet_raw_receive_$1(dollarsone)
+')
+'') dnl end create_netif_interfaces
+
+########################################
+#
+# Network node generated macros
+#
+########################################
+
+define(`create_node_interfaces',``
+########################################
+##
+##
+## Send and receive TCP traffic on the $1 node.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_tcp_sendrecv_$1_node',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_node_t:node { tcp_send tcp_recv };
+')
+
+define(`corenet_tcp_sendrecv_$1_node_depend',`
+ type $1_node_t;
+
+ class node { tcp_send tcp_recv };
+')
+
+########################################
+##
+##
+## Send UDP traffic on the $1 node.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_send_$1_node',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_node_t:node udp_send;
+')
+
+define(`corenet_udp_send_$1_node_depend',`
+ type $1_node_t;
+
+ class node udp_send;
+')
+
+########################################
+##
+##
+## Receive UDP traffic on the $1 node.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_receive_$1_node',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_node_t:node udp_recv;
+')
+
+define(`corenet_udp_receive_$1_node_depend',`
+ type $1_node_t;
+
+ class node udp_recv;
+')
+
+########################################
+##
+##
+## Send and receive UDP traffic on the $1 node.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_sendrecv_$1_node',`
+ corenet_udp_send_$1_node(dollarsone)
+ corenet_udp_receive_$1_node(dollarsone)
+')
+
+########################################
+##
+##
+## Send raw IP packets on the $1 node.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_raw_send_$1_node',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_node_t:node rawip_send;
+ allow dollarsone self:capability net_raw;
+')
+
+define(`corenet_raw_send_$1_node_depend',`
+ type $1_node_t;
+
+ class node rawip_send;
+ class capability net_raw;
+')
+
+########################################
+##
+##
+## Receive raw IP packets on the $1 node.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_raw_receive_$1_node',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_node_t:node rawip_recv;
+')
+
+define(`corenet_raw_receive_$1_node_depend',`
+ type $1_node_t;
+
+ class node rawip_recv;
+')
+
+########################################
+##
+##
+## Send and receive raw IP packets on the $1 node.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_raw_sendrecv_$1_node',`
+ corenet_raw_send_$1_node(dollarsone)
+ corenet_raw_receive_$1_node(dollarsone)
+')
+
+########################################
+##
+##
+## Bind TCP sockets to node $1.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_tcp_bind_$1_node',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_node_t:tcp_socket node_bind;
+')
+
+define(`corenet_tcp_bind_$1_node_depend',`
+ type $1_node_t;
+
+ class tcp_socket node_bind;
+')
+
+########################################
+##
+##
+## Bind UDP sockets to the $1 node.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_bind_$1_node',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_node_t:udp_socket node_bind;
+')
+
+define(`corenet_udp_bind_$1_node_depend',`
+ type $1_node_t;
+
+ class udp_socket node_bind;
+')
+'') dnl end create_node_interfaces
+
+########################################
+#
+# Network port generated macros
+#
+########################################
+
+define(`create_port_interfaces',``
+########################################
+##
+##
+## Send and receive TCP traffic on the $1 port.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_tcp_sendrecv_$1_port',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_port_t:tcp_socket { send_msg recv_msg };
+')
+
+define(`corenet_tcp_sendrecv_$1_port_depend',`
+ type $1_port_t;
+
+ class tcp_socket { send_msg recv_msg };
+')
+
+########################################
+##
+##
+## Send UDP traffic on the $1 port.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_send_$1_port',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_port_t:udp_socket send_msg;
+')
+
+define(`corenet_udp_send_$1_port_depend',`
+ type $1_port_t;
+
+ class udp_socket send_msg;
+')
+
+########################################
+##
+##
+## Receive UDP traffic on the $1 port.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_receive_$1_port',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_port_t:udp_socket recv_msg;
+')
+
+define(`corenet_udp_receive_$1_port_depend',`
+ type $1_port_t;
+
+ class udp_socket recv_msg;
+')
+
+########################################
+##
+##
+## Send and receive UDP traffic on the $1 port.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_sendrecv_$1_port',`
+ corenet_udp_send_$1_port(dollarsone)
+ corenet_udp_receive_$1_port(dollarsone)
+')
+
+########################################
+##
+##
+## Bind TCP sockets to the $1 port.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_tcp_bind_$1_port',`
+ requires_block_template(`dollarszero'_depend)
+ allow dollarsone $1_port_t:tcp_socket name_bind;
+ $2
+')
+
+define(`corenet_tcp_bind_$1_port_depend',`
+ type $1_port_t;
+
+ class tcp_socket name_bind;
+ $3
+')
+
+########################################
+##
+##
+## Bind UDP sockets to the $1 port.
+##
+##
+## The type of the process performing this action.
+##
+##
+##
+#
+define(`corenet_udp_bind_$1_port',`
+ requires_block_template(`dollarszero'_depend)
+
+ allow dollarsone $1_port_t:udp_socket name_bind;
+ $2
+')
+
+define(`corenet_udp_bind_$1_port_depend',`
+ type $1_port_t;
+
+ class udp_socket name_bind;
+ $3
+')
+'') dnl end create_port_interfaces
+
+#
+# network_interface(linux_interfacename,mls_sensitivity)
+#
+define(`network_interface',`
+create_netif_interfaces($1)
+')
+
+#
+# network_node(node_name,mls_sensitivity,address,netmask)
+#
+define(`network_node',`
+create_node_interfaces($1)
+')
+
+# These next three macros have formatting, and should not me indented
+define(`determine_reserved_capability',`dnl
+ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
+ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability
+
+define(`determine_reserved_capability_depend',`dnl
+ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl
+ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability depend
+
+define(`declare_ports',`dnl
+ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
+portcon $2 $3 context_template(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+')
+
+#
+# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
+#
+define(`network_port',`
+create_port_interfaces($1,determine_reserved_capability(shift($*)),determine_reserved_capability_depend(shift($*)))
+')
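Review bot: The interfaces generated by `create_netif_interfaces` (`corenet_tcp_sendrecv_$1`, `corenet_udp_send_$1`, `corenet_raw_sendrecv_$1`, and their `_depend` forms) carry no object suffix, whereas `create_node_interfaces` and `create_port_interfaces` append `_node` and `_port`, and the hand-written interfaces in corenetwork.if.in use `_generic_if` / `_all_if`. A netif named `lo` therefore yields `corenet_tcp_sendrecv_lo`, which a policy writer cannot tell apart from a node or port interface by name, and the name collides with nothing only by luck. Suggest `define(`corenet_tcp_sendrecv_$1_if',` and `define(`corenet_tcp_sendrecv_$1_if_depend',` (likewise for the udp and raw variants) so the three generators follow one convention. Separately, `corenet_tcp_bind_$1_port` omits the blank line after `requires_block_template` that every other generated interface has; minor, but it makes the `$2` capability splice harder to spot when reading the expanded output.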
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te b/refpolicy/policy/modules/kernel/corenetwork.te
deleted file mode 100644
index 57e90d9..0000000
--- a/refpolicy/policy/modules/kernel/corenetwork.te
+++ /dev/null
@@ -1,128 +0,0 @@
-
-policy_module(corenetwork,1.0)
-
-attribute netif_type;
-attribute node_type;
-attribute port_type;
-attribute reserved_port_type;
-
-type ppp_device_t;
-devices_make_device_node(ppp_device_t)
-
-#
-# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
-#
-type tun_tap_device_t;
-devices_make_device_node(tun_tap_device_t)
-
-########################################
-#
-# Ports
-#
-
-#
-# port_t is the default type of INET port numbers.
-#
-type port_t, port_type;
-sid port context_template(system_u:object_r:port_t,s0)
-
-#
-# reserved_port_t is the type of INET port numbers below 1024.
-#
-type reserved_port_t, port_type, reserved_port_type;
-
-network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
-dnl network_port(biff) # no defined portcon in current strict
-network_port(dbskkd, tcp,1178,s0)
-network_port(dhcpc, udp,68,s0)
-network_port(dhcpd, udp,67,s0)
-network_port(dict, tcp,2628,s0)
-network_port(dns, udp,53,s0, tcp,53,s0)
-network_port(fingerd, tcp,79,s0)
-network_port(ftp_data, tcp,20,s0)
-network_port(ftp, tcp,21,s0)
-network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0)
-network_port(http, tcp,80,s0, tcp,443,s0)
-network_port(howl, tcp,5335,s0, udp,5353,s0)
-dnl network_port(i18n_input) # no defined portcon in current strict
-network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,113,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
-network_port(innd, tcp,119,s0)
-network_port(ipp, tcp,631,s0, udp,631,s0)
-network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
-network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
-network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
-network_port(ktalkd, udp,517,s0, udp,518,s0)
-network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
-network_port(mail, tcp,2000,s0)
-network_port(mysqld, tcp,3306,s0)
-network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
-network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0)
-network_port(portmap, udp,111,s0, tcp,111,s0)
-network_port(postgresql, tcp,5432,s0)
-network_port(printer, tcp,515,s0)
-network_port(pxe, udp,4011,s0)
-network_port(radacct, udp,1646,s0, udp,1813,s0)
-network_port(radius, udp,1645,s0, udp,1812,s0)
-network_port(rsh, tcp,514,s0)
-network_port(rsync, tcp,873,s0, udp,873,s0)
-network_port(smbd, tcp,137-139,s0, tcp,445,s0)
-network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
-network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
-network_port(ssh, tcp,22,s0)
-dnl network_port(stunnel) # no defined portcon in current strict
-network_port(swat, tcp,901,s0)
-network_port(syslogd, udp,514,s0)
-network_port(telnetd, tcp,23,s0)
-network_port(tftp, udp,69,s0)
-network_port(vnc, tcp,5900,s0)
-network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
-network_port(zebra, tcp,2601,s0)
-
-# Defaults for reserved ports. Earlier portcon entries take precedence;
-# these entries just cover any remaining reserved ports not otherwise
-# declared or omitted due to removal of a domain.
-portcon tcp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)
-portcon udp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)
-
-########################################
-#
-# Network nodes
-#
-
-#
-# node_t is the default type of network nodes.
-# The node_*_t types are used for specific network
-# nodes in net_contexts or net_contexts.mls.
-#
-type node_t, node_type;
-sid node context_template(system_u:object_r:node_t,s0)
-
-network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
-network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
-dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
-network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
-network_node(lo, s0, 127.0.0.1, 255.255.255.255)
-network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
-network_node(multicast, s0, ff00::, ff00::)
-network_node(site_local, s0, fec0::, ffc0::)
-network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
-
-########################################
-#
-# Network Interfaces:
-#
-
-#
-# netif_t is the default type of network interfaces.
-#
-type netif_t, netif_type;
-sid netif context_template(system_u:object_r:netif_t,s0)
-
-network_interface(lo, s0)
-network_interface(eth0, s0)
-network_interface(eth1, s0)
-network_interface(eth2, s0)
-network_interface(ippp0, s0)
-network_interface(ipsec0, s0)
-network_interface(ipsec1, s0)
-network_interface(ipsec2, s0)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.in b/refpolicy/policy/modules/kernel/corenetwork.te.in
new file mode 100644
index 0000000..57e90d9
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.in
@@ -0,0 +1,128 @@
+
+policy_module(corenetwork,1.0)
+
+attribute netif_type;
+attribute node_type;
+attribute port_type;
+attribute reserved_port_type;
+
+type ppp_device_t;
+devices_make_device_node(ppp_device_t)
+
+#
+# tun_tap_device_t is the type of /dev/net/tun/* and /dev/net/tap/*
+#
+type tun_tap_device_t;
+devices_make_device_node(tun_tap_device_t)
+
+########################################
+#
+# Ports
+#
+
+#
+# port_t is the default type of INET port numbers.
+#
+type port_t, port_type;
+sid port context_template(system_u:object_r:port_t,s0)
+
+#
+# reserved_port_t is the type of INET port numbers below 1024.
+#
+type reserved_port_t, port_type, reserved_port_type;
+
+network_port(amanda, udp,10080,s0, tcp,10080,s0, udp,10081,s0, tcp,10081,s0, tcp,10082,s0, tcp,10083,s0)
+dnl network_port(biff) # no defined portcon in current strict
+network_port(dbskkd, tcp,1178,s0)
+network_port(dhcpc, udp,68,s0)
+network_port(dhcpd, udp,67,s0)
+network_port(dict, tcp,2628,s0)
+network_port(dns, udp,53,s0, tcp,53,s0)
+network_port(fingerd, tcp,79,s0)
+network_port(ftp_data, tcp,20,s0)
+network_port(ftp, tcp,21,s0)
+network_port(http_cache, tcp,3128,s0, udp,3130,s0, tcp,8080,s0)
+network_port(http, tcp,80,s0, tcp,443,s0)
+network_port(howl, tcp,5335,s0, udp,5353,s0)
+dnl network_port(i18n_input) # no defined portcon in current strict
+network_port(inetd_child, tcp,7,s0, udp,7,s0, tcp,9,s0, udp,9,s0, tcp,13,s0, udp,13,s0, tcp,19,s0, udp,19,s0, tcp,37,s0, udp,37,s0, tcp,113,s0, tcp,512,s0, tcp,543,s0, tcp,544,s0, tcp,891,s0, udp,891,s0, tcp,892,s0, udp,892,s0, tcp,2105,s0)
+network_port(innd, tcp,119,s0)
+network_port(ipp, tcp,631,s0, udp,631,s0)
+network_port(kerberos_admin, tcp,464,s0, udp,464,s0, tcp,749,s0)
+network_port(kerberos_master, tcp,4444,s0, udp,4444,s0)
+network_port(kerberos, tcp,88,s0, udp,88,s0, tcp,750,s0, udp,750,s0)
+network_port(ktalkd, udp,517,s0, udp,518,s0)
+network_port(ldap, tcp,389,s0, udp,389,s0, tcp,636,s0, udp,636,s0)
+network_port(mail, tcp,2000,s0)
+network_port(mysqld, tcp,3306,s0)
+network_port(nmbd, udp,137,s0, udp,138,s0, udp,139,s0)
+network_port(pop, tcp,106,s0, tcp,109,s0, tcp,110,s0)
+network_port(portmap, udp,111,s0, tcp,111,s0)
+network_port(postgresql, tcp,5432,s0)
+network_port(printer, tcp,515,s0)
+network_port(pxe, udp,4011,s0)
+network_port(radacct, udp,1646,s0, udp,1813,s0)
+network_port(radius, udp,1645,s0, udp,1812,s0)
+network_port(rsh, tcp,514,s0)
+network_port(rsync, tcp,873,s0, udp,873,s0)
+network_port(smbd, tcp,137-139,s0, tcp,445,s0)
+network_port(smtp, tcp,25,s0, tcp,465,s0, tcp,587,s0)
+network_port(snmp, udp,161,s0, udp,162,s0, tcp,199,s0)
+network_port(ssh, tcp,22,s0)
+dnl network_port(stunnel) # no defined portcon in current strict
+network_port(swat, tcp,901,s0)
+network_port(syslogd, udp,514,s0)
+network_port(telnetd, tcp,23,s0)
+network_port(tftp, udp,69,s0)
+network_port(vnc, tcp,5900,s0)
+network_port(xserver, tcp,6001,s0, tcp,6002,s0, tcp,6003,s0, tcp,6004,s0, tcp,6005,s0, tcp,6006,s0, tcp,6007,s0, tcp,6008,s0, tcp,6009,s0, tcp,6010,s0, tcp,6011,s0, tcp,6012,s0, tcp,6013,s0, tcp,6014,s0, tcp,6015,s0, tcp,6016,s0, tcp,6017,s0, tcp,6018,s0, tcp,6019,s0)
+network_port(zebra, tcp,2601,s0)
+
+# Defaults for reserved ports. Earlier portcon entries take precedence;
+# these entries just cover any remaining reserved ports not otherwise
+# declared or omitted due to removal of a domain.
+portcon tcp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)
+portcon udp 1-1023 context_template(system_u:object_r:reserved_port_t, s0)
+
+########################################
+#
+# Network nodes
+#
+
+#
+# node_t is the default type of network nodes.
+# The node_*_t types are used for specific network
+# nodes in net_contexts or net_contexts.mls.
+#
+type node_t, node_type;
+sid node context_template(system_u:object_r:node_t,s0)
+
+network_node(compat_ipv4, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff::)
+network_node(inaddr_any, s0, 0.0.0.0, 255.255.255.255)
+dnl network_node(internal, s0, , ) # no nodecon for this in current strict policy
+network_node(link_local, s0, fe80::, ffff:ffff:ffff:ffff::, )
+network_node(lo, s0, 127.0.0.1, 255.255.255.255)
+network_node(mapped_ipv4, s0, ::ffff:0000:0000, ffff:ffff:ffff:ffff:ffff:ffff::)
+network_node(multicast, s0, ff00::, ff00::)
+network_node(site_local, s0, fec0::, ffc0::)
+network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
+
+########################################
+#
+# Network Interfaces:
+#
+
+#
+# netif_t is the default type of network interfaces.
+#
+type netif_t, netif_type;
+sid netif context_template(system_u:object_r:netif_t,s0)
+
+network_interface(lo, s0)
+network_interface(eth0, s0)
+network_interface(eth1, s0)
+network_interface(eth2, s0)
+network_interface(ippp0, s0)
+network_interface(ipsec0, s0)
+network_interface(ipsec1, s0)
+network_interface(ipsec2, s0)
diff --git a/refpolicy/policy/modules/kernel/corenetwork.te.m4 b/refpolicy/policy/modules/kernel/corenetwork.te.m4
new file mode 100644
index 0000000..f591654
--- /dev/null
+++ b/refpolicy/policy/modules/kernel/corenetwork.te.m4
@@ -0,0 +1,43 @@
+#
+# network_interface(linux_interfacename,mls_sensitivity)
+#
+define(`network_interface',`
+requires_block_template(`type unlabeled_t')
+type $1_netif_t alias netif_$1_t, netif_type;
+netifcon $1 context_template(system_u:object_r:$1_netif_t,$2) context_template(system_u:object_r:unlabeled_t,$2)
+')
+
+#
+# network_node(node_name,mls_sensitivity,address,netmask)
+#
+define(`network_node',`
+type $1_node_t alias node_$1_t, node_type;
+nodecon $3 $4 context_template(system_u:object_r:$1_node_t,$2)
+')
+
+# These next three macros have formatting, and should not me indented
+define(`determine_reserved_capability',`dnl
+ifelse(eval($2 < 1024),1,``allow' dollarsone self:capability net_bind_service;',`dnl
+ifelse($4,`',`',`determine_reserved_capability(shiftn(3,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability
+
+define(`determine_reserved_capability_depend',`dnl
+ifelse(eval($2 < 1024),1,`class capability net_bind_service;',`dnl
+ifelse($4,`',`',`determine_reserved_capability_depend(shiftn(3,$*))')dnl end inner ifelse
+')dnl end outer ifelse
+') dnl end determine reserved capability depend
+
+define(`declare_ports',`dnl
+ifelse(eval($3 < 1024),1,`typeattribute $1 reserved_port_type;',`dnl')
+portcon $2 $3 context_template(system_u:object_r:$1,$4)
+ifelse(`$5',`',`',`declare_ports($1,shiftn(4,$*))')dnl
+')
+
+#
+# network_port(port_name,protocol portnum mls_sensitivity [,protocol portnum mls_sensitivity[,...]])
+#
+define(`network_port',`
+type $1_port_t, port_type;
+declare_ports($1_port_t,shift($*))
+')