[selinux-policy: 1766/3172] trunk: Unified labeled networking policy from Paul Moore.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 21:37:37 UTC 2010
commit 1900668638d0862c775a4ecfd4ae03fc67c88b2e
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Jun 27 15:23:21 2007 +0000
trunk: Unified labeled networking policy from Paul Moore.
The latest revision of the labeled policy patches which enable both labeled
and unlabeled policy support for NetLabel. This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access. The older, transport layer specific interfaces, are still
present for use by third-party modules but are not used in the default policy
modules.
trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinquish between actual unlabeled packets and those packets which have MLS
security attributes.
Changelog | 2 +
policy/mls | 5 +-
policy/modules/admin/amanda.te | 8 +-
policy/modules/admin/apt.te | 5 +-
policy/modules/admin/backup.te | 5 +-
policy/modules/admin/dpkg.te | 5 +-
policy/modules/admin/firstboot.te | 5 +-
policy/modules/admin/mrtg.te | 5 +-
policy/modules/admin/netutils.te | 11 +-
policy/modules/admin/portage.if | 6 +-
policy/modules/admin/portage.te | 2 +-
policy/modules/admin/rpm.te | 5 +-
policy/modules/admin/sxid.te | 5 +-
policy/modules/admin/vpn.te | 5 +-
policy/modules/apps/calamaris.te | 5 +-
policy/modules/apps/evolution.if | 9 +-
policy/modules/apps/evolution.te | 2 +-
policy/modules/apps/games.if | 3 +-
policy/modules/apps/games.te | 2 +-
policy/modules/apps/gift.if | 6 +-
policy/modules/apps/gift.te | 2 +-
policy/modules/apps/gpg.if | 6 +-
policy/modules/apps/gpg.te | 2 +-
policy/modules/apps/irc.if | 3 +-
policy/modules/apps/irc.te | 2 +-
policy/modules/apps/java.if | 3 +-
policy/modules/apps/java.te | 2 +-
policy/modules/apps/mozilla.if | 3 +-
policy/modules/apps/mozilla.te | 2 +-
policy/modules/apps/screen.if | 3 +-
policy/modules/apps/screen.te | 2 +-
policy/modules/apps/thunderbird.if | 3 +-
policy/modules/apps/thunderbird.te | 2 +-
policy/modules/apps/uml.if | 3 +-
policy/modules/apps/uml.te | 2 +-
policy/modules/apps/vmware.te | 5 +-
policy/modules/apps/webalizer.te | 5 +-
policy/modules/apps/yam.te | 5 +-
policy/modules/kernel/corenetwork.if.in | 341 ++++++++++++++++++++++++++++-
policy/modules/kernel/corenetwork.te.in | 9 +-
policy/modules/kernel/kernel.if | 69 +++----
policy/modules/kernel/kernel.te | 6 +-
policy/modules/services/afs.te | 17 +-
policy/modules/services/amavis.te | 5 +-
policy/modules/services/apache.if | 6 +-
policy/modules/services/apache.te | 8 +-
policy/modules/services/apcupsd.te | 5 +-
policy/modules/services/arpwatch.te | 5 +-
policy/modules/services/asterisk.te | 5 +-
policy/modules/services/automount.te | 5 +-
policy/modules/services/avahi.te | 5 +-
policy/modules/services/bind.te | 8 +-
policy/modules/services/bluetooth.te | 5 +-
policy/modules/services/canna.te | 5 +-
policy/modules/services/ccs.te | 5 +-
policy/modules/services/cipe.te | 5 +-
policy/modules/services/clamav.te | 8 +-
policy/modules/services/clockspeed.te | 8 +-
policy/modules/services/comsat.te | 5 +-
policy/modules/services/courier.if | 3 +-
policy/modules/services/courier.te | 2 +-
policy/modules/services/cron.if | 3 +-
policy/modules/services/cron.te | 5 +-
policy/modules/services/cups.te | 17 +-
policy/modules/services/cvs.te | 5 +-
policy/modules/services/cyrus.te | 5 +-
policy/modules/services/dante.te | 5 +-
policy/modules/services/dbskk.te | 5 +-
policy/modules/services/dbus.if | 4 +-
policy/modules/services/dbus.te | 2 +-
policy/modules/services/dcc.te | 20 +-
policy/modules/services/ddclient.te | 5 +-
policy/modules/services/dhcp.te | 5 +-
policy/modules/services/dictd.te | 5 +-
policy/modules/services/distcc.te | 5 +-
policy/modules/services/djbdns.if | 3 +-
policy/modules/services/djbdns.te | 2 +-
policy/modules/services/dnsmasq.te | 5 +-
policy/modules/services/dovecot.te | 5 +-
policy/modules/services/fetchmail.te | 5 +-
policy/modules/services/finger.te | 5 +-
policy/modules/services/ftp.te | 5 +-
policy/modules/services/gatekeeper.te | 5 +-
policy/modules/services/hal.te | 5 +-
policy/modules/services/howl.te | 5 +-
policy/modules/services/i18n_input.te | 5 +-
policy/modules/services/imaze.te | 5 +-
policy/modules/services/inetd.te | 14 +-
policy/modules/services/inn.te | 5 +-
policy/modules/services/ircd.te | 5 +-
policy/modules/services/jabber.te | 5 +-
policy/modules/services/kerberos.if | 3 +-
policy/modules/services/kerberos.te | 8 +-
policy/modules/services/ktalk.te | 5 +-
policy/modules/services/ldap.te | 5 +-
policy/modules/services/lpd.if | 3 +-
policy/modules/services/lpd.te | 8 +-
policy/modules/services/mailman.if | 3 +-
policy/modules/services/mailman.te | 2 +-
policy/modules/services/monop.te | 5 +-
policy/modules/services/mta.if | 3 +-
policy/modules/services/mta.te | 2 +-
policy/modules/services/munin.te | 5 +-
policy/modules/services/mysql.te | 5 +-
policy/modules/services/nagios.te | 5 +-
policy/modules/services/nessus.te | 5 +-
policy/modules/services/networkmanager.te | 5 +-
policy/modules/services/nis.if | 3 +-
policy/modules/services/nis.te | 17 +-
policy/modules/services/nscd.te | 5 +-
policy/modules/services/nsd.te | 8 +-
policy/modules/services/ntop.te | 5 +-
policy/modules/services/ntp.te | 5 +-
policy/modules/services/nx.te | 5 +-
policy/modules/services/oav.te | 8 +-
policy/modules/services/openvpn.te | 5 +-
policy/modules/services/pcscd.te | 5 +-
policy/modules/services/pegasus.te | 5 +-
policy/modules/services/perdition.te | 5 +-
policy/modules/services/portmap.te | 8 +-
policy/modules/services/portslave.te | 5 +-
policy/modules/services/postfix.if | 3 +-
policy/modules/services/postfix.te | 8 +-
policy/modules/services/postgresql.te | 5 +-
policy/modules/services/postgrey.te | 5 +-
policy/modules/services/ppp.te | 8 +-
policy/modules/services/privoxy.te | 5 +-
policy/modules/services/procmail.te | 5 +-
policy/modules/services/pyzor.te | 5 +-
policy/modules/services/qmail.te | 5 +-
policy/modules/services/radius.te | 5 +-
policy/modules/services/radvd.te | 5 +-
policy/modules/services/razor.if | 3 +-
policy/modules/services/razor.te | 5 +-
policy/modules/services/rdisc.te | 5 +-
policy/modules/services/rhgb.te | 5 +-
policy/modules/services/ricci.te | 6 +-
policy/modules/services/rlogin.te | 5 +-
policy/modules/services/roundup.te | 5 +-
policy/modules/services/rpc.if | 4 +-
policy/modules/services/rpc.te | 2 +-
policy/modules/services/rshd.te | 5 +-
policy/modules/services/rsync.te | 5 +-
policy/modules/services/rwho.te | 5 +-
policy/modules/services/samba.te | 20 +-
policy/modules/services/sasl.te | 5 +-
policy/modules/services/sendmail.te | 5 +-
policy/modules/services/setroubleshoot.te | 5 +-
policy/modules/services/smartmon.te | 5 +-
policy/modules/services/snmp.te | 5 +-
policy/modules/services/snort.te | 5 +-
policy/modules/services/soundserver.te | 5 +-
policy/modules/services/spamassassin.if | 6 +-
policy/modules/services/spamassassin.te | 5 +-
policy/modules/services/squid.te | 5 +-
policy/modules/services/ssh.if | 6 +-
policy/modules/services/ssh.te | 2 +-
policy/modules/services/stunnel.te | 5 +-
policy/modules/services/tcpd.te | 5 +-
policy/modules/services/telnet.te | 5 +-
policy/modules/services/tftp.te | 5 +-
policy/modules/services/timidity.te | 5 +-
policy/modules/services/tor.te | 5 +-
policy/modules/services/transproxy.te | 5 +-
policy/modules/services/ucspitcp.te | 8 +-
policy/modules/services/uucp.te | 5 +-
policy/modules/services/uwimap.te | 5 +-
policy/modules/services/watchdog.te | 5 +-
policy/modules/services/xprint.te | 5 +-
policy/modules/services/xserver.if | 3 +-
policy/modules/services/xserver.te | 5 +-
policy/modules/services/zebra.te | 5 +-
policy/modules/system/hotplug.te | 5 +-
policy/modules/system/init.te | 5 +-
policy/modules/system/ipsec.te | 6 +-
policy/modules/system/iscsi.te | 5 +-
policy/modules/system/logging.te | 5 +-
policy/modules/system/lvm.te | 5 +-
policy/modules/system/mount.te | 5 +-
policy/modules/system/sysnetwork.if | 9 +-
policy/modules/system/sysnetwork.te | 5 +-
policy/modules/system/userdomain.if | 9 +-
policy/modules/system/userdomain.te | 2 +-
policy/modules/system/xen.te | 5 +-
184 files changed, 943 insertions(+), 424 deletions(-)
---
diff --git a/Changelog b/Changelog
index 87d5be7..a919ef7 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,5 @@
+- Unified labeled networking policy from Paul Moore.
+- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
- Xen updates from Dan Walsh.
- Filesystem updates from Dan Walsh.
- Large samba update from Dan Walsh.
diff --git a/policy/mls b/policy/mls
index 16fbfcb..16bd1df 100644
--- a/policy/mls
+++ b/policy/mls
@@ -182,11 +182,12 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
(( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
( t1 == mlsnetwrite ));
-# used by netlabel to restrict normal domains to same level connections
+# used by netlabel to restrict normal domains to same level connections unless the connection is unlabeled
mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
(( l1 eq l2 ) or
(( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
- ( t1 == mlsnetread ));
+ ( t1 == mlsnetread ) or
+ ( t2 == unlabeled_t ));
# these access vectors have no MLS restrictions
# { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
diff --git a/policy/modules/admin/amanda.te b/policy/modules/admin/amanda.te
index b6ada7d..29d7835 100644
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@@ -1,5 +1,5 @@
-policy_module(amanda,1.5.0)
+policy_module(amanda,1.5.1)
#######################################
#
@@ -113,7 +113,8 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
# Added for targeted policy
term_use_unallocated_ttys(amanda_t)
-corenet_non_ipsec_sendrecv(amanda_t)
+corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_all_recvfrom_netlabel(amanda_t)
corenet_tcp_sendrecv_all_if(amanda_t)
corenet_udp_sendrecv_all_if(amanda_t)
corenet_raw_sendrecv_all_if(amanda_t)
@@ -200,7 +201,8 @@ files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file
kernel_read_system_state(amanda_recover_t)
kernel_read_kernel_sysctls(amanda_recover_t)
-corenet_non_ipsec_sendrecv(amanda_recover_t)
+corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_all_recvfrom_netlabel(amanda_recover_t)
corenet_tcp_sendrecv_all_if(amanda_recover_t)
corenet_udp_sendrecv_all_if(amanda_recover_t)
corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
diff --git a/policy/modules/admin/apt.te b/policy/modules/admin/apt.te
index 3a3ba9d..7c7272b 100644
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@@ -1,5 +1,5 @@
-policy_module(apt,1.1.0)
+policy_module(apt,1.1.1)
########################################
#
@@ -72,7 +72,8 @@ kernel_read_kernel_sysctls(apt_t)
corecmd_exec_bin(apt_t)
corecmd_exec_shell(apt_t)
-corenet_non_ipsec_sendrecv(apt_t)
+corenet_all_recvfrom_unlabeled(apt_t)
+corenet_all_recvfrom_netlabel(apt_t)
corenet_tcp_sendrecv_all_if(apt_t)
corenet_udp_sendrecv_all_if(apt_t)
corenet_tcp_sendrecv_all_nodes(apt_t)
diff --git a/policy/modules/admin/backup.te b/policy/modules/admin/backup.te
index 277c49a..fee5b9c 100644
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@@ -1,5 +1,5 @@
-policy_module(backup,1.1.0)
+policy_module(backup,1.1.1)
########################################
#
@@ -36,7 +36,8 @@ kernel_read_kernel_sysctls(backup_t)
corecmd_exec_bin(backup_t)
-corenet_non_ipsec_sendrecv(backup_t)
+corenet_all_recvfrom_unlabeled(backup_t)
+corenet_all_recvfrom_netlabel(backup_t)
corenet_tcp_sendrecv_generic_if(backup_t)
corenet_udp_sendrecv_generic_if(backup_t)
corenet_raw_sendrecv_generic_if(backup_t)
diff --git a/policy/modules/admin/dpkg.te b/policy/modules/admin/dpkg.te
index 932d12f..1808c88 100644
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@@ -1,5 +1,5 @@
-policy_module(dpkg,1.1.1)
+policy_module(dpkg,1.1.2)
########################################
#
@@ -90,7 +90,8 @@ kernel_read_kernel_sysctls(dpkg_t)
corecmd_exec_all_executables(dpkg_t)
# TODO: do we really need all networking?
-corenet_non_ipsec_sendrecv(dpkg_t)
+corenet_all_recvfrom_unlabeled(dpkg_t)
+corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_all_if(dpkg_t)
corenet_raw_sendrecv_all_if(dpkg_t)
corenet_udp_sendrecv_all_if(dpkg_t)
diff --git a/policy/modules/admin/firstboot.te b/policy/modules/admin/firstboot.te
index 0453cd8..3d016fc 100644
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@@ -1,5 +1,5 @@
-policy_module(firstboot,1.4.0)
+policy_module(firstboot,1.4.1)
gen_require(`
class passwd rootok;
@@ -41,7 +41,8 @@ unconfined_domain(firstboot_t)
kernel_read_system_state(firstboot_t)
kernel_read_kernel_sysctls(firstboot_t)
-corenet_non_ipsec_sendrecv(firstboot_t)
+corenet_all_recvfrom_unlabeled(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
corenet_tcp_sendrecv_all_if(firstboot_t)
corenet_tcp_sendrecv_all_nodes(firstboot_t)
corenet_tcp_sendrecv_all_ports(firstboot_t)
diff --git a/policy/modules/admin/mrtg.te b/policy/modules/admin/mrtg.te
index 5ec21f4..e1e202c 100644
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@@ -1,5 +1,5 @@
-policy_module(mrtg,1.1.0)
+policy_module(mrtg,1.1.1)
########################################
#
@@ -63,7 +63,8 @@ kernel_read_kernel_sysctls(mrtg_t)
corecmd_exec_bin(mrtg_t)
corecmd_exec_shell(mrtg_t)
-corenet_non_ipsec_sendrecv(mrtg_t)
+corenet_all_recvfrom_unlabeled(mrtg_t)
+corenet_all_recvfrom_netlabel(mrtg_t)
corenet_tcp_sendrecv_generic_if(mrtg_t)
corenet_udp_sendrecv_generic_if(mrtg_t)
corenet_tcp_sendrecv_all_nodes(mrtg_t)
diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te
index a7e9a1e..014b697 100644
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@@ -1,5 +1,5 @@
-policy_module(netutils,1.4.1)
+policy_module(netutils,1.4.2)
########################################
#
@@ -53,7 +53,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })
kernel_search_proc(netutils_t)
-corenet_non_ipsec_sendrecv(netutils_t)
+corenet_all_recvfrom_unlabeled(netutils_t)
+corenet_all_recvfrom_netlabel(netutils_t)
corenet_tcp_sendrecv_all_if(netutils_t)
corenet_raw_sendrecv_all_if(netutils_t)
corenet_udp_sendrecv_all_if(netutils_t)
@@ -114,7 +115,8 @@ allow ping_t self:tcp_socket create_socket_perms;
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
-corenet_non_ipsec_sendrecv(ping_t)
+corenet_all_recvfrom_unlabeled(ping_t)
+corenet_all_recvfrom_netlabel(ping_t)
corenet_tcp_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_if(ping_t)
corenet_raw_sendrecv_all_nodes(ping_t)
@@ -184,7 +186,8 @@ allow traceroute_t self:udp_socket create_socket_perms;
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
-corenet_non_ipsec_sendrecv(traceroute_t)
+corenet_all_recvfrom_unlabeled(traceroute_t)
+corenet_all_recvfrom_netlabel(traceroute_t)
corenet_tcp_sendrecv_all_if(traceroute_t)
corenet_udp_sendrecv_all_if(traceroute_t)
corenet_raw_sendrecv_all_if(traceroute_t)
diff --git a/policy/modules/admin/portage.if b/policy/modules/admin/portage.if
index f486c97..3fe9309 100644
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@@ -152,7 +152,8 @@ interface(`portage_compile_domain',`
# really shouldnt need this but some packages test
# network access, such as during configure
# also distcc--need to reinvestigate confining distcc client
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_udp_sendrecv_generic_if($1)
corenet_raw_sendrecv_generic_if($1)
@@ -242,7 +243,8 @@ interface(`portage_fetch_domain',`
corecmd_exec_bin($1)
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_generic_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_all_ports($1)
diff --git a/policy/modules/admin/portage.te b/policy/modules/admin/portage.te
index 4335d44..0540613 100644
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@@ -1,5 +1,5 @@
-policy_module(portage,1.2.0)
+policy_module(portage,1.2.1)
########################################
#
diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index b1ccc1b..70f4ade 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -1,5 +1,5 @@
-policy_module(rpm,1.6.1)
+policy_module(rpm,1.6.2)
########################################
#
@@ -91,7 +91,8 @@ kernel_read_kernel_sysctls(rpm_t)
corecmd_exec_all_executables(rpm_t)
-corenet_non_ipsec_sendrecv(rpm_t)
+corenet_all_recvfrom_unlabeled(rpm_t)
+corenet_all_recvfrom_netlabel(rpm_t)
corenet_tcp_sendrecv_all_if(rpm_t)
corenet_raw_sendrecv_all_if(rpm_t)
corenet_udp_sendrecv_all_if(rpm_t)
diff --git a/policy/modules/admin/sxid.te b/policy/modules/admin/sxid.te
index ea0bde2..1341a1b 100644
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@@ -1,5 +1,5 @@
-policy_module(sxid,1.1.0)
+policy_module(sxid,1.1.1)
########################################
#
@@ -42,7 +42,8 @@ kernel_read_kernel_sysctls(sxid_t)
corecmd_exec_bin(sxid_t)
corecmd_exec_shell(sxid_t)
-corenet_non_ipsec_sendrecv(sxid_t)
+corenet_all_recvfrom_unlabeled(sxid_t)
+corenet_all_recvfrom_netlabel(sxid_t)
corenet_tcp_sendrecv_generic_if(sxid_t)
corenet_udp_sendrecv_generic_if(sxid_t)
corenet_tcp_sendrecv_all_nodes(sxid_t)
diff --git a/policy/modules/admin/vpn.te b/policy/modules/admin/vpn.te
index 2056403..51ddb35 100644
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@@ -1,5 +1,5 @@
-policy_module(vpn,1.4.0)
+policy_module(vpn,1.4.1)
########################################
#
@@ -48,7 +48,8 @@ kernel_read_network_state(vpnc_t)
kernel_read_kernel_sysctls(vpnc_t)
kernel_rw_net_sysctls(vpnc_t)
-corenet_non_ipsec_sendrecv(vpnc_t)
+corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_all_recvfrom_netlabel(vpnc_t)
corenet_tcp_sendrecv_all_if(vpnc_t)
corenet_udp_sendrecv_all_if(vpnc_t)
corenet_raw_sendrecv_all_if(vpnc_t)
diff --git a/policy/modules/apps/calamaris.te b/policy/modules/apps/calamaris.te
index 5bb18e3..674ca1d 100644
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@@ -1,5 +1,5 @@
-policy_module(calamaris,1.1.0)
+policy_module(calamaris,1.1.1)
########################################
#
@@ -40,7 +40,8 @@ kernel_read_system_state(calamaris_t)
corecmd_exec_bin(calamaris_t)
-corenet_non_ipsec_sendrecv(calamaris_t)
+corenet_all_recvfrom_unlabeled(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
corenet_tcp_sendrecv_generic_if(calamaris_t)
corenet_udp_sendrecv_generic_if(calamaris_t)
corenet_tcp_sendrecv_all_nodes(calamaris_t)
diff --git a/policy/modules/apps/evolution.if b/policy/modules/apps/evolution.if
index b167857..0e22c03 100644
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@@ -188,7 +188,8 @@ template(`evolution_per_role_template',`
# Run various programs
corecmd_exec_bin($1_evolution_t)
- corenet_non_ipsec_sendrecv($1_evolution_t)
+ corenet_all_recvfrom_unlabeled($1_evolution_t)
+ corenet_all_recvfrom_netlabel($1_evolution_t)
corenet_tcp_sendrecv_generic_if($1_evolution_t)
corenet_udp_sendrecv_generic_if($1_evolution_t)
corenet_raw_sendrecv_generic_if($1_evolution_t)
@@ -681,7 +682,8 @@ template(`evolution_per_role_template',`
corecmd_exec_shell($1_evolution_server_t)
# Obtain weather data via http (read server name from xml file in /usr)
- corenet_non_ipsec_sendrecv($1_evolution_server_t)
+ corenet_all_recvfrom_unlabeled($1_evolution_server_t)
+ corenet_all_recvfrom_netlabel($1_evolution_server_t)
corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
corenet_tcp_sendrecv_http_port($1_evolution_server_t)
@@ -758,7 +760,8 @@ template(`evolution_per_role_template',`
# Transition from user type
domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)
- corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
+ corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
+ corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
diff --git a/policy/modules/apps/evolution.te b/policy/modules/apps/evolution.te
index 1d92ee4..38d17a4 100644
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@@ -1,5 +1,5 @@
-policy_module(evolution,1.2.0)
+policy_module(evolution,1.2.1)
########################################
#
diff --git a/policy/modules/apps/games.if b/policy/modules/apps/games.if
index 7aa39b3..ed79d9f 100644
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@@ -92,7 +92,8 @@ template(`games_per_role_template',`
corecmd_exec_bin($1_games_t)
- corenet_non_ipsec_sendrecv($1_games_t)
+ corenet_all_recvfrom_unlabeled($1_games_t)
+ corenet_all_recvfrom_netlabel($1_games_t)
corenet_tcp_sendrecv_generic_if($1_games_t)
corenet_udp_sendrecv_generic_if($1_games_t)
corenet_tcp_sendrecv_all_nodes($1_games_t)
diff --git a/policy/modules/apps/games.te b/policy/modules/apps/games.te
index 851d90c..0a0fba8 100644
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@@ -1,5 +1,5 @@
-policy_module(games,1.2.0)
+policy_module(games,1.2.1)
########################################
#
diff --git a/policy/modules/apps/gift.if b/policy/modules/apps/gift.if
index 1895947..1bdc35f 100644
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@@ -96,7 +96,8 @@ template(`gift_per_role_template',`
kernel_read_system_state($1_giftd_t)
# Connect to gift daemon
- corenet_non_ipsec_sendrecv($1_gift_t)
+ corenet_all_recvfrom_unlabeled($1_gift_t)
+ corenet_all_recvfrom_netlabel($1_gift_t)
corenet_tcp_sendrecv_generic_if($1_gift_t)
corenet_tcp_sendrecv_all_nodes($1_gift_t)
corenet_tcp_sendrecv_giftd_port($1_gift_t)
@@ -155,7 +156,8 @@ template(`gift_per_role_template',`
kernel_read_kernel_sysctls($1_giftd_t)
# Serve content on various p2p networks. Ports can be random.
- corenet_non_ipsec_sendrecv($1_giftd_t)
+ corenet_all_recvfrom_unlabeled($1_giftd_t)
+ corenet_all_recvfrom_netlabel($1_giftd_t)
corenet_tcp_sendrecv_generic_if($1_giftd_t)
corenet_udp_sendrecv_generic_if($1_giftd_t)
corenet_tcp_sendrecv_all_nodes($1_giftd_t)
diff --git a/policy/modules/apps/gift.te b/policy/modules/apps/gift.te
index 55e3bca..bc6e328 100644
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@@ -1,5 +1,5 @@
-policy_module(gift,1.0.0)
+policy_module(gift,1.0.1)
########################################
#
diff --git a/policy/modules/apps/gpg.if b/policy/modules/apps/gpg.if
index 07a4cbb..d2382c4 100644
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@@ -98,7 +98,8 @@ template(`gpg_per_role_template',`
# allow ps to show gpg
ps_process_pattern($2,$1_gpg_t)
- corenet_non_ipsec_sendrecv($1_gpg_t)
+ corenet_all_recvfrom_unlabeled($1_gpg_t)
+ corenet_all_recvfrom_netlabel($1_gpg_t)
corenet_tcp_sendrecv_all_if($1_gpg_t)
corenet_udp_sendrecv_all_if($1_gpg_t)
corenet_tcp_sendrecv_all_nodes($1_gpg_t)
@@ -161,6 +162,8 @@ template(`gpg_per_role_template',`
dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;
+ corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
+ corenet_all_recvfrom_netlabel($1_gpg_helper_t)
corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
corenet_raw_sendrecv_all_if($1_gpg_helper_t)
corenet_udp_sendrecv_all_if($1_gpg_helper_t)
@@ -169,7 +172,6 @@ template(`gpg_per_role_template',`
corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
- corenet_non_ipsec_sendrecv($1_gpg_helper_t)
corenet_tcp_bind_all_nodes($1_gpg_helper_t)
corenet_udp_bind_all_nodes($1_gpg_helper_t)
corenet_tcp_connect_all_ports($1_gpg_helper_t)
diff --git a/policy/modules/apps/gpg.te b/policy/modules/apps/gpg.te
index de90c0f..7150d54 100644
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@@ -1,5 +1,5 @@
-policy_module(gpg, 1.2.0)
+policy_module(gpg, 1.2.1)
########################################
#
diff --git a/policy/modules/apps/irc.if b/policy/modules/apps/irc.if
index 6debc0b..8fbbc04 100644
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@@ -90,7 +90,8 @@ template(`irc_per_role_template',`
kernel_read_proc_symlinks($1_irc_t)
- corenet_non_ipsec_sendrecv($1_irc_t)
+ corenet_all_recvfrom_unlabeled($1_irc_t)
+ corenet_all_recvfrom_netlabel($1_irc_t)
corenet_tcp_sendrecv_generic_if($1_irc_t)
corenet_udp_sendrecv_generic_if($1_irc_t)
corenet_tcp_sendrecv_all_nodes($1_irc_t)
diff --git a/policy/modules/apps/irc.te b/policy/modules/apps/irc.te
index 419b695..67407d7 100644
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@@ -1,5 +1,5 @@
-policy_module(irc,1.1.0)
+policy_module(irc,1.1.1)
########################################
#
diff --git a/policy/modules/apps/java.if b/policy/modules/apps/java.if
index 52426e3..80770b1 100644
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@@ -97,7 +97,8 @@ template(`java_per_role_template',`
# Search bin directory under javaplugin for javaplugin executable
corecmd_search_bin($1_javaplugin_t)
- corenet_non_ipsec_sendrecv($1_javaplugin_t)
+ corenet_all_recvfrom_unlabeled($1_javaplugin_t)
+ corenet_all_recvfrom_netlabel($1_javaplugin_t)
corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
corenet_udp_sendrecv_generic_if($1_javaplugin_t)
corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
diff --git a/policy/modules/apps/java.te b/policy/modules/apps/java.te
index ebeb70f..a998a18 100644
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@@ -1,5 +1,5 @@
-policy_module(java,1.4.0)
+policy_module(java,1.4.1)
########################################
#
diff --git a/policy/modules/apps/mozilla.if b/policy/modules/apps/mozilla.if
index 207db69..7a1802e 100644
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -126,7 +126,8 @@ template(`mozilla_per_role_template',`
corecmd_exec_bin($1_mozilla_t)
# Browse the web, connect to printer
- corenet_non_ipsec_sendrecv($1_mozilla_t)
+ corenet_all_recvfrom_unlabeled($1_mozilla_t)
+ corenet_all_recvfrom_netlabel($1_mozilla_t)
corenet_tcp_sendrecv_generic_if($1_mozilla_t)
corenet_raw_sendrecv_generic_if($1_mozilla_t)
corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
diff --git a/policy/modules/apps/mozilla.te b/policy/modules/apps/mozilla.te
index 305c1cc..d89ebe3 100644
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@@ -1,5 +1,5 @@
-policy_module(mozilla,1.2.1)
+policy_module(mozilla,1.2.2)
########################################
#
diff --git a/policy/modules/apps/screen.if b/policy/modules/apps/screen.if
index 79b57a2..73b396c 100644
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@@ -111,7 +111,8 @@ template(`screen_per_role_template',`
corecmd_shell_domtrans($1_screen_t,$2)
corecmd_bin_domtrans($1_screen_t,$2)
- corenet_non_ipsec_sendrecv($1_screen_t)
+ corenet_all_recvfrom_unlabeled($1_screen_t)
+ corenet_all_recvfrom_netlabel($1_screen_t)
corenet_tcp_sendrecv_generic_if($1_screen_t)
corenet_udp_sendrecv_generic_if($1_screen_t)
corenet_tcp_sendrecv_all_nodes($1_screen_t)
diff --git a/policy/modules/apps/screen.te b/policy/modules/apps/screen.te
index 4e65b79..a94643f 100644
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@@ -1,5 +1,5 @@
-policy_module(screen,1.1.0)
+policy_module(screen,1.1.1)
########################################
#
diff --git a/policy/modules/apps/thunderbird.if b/policy/modules/apps/thunderbird.if
index fe9dcc5..fb1ab3f 100644
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@@ -105,7 +105,8 @@ template(`thunderbird_per_role_template',`
# Startup shellscript
corecmd_exec_shell($1_thunderbird_t)
- corenet_non_ipsec_sendrecv($1_thunderbird_t)
+ corenet_all_recvfrom_unlabeled($1_thunderbird_t)
+ corenet_all_recvfrom_netlabel($1_thunderbird_t)
corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
diff --git a/policy/modules/apps/thunderbird.te b/policy/modules/apps/thunderbird.te
index c45ad59..88adcd4 100644
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@@ -1,5 +1,5 @@
-policy_module(thunderbird,1.2.0)
+policy_module(thunderbird,1.2.1)
########################################
#
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if
index 29dcf95..ac9cae1 100644
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@@ -152,7 +152,8 @@ template(`uml_per_role_template',`
# for xterm
corecmd_exec_bin($1_uml_t)
- corenet_non_ipsec_sendrecv($1_uml_t)
+ corenet_all_recvfrom_unlabeled($1_uml_t)
+ corenet_all_recvfrom_netlabel($1_uml_t)
corenet_tcp_sendrecv_generic_if($1_uml_t)
corenet_udp_sendrecv_generic_if($1_uml_t)
corenet_tcp_sendrecv_all_nodes($1_uml_t)
diff --git a/policy/modules/apps/uml.te b/policy/modules/apps/uml.te
index b3e3bce..1336a86 100644
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@@ -1,5 +1,5 @@
-policy_module(uml,1.2.0)
+policy_module(uml,1.2.1)
########################################
#
diff --git a/policy/modules/apps/vmware.te b/policy/modules/apps/vmware.te
index 60a5977..3fa0b9f 100644
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@@ -1,5 +1,5 @@
-policy_module(vmware,1.1.0)
+policy_module(vmware,1.1.1)
########################################
#
@@ -45,7 +45,8 @@ kernel_read_kernel_sysctls(vmware_host_t)
kernel_list_proc(vmware_host_t)
kernel_read_proc_symlinks(vmware_host_t)
-corenet_non_ipsec_sendrecv(vmware_host_t)
+corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_all_recvfrom_netlabel(vmware_host_t)
corenet_tcp_sendrecv_generic_if(vmware_host_t)
corenet_udp_sendrecv_generic_if(vmware_host_t)
corenet_raw_sendrecv_generic_if(vmware_host_t)
diff --git a/policy/modules/apps/webalizer.te b/policy/modules/apps/webalizer.te
index ae68cff..fdc2d6c 100644
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@@ -1,5 +1,5 @@
-policy_module(webalizer,1.4.0)
+policy_module(webalizer,1.4.1)
########################################
#
@@ -61,7 +61,8 @@ files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
kernel_read_kernel_sysctls(webalizer_t)
kernel_read_system_state(webalizer_t)
-corenet_non_ipsec_sendrecv(webalizer_t)
+corenet_all_recvfrom_unlabeled(webalizer_t)
+corenet_all_recvfrom_netlabel(webalizer_t)
corenet_tcp_sendrecv_all_if(webalizer_t)
corenet_tcp_sendrecv_all_nodes(webalizer_t)
corenet_tcp_sendrecv_all_ports(webalizer_t)
diff --git a/policy/modules/apps/yam.te b/policy/modules/apps/yam.te
index bd82b0d..a8c38fe 100644
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@@ -1,5 +1,5 @@
-policy_module(yam,1.0.0)
+policy_module(yam,1.0.1)
########################################
#
@@ -60,7 +60,8 @@ corecmd_exec_bin(yam_t)
# Rsync and lftp need to network. They also set files attributes to
# match whats on the remote server.
-corenet_non_ipsec_sendrecv(yam_t)
+corenet_all_recvfrom_unlabeled(yam_t)
+corenet_all_recvfrom_netlabel(yam_t)
corenet_tcp_sendrecv_generic_if(yam_t)
corenet_tcp_sendrecv_all_nodes(yam_t)
corenet_tcp_sendrecv_all_ports(yam_t)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index d433fa2..969da70 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1565,6 +1565,17 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
## non-encrypted (no IPSEC) network
## session.
## </summary>
+## <desc>
+## <p>
+## Send and receive messages on a
+## non-encrypted (no IPSEC) network
+## session. (Deprecated)
+## </p>
+## <p>
+## The corenet_all_recvfrom_unlabeled() interface should be used instead
+## of this one.
+## </p>
+## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
@@ -1572,7 +1583,8 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
## </param>
#
interface(`corenet_non_ipsec_sendrecv',`
- kernel_sendrecv_unlabeled_association($1)
+ refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
+ corenet_all_recvfrom_unlabeled($1)
')
########################################
@@ -1581,6 +1593,17 @@ interface(`corenet_non_ipsec_sendrecv',`
## messages on a non-encrypted (no IPSEC) network
## session.
## </summary>
+## <desc>
+## <p>
+## Do not audit attempts to send and receive
+## messages on a non-encrypted (no IPSEC) network
+## session.
+## </p>
+## <p>
+## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
+## used instead of this one.
+## </p>
+## </desc>
## <param name="domain">
## <summary>
## Domain to not audit.
@@ -1588,7 +1611,8 @@ interface(`corenet_non_ipsec_sendrecv',`
## </param>
#
interface(`corenet_dontaudit_non_ipsec_sendrecv',`
- kernel_dontaudit_sendrecv_unlabeled_association($1)
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
+ corenet_dontaudit_all_recvfrom_unlabeled($1)
')
########################################
@@ -1602,7 +1626,45 @@ interface(`corenet_dontaudit_non_ipsec_sendrecv',`
## </param>
#
interface(`corenet_tcp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
+ corenet_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive TCP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_unlabeled',`
kernel_tcp_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
')
########################################
@@ -1617,7 +1679,47 @@ interface(`corenet_tcp_recv_netlabel',`
## </param>
#
interface(`corenet_dontaudit_tcp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
+ corenet_dontaudit_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
')
########################################
@@ -1631,7 +1733,45 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
## </param>
#
interface(`corenet_udp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
+ corenet_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive UDP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_unlabeled',`
kernel_udp_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
')
########################################
@@ -1646,7 +1786,47 @@ interface(`corenet_udp_recv_netlabel',`
## </param>
#
interface(`corenet_dontaudit_udp_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
+ corenet_dontaudit_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
kernel_dontaudit_udp_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
')
########################################
@@ -1660,7 +1840,45 @@ interface(`corenet_dontaudit_udp_recv_netlabel',`
## </param>
#
interface(`corenet_raw_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
+ corenet_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_unlabeled',`
kernel_raw_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
')
########################################
@@ -1675,7 +1893,126 @@ interface(`corenet_raw_recv_netlabel',`
## </param>
#
interface(`corenet_dontaudit_raw_recv_netlabel',`
+ refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
+ corenet_dontaudit_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_unlabeled',`
+ kernel_tcp_recvfrom_unlabeled($1)
+ kernel_udp_recvfrom_unlabeled($1)
+ kernel_raw_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Receive packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
+ kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+ kernel_dontaudit_udp_recvfrom_unlabeled($1)
+ kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+ # XXX - at some point the oubound/send access check will be removed
+ # but for right now we need to keep this in place so as not to break
+ # older systems
+ kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+## Do not audit attempts to receive packets from a NetLabel
+## connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
')
########################################
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 199f7c9..bf24b64 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.2.9)
+policy_module(corenetwork,1.2.10)
########################################
#
@@ -37,6 +37,13 @@ dev_node(tun_tap_device_t)
type client_packet_t, packet_type, client_packet_type;
#
+# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
+# connections using NetLabel which do not carry full SELinux contexts.
+#
+type netlabel_peer_t;
+sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+
+#
# port_t is the default type of INET port numbers.
#
type port_t, port_type;
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 00c3cc0..2b96253 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2198,17 +2198,14 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
########################################
## <summary>
-## Receive TCP packets from a NetLabel connection.
+## Receive TCP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
-## Receive TCP packets from a NetLabel connection, NetLabel is an
-## explicit packet labeling framework which implements CIPSO and
-## similar protocols.
+## Receive TCP packets from an unlabeled connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_tcp_recv_netlabel() should
+## The corenetwork interface corenet_tcp_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
@@ -2228,19 +2225,17 @@ interface(`kernel_tcp_recvfrom_unlabeled',`
########################################
## <summary>
-## Do not audit attempts to receive TCP packets from a NetLabel
-## connection.
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
## </summary>
## <desc>
## <p>
-## Do not audit attempts to receive TCP packets from a NetLabel
-## connection. NetLabel is an explicit packet labeling framework
-## which implements CIPSO and similar protocols.
+## Do not audit attempts to receive TCP packets from an unlabeled
+## connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_dontaudit_tcp_recv_netlabel() should
-## be used instead of this one.
+## The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
@@ -2259,17 +2254,14 @@ interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
########################################
## <summary>
-## Receive UDP packets from a NetLabel connection.
+## Receive UDP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
-## Receive UDP packets from a NetLabel connection, NetLabel is an
-## explicit packet labeling framework which implements CIPSO and
-## similar protocols.
+## Receive UDP packets from an unlabeled connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_udp_recv_netlabel() should
+## The corenetwork interface corenet_udp_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
@@ -2289,19 +2281,17 @@ interface(`kernel_udp_recvfrom_unlabeled',`
########################################
## <summary>
-## Do not audit attempts to receive UDP packets from a NetLabel
-## connection.
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
## </summary>
## <desc>
## <p>
-## Do not audit attempts to receive UDP packets from a NetLabel
-## connection. NetLabel is an explicit packet labeling framework
-## which implements CIPSO and similar protocols.
+## Do not audit attempts to receive UDP packets from an unlabeled
+## connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_dontaudit_udp_recv_netlabel() should
-## be used instead of this one.
+## The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
@@ -2320,17 +2310,14 @@ interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
########################################
## <summary>
-## Receive Raw IP packets from a NetLabel connection.
+## Receive Raw IP packets from an unlabeled connection.
## </summary>
## <desc>
## <p>
-## Receive Raw IP packets from a NetLabel connection, NetLabel is an
-## explicit packet labeling framework which implements CIPSO and
-## similar protocols.
+## Receive Raw IP packets from an unlabeled connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_raw_recv_netlabel() should
+## The corenetwork interface corenet_raw_recv_unlabeled() should
## be used instead of this one.
## </p>
## </desc>
@@ -2350,19 +2337,17 @@ interface(`kernel_raw_recvfrom_unlabeled',`
########################################
## <summary>
-## Do not audit attempts to receive Raw IP packets from a NetLabel
-## connection.
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
## </summary>
## <desc>
## <p>
-## Do not audit attempts to receive Raw IP packets from a NetLabel
-## connection. NetLabel is an explicit packet labeling framework
-## which implements CIPSO and similar protocols.
+## Do not audit attempts to receive Raw IP packets from an unlabeled
+## connection.
## </p>
## <p>
-## The corenetwork interface
-## corenet_dontaudit_raw_recv_netlabel() should
-## be used instead of this one.
+## The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
+## should be used instead of this one.
## </p>
## </desc>
## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index cd5f366..3cc8516 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.6.1)
+policy_module(kernel,1.6.2)
########################################
#
@@ -153,7 +153,6 @@ sid icmp_socket gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid igmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid init gen_context(system_u:object_r:unlabeled_t,s0)
sid kmod gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid netmsg gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid policy gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid scmp_packet gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
sid sysctl_modprobe gen_context(system_u:object_r:unlabeled_t,s0)
@@ -206,7 +205,8 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
-corenet_non_ipsec_sendrecv(kernel_t)
+corenet_all_recvfrom_unlabeled(kernel_t)
+corenet_all_recvfrom_netlabel(kernel_t)
# Kernel-generated traffic e.g., ICMP replies:
corenet_raw_sendrecv_all_if(kernel_t)
corenet_raw_sendrecv_all_nodes(kernel_t)
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index 6d44970..91f1359 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -1,5 +1,5 @@
-policy_module(afs,1.1.0)
+policy_module(afs,1.1.1)
########################################
#
@@ -89,7 +89,8 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)
kernel_read_kernel_sysctls(afs_bosserver_t)
-corenet_non_ipsec_sendrecv(afs_bosserver_t)
+corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+corenet_all_recvfrom_netlabel(afs_bosserver_t)
corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
corenet_tcp_sendrecv_all_nodes(afs_bosserver_t)
@@ -153,7 +154,8 @@ corenet_tcp_sendrecv_all_nodes(afs_fsserver_t)
corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
corenet_udp_sendrecv_all_ports(afs_fsserver_t)
-corenet_non_ipsec_sendrecv(afs_fsserver_t)
+corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+corenet_all_recvfrom_netlabel(afs_fsserver_t)
corenet_tcp_bind_all_nodes(afs_fsserver_t)
corenet_udp_bind_all_nodes(afs_fsserver_t)
corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@@ -206,7 +208,8 @@ manage_files_pattern(afs_kaserver_t,afs_logfile_t,afs_logfile_t)
kernel_read_kernel_sysctls(afs_kaserver_t)
-corenet_non_ipsec_sendrecv(afs_kaserver_t)
+corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+corenet_all_recvfrom_netlabel(afs_kaserver_t)
corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
corenet_tcp_sendrecv_all_nodes(afs_kaserver_t)
@@ -253,7 +256,8 @@ manage_files_pattern(afs_ptserver_t,afs_logfile_t,afs_logfile_t)
manage_files_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t)
filetrans_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t,file)
-corenet_non_ipsec_sendrecv(afs_ptserver_t)
+corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+corenet_all_recvfrom_netlabel(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
corenet_tcp_sendrecv_all_nodes(afs_ptserver_t)
@@ -294,7 +298,8 @@ manage_files_pattern(afs_vlserver_t,afs_logfile_t,afs_logfile_t)
manage_files_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t)
filetrans_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t,file)
-corenet_non_ipsec_sendrecv(afs_vlserver_t)
+corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+corenet_all_recvfrom_netlabel(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
corenet_tcp_sendrecv_all_nodes(afs_vlserver_t)
diff --git a/policy/modules/services/amavis.te b/policy/modules/services/amavis.te
index b46567b..994f10a 100644
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@@ -1,5 +1,5 @@
-policy_module(amavis,1.2.2)
+policy_module(amavis,1.2.3)
########################################
#
@@ -100,7 +100,8 @@ kernel_dontaudit_read_system_state(amavis_t)
# find perl
corecmd_exec_bin(amavis_t)
-corenet_non_ipsec_sendrecv(amavis_t)
+corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_all_recvfrom_netlabel(amavis_t)
corenet_tcp_sendrecv_all_if(amavis_t)
corenet_tcp_sendrecv_all_nodes(amavis_t)
corenet_tcp_bind_all_nodes(amavis_t)
diff --git a/policy/modules/services/apache.if b/policy/modules/services/apache.if
index 1dfbf35..932386f 100644
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@@ -181,7 +181,8 @@ template(`apache_content_template',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+ corenet_all_recvfrom_netlabel(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
@@ -200,7 +201,8 @@ template(`apache_content_template',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+ corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+ corenet_all_recvfrom_netlabel(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index 554f963..3bc00ee 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -1,5 +1,5 @@
-policy_module(apache,1.6.0)
+policy_module(apache,1.6.1)
#
# NOTES:
@@ -298,7 +298,8 @@ kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
-corenet_non_ipsec_sendrecv(httpd_t)
+corenet_all_recvfrom_unlabeled(httpd_t)
+corenet_all_recvfrom_netlabel(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
corenet_udp_sendrecv_all_if(httpd_t)
corenet_tcp_sendrecv_all_nodes(httpd_t)
@@ -641,7 +642,8 @@ tunable_policy(`httpd_can_network_connect',`
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv(httpd_suexec_t)
+ corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+ corenet_all_recvfrom_netlabel(httpd_suexec_t)
corenet_tcp_sendrecv_all_if(httpd_suexec_t)
corenet_udp_sendrecv_all_if(httpd_suexec_t)
corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
diff --git a/policy/modules/services/apcupsd.te b/policy/modules/services/apcupsd.te
index 206253b..ebd456f 100644
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@@ -1,5 +1,5 @@
-policy_module(apcupsd,1.0.1)
+policy_module(apcupsd,1.0.2)
########################################
#
@@ -39,7 +39,8 @@ logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
-corenet_non_ipsec_sendrecv(apcupsd_t)
+corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_all_recvfrom_netlabel(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_all_nodes(apcupsd_t)
corenet_tcp_sendrecv_all_ports(apcupsd_t)
diff --git a/policy/modules/services/arpwatch.te b/policy/modules/services/arpwatch.te
index b16908b..d607d70 100644
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@@ -1,5 +1,5 @@
-policy_module(arpwatch,1.3.1)
+policy_module(arpwatch,1.3.2)
########################################
#
@@ -47,7 +47,8 @@ kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)
-corenet_non_ipsec_sendrecv(arpwatch_t)
+corenet_all_recvfrom_unlabeled(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
corenet_tcp_sendrecv_all_if(arpwatch_t)
corenet_udp_sendrecv_all_if(arpwatch_t)
corenet_raw_sendrecv_all_if(arpwatch_t)
diff --git a/policy/modules/services/asterisk.te b/policy/modules/services/asterisk.te
index 0d0bef0..a095248 100644
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@@ -1,5 +1,5 @@
-policy_module(asterisk,1.2.0)
+policy_module(asterisk,1.2.1)
########################################
#
@@ -82,7 +82,8 @@ kernel_read_kernel_sysctls(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_search_bin(asterisk_t)
-corenet_non_ipsec_sendrecv(asterisk_t)
+corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_all_recvfrom_netlabel(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
corenet_tcp_sendrecv_all_nodes(asterisk_t)
diff --git a/policy/modules/services/automount.te b/policy/modules/services/automount.te
index 2cff097..495cf4d 100644
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@@ -1,5 +1,5 @@
-policy_module(automount,1.5.0)
+policy_module(automount,1.5.1)
########################################
#
@@ -76,7 +76,8 @@ fs_unmount_all_fs(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
-corenet_non_ipsec_sendrecv(automount_t)
+corenet_all_recvfrom_unlabeled(automount_t)
+corenet_all_recvfrom_netlabel(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
corenet_tcp_sendrecv_all_nodes(automount_t)
diff --git a/policy/modules/services/avahi.te b/policy/modules/services/avahi.te
index c760f9f..d4815b0 100644
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@@ -1,5 +1,5 @@
-policy_module(avahi,1.5.3)
+policy_module(avahi,1.5.4)
########################################
#
@@ -37,7 +37,8 @@ kernel_list_proc(avahi_t)
kernel_read_proc_symlinks(avahi_t)
kernel_read_network_state(avahi_t)
-corenet_non_ipsec_sendrecv(avahi_t)
+corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_all_recvfrom_netlabel(avahi_t)
corenet_tcp_sendrecv_all_if(avahi_t)
corenet_udp_sendrecv_all_if(avahi_t)
corenet_tcp_sendrecv_all_nodes(avahi_t)
diff --git a/policy/modules/services/bind.te b/policy/modules/services/bind.te
index 993010a..e107053 100644
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@@ -1,5 +1,5 @@
-policy_module(bind,1.4.0)
+policy_module(bind,1.4.1)
########################################
#
@@ -101,7 +101,8 @@ kernel_read_kernel_sysctls(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)
-corenet_non_ipsec_sendrecv(named_t)
+corenet_all_recvfrom_unlabeled(named_t)
+corenet_all_recvfrom_netlabel(named_t)
corenet_tcp_sendrecv_all_if(named_t)
corenet_udp_sendrecv_all_if(named_t)
corenet_tcp_sendrecv_all_nodes(named_t)
@@ -231,7 +232,8 @@ allow ndc_t named_zone_t:dir search;
kernel_read_kernel_sysctls(ndc_t)
-corenet_non_ipsec_sendrecv(ndc_t)
+corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_all_recvfrom_netlabel(ndc_t)
corenet_tcp_sendrecv_all_if(ndc_t)
corenet_tcp_sendrecv_all_nodes(ndc_t)
corenet_tcp_sendrecv_all_ports(ndc_t)
diff --git a/policy/modules/services/bluetooth.te b/policy/modules/services/bluetooth.te
index d5c6d2d..e55617c 100644
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@@ -1,5 +1,5 @@
-policy_module(bluetooth,1.5.1)
+policy_module(bluetooth,1.5.2)
########################################
#
@@ -81,7 +81,8 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
-corenet_non_ipsec_sendrecv(bluetooth_t)
+corenet_all_recvfrom_unlabeled(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
corenet_tcp_sendrecv_all_if(bluetooth_t)
corenet_udp_sendrecv_all_if(bluetooth_t)
corenet_raw_sendrecv_all_if(bluetooth_t)
diff --git a/policy/modules/services/canna.te b/policy/modules/services/canna.te
index 0dfc33b..52c1560 100644
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@@ -1,5 +1,5 @@
-policy_module(canna,1.4.0)
+policy_module(canna,1.4.1)
########################################
#
@@ -47,7 +47,8 @@ files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
kernel_read_kernel_sysctls(canna_t)
kernel_read_system_state(canna_t)
-corenet_non_ipsec_sendrecv(canna_t)
+corenet_all_recvfrom_unlabeled(canna_t)
+corenet_all_recvfrom_netlabel(canna_t)
corenet_tcp_sendrecv_all_if(canna_t)
corenet_tcp_sendrecv_all_nodes(canna_t)
corenet_tcp_sendrecv_all_ports(canna_t)
diff --git a/policy/modules/services/ccs.te b/policy/modules/services/ccs.te
index 6c7fae8..d3dd3c8 100644
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@@ -1,5 +1,5 @@
-policy_module(ccs,1.1.0)
+policy_module(ccs,1.1.1)
########################################
#
@@ -77,7 +77,8 @@ kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)
-corenet_non_ipsec_sendrecv(ccs_t)
+corenet_all_recvfrom_unlabeled(ccs_t)
+corenet_all_recvfrom_netlabel(ccs_t)
corenet_tcp_sendrecv_all_if(ccs_t)
corenet_udp_sendrecv_all_if(ccs_t)
corenet_tcp_sendrecv_all_nodes(ccs_t)
diff --git a/policy/modules/services/cipe.te b/policy/modules/services/cipe.te
index 6101c3a..d7c66e7 100644
--- a/policy/modules/services/cipe.te
+++ b/policy/modules/services/cipe.te
@@ -1,5 +1,5 @@
-policy_module(cipe,1.2.0)
+policy_module(cipe,1.2.1)
########################################
#
@@ -29,7 +29,8 @@ kernel_read_system_state(ciped_t)
corecmd_exec_shell(ciped_t)
corecmd_exec_bin(ciped_t)
-corenet_non_ipsec_sendrecv(ciped_t)
+corenet_all_recvfrom_unlabeled(ciped_t)
+corenet_all_recvfrom_netlabel(ciped_t)
corenet_udp_sendrecv_generic_if(ciped_t)
corenet_udp_sendrecv_all_nodes(ciped_t)
corenet_udp_sendrecv_all_ports(ciped_t)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 141cb6c..8dd71e0 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -1,5 +1,5 @@
-policy_module(clamav,1.3.1)
+policy_module(clamav,1.3.2)
########################################
#
@@ -86,7 +86,8 @@ files_pid_filetrans(clamd_t,clamd_var_run_t,file)
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
-corenet_non_ipsec_sendrecv(clamd_t)
+corenet_all_recvfrom_unlabeled(clamd_t)
+corenet_all_recvfrom_netlabel(clamd_t)
corenet_tcp_sendrecv_all_if(clamd_t)
corenet_tcp_sendrecv_all_nodes(clamd_t)
corenet_tcp_sendrecv_all_ports(clamd_t)
@@ -160,7 +161,8 @@ allow freshclam_t freshclam_var_log_t:dir setattr;
allow freshclam_t clamd_var_log_t:dir search_dir_perms;
logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
-corenet_non_ipsec_sendrecv(freshclam_t)
+corenet_all_recvfrom_unlabeled(freshclam_t)
+corenet_all_recvfrom_netlabel(freshclam_t)
corenet_tcp_sendrecv_all_if(freshclam_t)
corenet_tcp_sendrecv_all_nodes(freshclam_t)
corenet_tcp_sendrecv_all_ports(freshclam_t)
diff --git a/policy/modules/services/clockspeed.te b/policy/modules/services/clockspeed.te
index 1b22e77..b1b8192 100644
--- a/policy/modules/services/clockspeed.te
+++ b/policy/modules/services/clockspeed.te
@@ -1,5 +1,5 @@
-policy_module(clockspeed,1.1.0)
+policy_module(clockspeed,1.1.1)
########################################
#
@@ -28,7 +28,8 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;
read_files_pattern(clockspeed_cli_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
-corenet_non_ipsec_sendrecv(clockspeed_cli_t)
+corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+corenet_all_recvfrom_netlabel(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
@@ -55,7 +56,8 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
manage_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
manage_fifo_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
-corenet_non_ipsec_sendrecv(clockspeed_srv_t)
+corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+corenet_all_recvfrom_netlabel(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
diff --git a/policy/modules/services/comsat.te b/policy/modules/services/comsat.te
index 97c376b..95f03af 100644
--- a/policy/modules/services/comsat.te
+++ b/policy/modules/services/comsat.te
@@ -1,5 +1,5 @@
-policy_module(comsat,1.2.0)
+policy_module(comsat,1.2.1)
########################################
#
@@ -40,7 +40,8 @@ kernel_read_kernel_sysctls(comsat_t)
kernel_read_network_state(comsat_t)
kernel_read_system_state(comsat_t)
-corenet_non_ipsec_sendrecv(comsat_t)
+corenet_all_recvfrom_unlabeled(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
corenet_tcp_sendrecv_all_if(comsat_t)
corenet_udp_sendrecv_all_if(comsat_t)
corenet_tcp_sendrecv_all_nodes(comsat_t)
diff --git a/policy/modules/services/courier.if b/policy/modules/services/courier.if
index 84f3402..ee4a98e 100644
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@@ -48,7 +48,8 @@ template(`courier_domain_template',`
corecmd_exec_bin(courier_$1_t)
- corenet_non_ipsec_sendrecv(courier_$1_t)
+ corenet_all_recvfrom_unlabeled(courier_$1_t)
+ corenet_all_recvfrom_netlabel(courier_$1_t)
corenet_tcp_sendrecv_generic_if(courier_$1_t)
corenet_udp_sendrecv_generic_if(courier_$1_t)
corenet_tcp_sendrecv_all_nodes(courier_$1_t)
diff --git a/policy/modules/services/courier.te b/policy/modules/services/courier.te
index 7f1cdf1..1cc680d 100644
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@@ -1,5 +1,5 @@
-policy_module(courier,1.2.0)
+policy_module(courier,1.2.1)
########################################
#
diff --git a/policy/modules/services/cron.if b/policy/modules/services/cron.if
index b7fab36..765ffe6 100644
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@@ -94,7 +94,8 @@ template(`cron_per_role_template',`
# ps does not need to access /boot when run from cron
files_dontaudit_search_boot($1_crond_t)
- corenet_non_ipsec_sendrecv($1_crond_t)
+ corenet_all_recvfrom_unlabeled($1_crond_t)
+ corenet_all_recvfrom_netlabel($1_crond_t)
corenet_tcp_sendrecv_all_if($1_crond_t)
corenet_udp_sendrecv_all_if($1_crond_t)
corenet_tcp_sendrecv_all_nodes($1_crond_t)
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 74293df..2946f89 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -1,5 +1,5 @@
-policy_module(cron,1.6.1)
+policy_module(cron,1.6.2)
gen_require(`
class passwd rootok;
@@ -327,7 +327,8 @@ ifdef(`targeted_policy',`
corecmd_exec_all_executables(system_crond_t)
- corenet_non_ipsec_sendrecv(system_crond_t)
+ corenet_all_recvfrom_unlabeled(system_crond_t)
+ corenet_all_recvfrom_netlabel(system_crond_t)
corenet_tcp_sendrecv_all_if(system_crond_t)
corenet_udp_sendrecv_all_if(system_crond_t)
corenet_tcp_sendrecv_all_nodes(system_crond_t)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 30072d8..91f588f 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -1,5 +1,5 @@
-policy_module(cups,1.6.1)
+policy_module(cups,1.6.2)
########################################
#
@@ -133,7 +133,8 @@ kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
-corenet_non_ipsec_sendrecv(cupsd_t)
+corenet_all_recvfrom_unlabeled(cupsd_t)
+corenet_all_recvfrom_netlabel(cupsd_t)
corenet_tcp_sendrecv_all_if(cupsd_t)
corenet_udp_sendrecv_all_if(cupsd_t)
corenet_raw_sendrecv_all_if(cupsd_t)
@@ -340,7 +341,8 @@ files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
kernel_read_system_state(cupsd_config_t)
kernel_read_kernel_sysctls(cupsd_config_t)
-corenet_non_ipsec_sendrecv(cupsd_config_t)
+corenet_all_recvfrom_unlabeled(cupsd_config_t)
+corenet_all_recvfrom_netlabel(cupsd_config_t)
corenet_tcp_sendrecv_all_if(cupsd_config_t)
corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
corenet_tcp_sendrecv_all_ports(cupsd_config_t)
@@ -491,7 +493,8 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
kernel_read_network_state(cupsd_lpd_t)
-corenet_non_ipsec_sendrecv(cupsd_lpd_t)
+corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+corenet_all_recvfrom_netlabel(cupsd_lpd_t)
corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
corenet_udp_sendrecv_all_if(cupsd_lpd_t)
corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
@@ -564,7 +567,8 @@ files_pid_filetrans(hplip_t,hplip_var_run_t,file)
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
-corenet_non_ipsec_sendrecv(hplip_t)
+corenet_all_recvfrom_unlabeled(hplip_t)
+corenet_all_recvfrom_netlabel(hplip_t)
corenet_tcp_sendrecv_all_if(hplip_t)
corenet_udp_sendrecv_all_if(hplip_t)
corenet_raw_sendrecv_all_if(hplip_t)
@@ -661,7 +665,8 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
-corenet_non_ipsec_sendrecv(ptal_t)
+corenet_all_recvfrom_unlabeled(ptal_t)
+corenet_all_recvfrom_netlabel(ptal_t)
corenet_tcp_sendrecv_all_if(ptal_t)
corenet_tcp_sendrecv_all_nodes(ptal_t)
corenet_tcp_sendrecv_all_ports(ptal_t)
diff --git a/policy/modules/services/cvs.te b/policy/modules/services/cvs.te
index 3746a41..d8ca01f 100644
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@@ -1,5 +1,5 @@
-policy_module(cvs,1.4.0)
+policy_module(cvs,1.4.1)
########################################
#
@@ -54,7 +54,8 @@ kernel_read_kernel_sysctls(cvs_t)
kernel_read_system_state(cvs_t)
kernel_read_network_state(cvs_t)
-corenet_non_ipsec_sendrecv(cvs_t)
+corenet_all_recvfrom_unlabeled(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
corenet_tcp_sendrecv_all_if(cvs_t)
corenet_udp_sendrecv_all_if(cvs_t)
corenet_tcp_sendrecv_all_nodes(cvs_t)
diff --git a/policy/modules/services/cyrus.te b/policy/modules/services/cyrus.te
index a391144..2530b76 100644
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@@ -1,5 +1,5 @@
-policy_module(cyrus,1.3.1)
+policy_module(cyrus,1.3.2)
########################################
#
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)
-corenet_non_ipsec_sendrecv(cyrus_t)
+corenet_all_recvfrom_unlabeled(cyrus_t)
+corenet_all_recvfrom_netlabel(cyrus_t)
corenet_tcp_sendrecv_all_if(cyrus_t)
corenet_udp_sendrecv_all_if(cyrus_t)
corenet_tcp_sendrecv_all_nodes(cyrus_t)
diff --git a/policy/modules/services/dante.te b/policy/modules/services/dante.te
index 9a5cdd8..fe024ed 100644
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@@ -1,5 +1,5 @@
-policy_module(dante,1.2.0)
+policy_module(dante,1.2.1)
########################################
#
@@ -38,7 +38,8 @@ kernel_read_kernel_sysctls(dante_t)
kernel_list_proc(dante_t)
kernel_read_proc_symlinks(dante_t)
-corenet_non_ipsec_sendrecv(dante_t)
+corenet_all_recvfrom_unlabeled(dante_t)
+corenet_all_recvfrom_netlabel(dante_t)
corenet_tcp_sendrecv_generic_if(dante_t)
corenet_udp_sendrecv_generic_if(dante_t)
corenet_tcp_sendrecv_all_nodes(dante_t)
diff --git a/policy/modules/services/dbskk.te b/policy/modules/services/dbskk.te
index 27b5d93..a809592 100644
--- a/policy/modules/services/dbskk.te
+++ b/policy/modules/services/dbskk.te
@@ -1,5 +1,5 @@
-policy_module(dbskk,1.2.0)
+policy_module(dbskk,1.2.1)
########################################
#
@@ -48,7 +48,8 @@ kernel_read_kernel_sysctls(dbskkd_t)
kernel_read_system_state(dbskkd_t)
kernel_read_network_state(dbskkd_t)
-corenet_non_ipsec_sendrecv(dbskkd_t)
+corenet_all_recvfrom_unlabeled(dbskkd_t)
+corenet_all_recvfrom_netlabel(dbskkd_t)
corenet_tcp_sendrecv_all_if(dbskkd_t)
corenet_udp_sendrecv_all_if(dbskkd_t)
corenet_tcp_sendrecv_all_nodes(dbskkd_t)
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index 12fdb09..a0a64a7 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -107,7 +107,8 @@ template(`dbus_per_role_template',`
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
- corenet_non_ipsec_sendrecv($1_dbusd_t)
+ corenet_all_recvfrom_unlabeled($1_dbusd_t)
+ corenet_all_recvfrom_netlabel($1_dbusd_t)
corenet_tcp_sendrecv_all_if($1_dbusd_t)
corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
corenet_tcp_sendrecv_all_ports($1_dbusd_t)
@@ -269,7 +270,6 @@ template(`dbus_send_user_bus',`
allow $2 $1_dbusd_t:dbus send_msg;
')
-
########################################
## <summary>
## Read dbus configuration.
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4273b44..0b86e78 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -1,5 +1,5 @@
-policy_module(dbus,1.5.1)
+policy_module(dbus,1.5.2)
gen_require(`
class dbus { send_msg acquire_svc };
diff --git a/policy/modules/services/dcc.te b/policy/modules/services/dcc.te
index 4dceb2b..076534e 100644
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@@ -1,5 +1,5 @@
-policy_module(dcc,1.2.0)
+policy_module(dcc,1.2.1)
########################################
#
@@ -99,7 +99,8 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
-corenet_non_ipsec_sendrecv(cdcc_t)
+corenet_all_recvfrom_unlabeled(cdcc_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
corenet_udp_sendrecv_generic_if(cdcc_t)
corenet_udp_sendrecv_all_nodes(cdcc_t)
corenet_udp_sendrecv_all_ports(cdcc_t)
@@ -141,7 +142,8 @@ allow dcc_client_t dcc_var_t:dir list_dir_perms;
read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
-corenet_non_ipsec_sendrecv(dcc_client_t)
+corenet_all_recvfrom_unlabeled(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_all_nodes(dcc_client_t)
corenet_udp_sendrecv_all_ports(dcc_client_t)
@@ -183,7 +185,8 @@ manage_lnk_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)
kernel_read_system_state(dcc_dbclean_t)
-corenet_non_ipsec_sendrecv(dcc_dbclean_t)
+corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
@@ -243,7 +246,8 @@ files_pid_filetrans(dccd_t,dccd_var_run_t,file)
kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)
-corenet_non_ipsec_sendrecv(dccd_t)
+corenet_all_recvfrom_unlabeled(dccd_t)
+corenet_all_recvfrom_netlabel(dccd_t)
corenet_udp_sendrecv_generic_if(dccd_t)
corenet_udp_sendrecv_all_nodes(dccd_t)
corenet_udp_sendrecv_all_ports(dccd_t)
@@ -324,7 +328,8 @@ files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)
kernel_read_system_state(dccifd_t)
kernel_read_kernel_sysctls(dccifd_t)
-corenet_non_ipsec_sendrecv(dccifd_t)
+corenet_all_recvfrom_unlabeled(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
corenet_udp_sendrecv_generic_if(dccifd_t)
corenet_udp_sendrecv_all_nodes(dccifd_t)
corenet_udp_sendrecv_all_ports(dccifd_t)
@@ -401,7 +406,8 @@ files_pid_filetrans(dccm_t,dccm_var_run_t,file)
kernel_read_system_state(dccm_t)
kernel_read_kernel_sysctls(dccm_t)
-corenet_non_ipsec_sendrecv(dccm_t)
+corenet_all_recvfrom_unlabeled(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
corenet_udp_sendrecv_generic_if(dccm_t)
corenet_udp_sendrecv_all_nodes(dccm_t)
corenet_udp_sendrecv_all_ports(dccm_t)
diff --git a/policy/modules/services/ddclient.te b/policy/modules/services/ddclient.te
index 32606ae..cda24bb 100644
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@@ -1,5 +1,5 @@
-policy_module(ddclient,1.2.0)
+policy_module(ddclient,1.2.1)
########################################
#
@@ -64,7 +64,8 @@ kernel_read_kernel_sysctls(ddclient_t)
corecmd_exec_shell(ddclient_t)
corecmd_exec_bin(ddclient_t)
-corenet_non_ipsec_sendrecv(ddclient_t)
+corenet_all_recvfrom_unlabeled(ddclient_t)
+corenet_all_recvfrom_netlabel(ddclient_t)
corenet_tcp_sendrecv_generic_if(ddclient_t)
corenet_udp_sendrecv_generic_if(ddclient_t)
corenet_tcp_sendrecv_all_nodes(ddclient_t)
diff --git a/policy/modules/services/dhcp.te b/policy/modules/services/dhcp.te
index cfa0300..cf534db 100644
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@@ -1,5 +1,5 @@
-policy_module(dhcp,1.3.0)
+policy_module(dhcp,1.3.1)
########################################
#
@@ -52,7 +52,8 @@ files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
-corenet_non_ipsec_sendrecv(dhcpd_t)
+corenet_all_recvfrom_unlabeled(dhcpd_t)
+corenet_all_recvfrom_netlabel(dhcpd_t)
corenet_tcp_sendrecv_all_if(dhcpd_t)
corenet_udp_sendrecv_all_if(dhcpd_t)
corenet_raw_sendrecv_all_if(dhcpd_t)
diff --git a/policy/modules/services/dictd.te b/policy/modules/services/dictd.te
index ed1722d..5657ccf 100644
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@@ -1,5 +1,5 @@
-policy_module(dictd,1.3.0)
+policy_module(dictd,1.3.1)
########################################
#
@@ -37,7 +37,8 @@ allow dictd_t dictd_var_lib_t:file read_file_perms;
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
-corenet_non_ipsec_sendrecv(dictd_t)
+corenet_all_recvfrom_unlabeled(dictd_t)
+corenet_all_recvfrom_netlabel(dictd_t)
corenet_tcp_sendrecv_all_if(dictd_t)
corenet_raw_sendrecv_all_if(dictd_t)
corenet_udp_sendrecv_all_if(dictd_t)
diff --git a/policy/modules/services/distcc.te b/policy/modules/services/distcc.te
index d7a01c6..d2d422f 100644
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@@ -1,5 +1,5 @@
-policy_module(distcc,1.3.1)
+policy_module(distcc,1.3.2)
########################################
#
@@ -45,7 +45,8 @@ files_pid_filetrans(distccd_t,distccd_var_run_t,file)
kernel_read_system_state(distccd_t)
kernel_read_kernel_sysctls(distccd_t)
-corenet_non_ipsec_sendrecv(distccd_t)
+corenet_all_recvfrom_unlabeled(distccd_t)
+corenet_all_recvfrom_netlabel(distccd_t)
corenet_tcp_sendrecv_all_if(distccd_t)
corenet_udp_sendrecv_all_if(distccd_t)
corenet_tcp_sendrecv_all_nodes(distccd_t)
diff --git a/policy/modules/services/djbdns.if b/policy/modules/services/djbdns.if
index ff1d505..7dd7b83 100644
--- a/policy/modules/services/djbdns.if
+++ b/policy/modules/services/djbdns.if
@@ -32,7 +32,8 @@ template(`djbdns_daemontools_domain_template',`
allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
- corenet_non_ipsec_sendrecv(djbdns_$1_t)
+ corenet_all_recvfrom_unlabeled(djbdns_$1_t)
+ corenet_all_recvfrom_netlabel(djbdns_$1_t)
corenet_tcp_sendrecv_all_if(djbdns_$1_t)
corenet_udp_sendrecv_all_if(djbdns_$1_t)
corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
diff --git a/policy/modules/services/djbdns.te b/policy/modules/services/djbdns.te
index c58a3a4..c4ccf7b 100644
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@@ -1,5 +1,5 @@
-policy_module(djbdns,1.1.0)
+policy_module(djbdns,1.1.1)
########################################
#
diff --git a/policy/modules/services/dnsmasq.te b/policy/modules/services/dnsmasq.te
index 244384c..8abcd7d 100644
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@@ -1,5 +1,5 @@
-policy_module(dnsmasq,1.3.0)
+policy_module(dnsmasq,1.3.1)
########################################
#
@@ -42,7 +42,8 @@ kernel_read_kernel_sysctls(dnsmasq_t)
kernel_list_proc(dnsmasq_t)
kernel_read_proc_symlinks(dnsmasq_t)
-corenet_non_ipsec_sendrecv(dnsmasq_t)
+corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corenet_all_recvfrom_netlabel(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
corenet_raw_sendrecv_generic_if(dnsmasq_t)
diff --git a/policy/modules/services/dovecot.te b/policy/modules/services/dovecot.te
index c81a948..2357a03 100644
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@@ -1,5 +1,5 @@
-policy_module(dovecot,1.5.1)
+policy_module(dovecot,1.5.2)
########################################
#
@@ -70,7 +70,8 @@ files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
-corenet_non_ipsec_sendrecv(dovecot_t)
+corenet_all_recvfrom_unlabeled(dovecot_t)
+corenet_all_recvfrom_netlabel(dovecot_t)
corenet_tcp_sendrecv_all_if(dovecot_t)
corenet_tcp_sendrecv_all_nodes(dovecot_t)
corenet_tcp_sendrecv_all_ports(dovecot_t)
diff --git a/policy/modules/services/fetchmail.te b/policy/modules/services/fetchmail.te
index 02845bf..49985a8 100644
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@@ -1,5 +1,5 @@
-policy_module(fetchmail,1.3.0)
+policy_module(fetchmail,1.3.1)
########################################
#
@@ -46,7 +46,8 @@ kernel_getattr_proc_files(fetchmail_t)
kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
-corenet_non_ipsec_sendrecv(fetchmail_t)
+corenet_all_recvfrom_unlabeled(fetchmail_t)
+corenet_all_recvfrom_netlabel(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_udp_sendrecv_generic_if(fetchmail_t)
corenet_tcp_sendrecv_all_nodes(fetchmail_t)
diff --git a/policy/modules/services/finger.te b/policy/modules/services/finger.te
index a344d30..baa1cd1 100644
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@@ -1,5 +1,5 @@
-policy_module(finger,1.3.0)
+policy_module(finger,1.3.1)
########################################
#
@@ -47,7 +47,8 @@ logging_log_filetrans(fingerd_t,fingerd_log_t,file)
kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t)
-corenet_non_ipsec_sendrecv(fingerd_t)
+corenet_all_recvfrom_unlabeled(fingerd_t)
+corenet_all_recvfrom_netlabel(fingerd_t)
corenet_tcp_sendrecv_all_if(fingerd_t)
corenet_udp_sendrecv_all_if(fingerd_t)
corenet_tcp_sendrecv_all_nodes(fingerd_t)
diff --git a/policy/modules/services/ftp.te b/policy/modules/services/ftp.te
index 009b241..74da2aa 100644
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@@ -1,5 +1,5 @@
-policy_module(ftp,1.5.0)
+policy_module(ftp,1.5.1)
########################################
#
@@ -128,7 +128,8 @@ dev_read_urand(ftpd_t)
corecmd_exec_bin(ftpd_t)
-corenet_non_ipsec_sendrecv(ftpd_t)
+corenet_all_recvfrom_unlabeled(ftpd_t)
+corenet_all_recvfrom_netlabel(ftpd_t)
corenet_tcp_sendrecv_all_if(ftpd_t)
corenet_udp_sendrecv_all_if(ftpd_t)
corenet_tcp_sendrecv_all_nodes(ftpd_t)
diff --git a/policy/modules/services/gatekeeper.te b/policy/modules/services/gatekeeper.te
index d5d3a0d..3dcaf5c 100644
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@@ -1,5 +1,5 @@
-policy_module(gatekeeper,1.2.0)
+policy_module(gatekeeper,1.2.1)
########################################
#
@@ -53,7 +53,8 @@ kernel_read_kernel_sysctls(gatekeeper_t)
corecmd_list_bin(gatekeeper_t)
-corenet_non_ipsec_sendrecv(gatekeeper_t)
+corenet_all_recvfrom_unlabeled(gatekeeper_t)
+corenet_all_recvfrom_netlabel(gatekeeper_t)
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
corenet_udp_sendrecv_generic_if(gatekeeper_t)
corenet_tcp_sendrecv_all_nodes(gatekeeper_t)
diff --git a/policy/modules/services/hal.te b/policy/modules/services/hal.te
index 6dcf4a5..8d80a9a 100644
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@@ -1,5 +1,5 @@
-policy_module(hal,1.6.2)
+policy_module(hal,1.6.3)
########################################
#
@@ -91,7 +91,8 @@ auth_read_pam_console_data(hald_t)
corecmd_exec_all_executables(hald_t)
-corenet_non_ipsec_sendrecv(hald_t)
+corenet_all_recvfrom_unlabeled(hald_t)
+corenet_all_recvfrom_netlabel(hald_t)
corenet_tcp_sendrecv_all_if(hald_t)
corenet_udp_sendrecv_all_if(hald_t)
corenet_tcp_sendrecv_all_nodes(hald_t)
diff --git a/policy/modules/services/howl.te b/policy/modules/services/howl.te
index 33247fd..1e2f857 100644
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@@ -1,5 +1,5 @@
-policy_module(howl,1.3.0)
+policy_module(howl,1.3.1)
########################################
#
@@ -34,7 +34,8 @@ kernel_load_module(howl_t)
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
-corenet_non_ipsec_sendrecv(howl_t)
+corenet_all_recvfrom_unlabeled(howl_t)
+corenet_all_recvfrom_netlabel(howl_t)
corenet_tcp_sendrecv_all_if(howl_t)
corenet_udp_sendrecv_all_if(howl_t)
corenet_tcp_sendrecv_all_nodes(howl_t)
diff --git a/policy/modules/services/i18n_input.te b/policy/modules/services/i18n_input.te
index e45dba2..3ef9143 100644
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@@ -1,5 +1,5 @@
-policy_module(i18n_input,1.3.0)
+policy_module(i18n_input,1.3.1)
########################################
#
@@ -37,7 +37,8 @@ can_exec(i18n_input_t, i18n_input_exec_t)
kernel_read_kernel_sysctls(i18n_input_t)
kernel_read_system_state(i18n_input_t)
-corenet_non_ipsec_sendrecv(i18n_input_t)
+corenet_all_recvfrom_unlabeled(i18n_input_t)
+corenet_all_recvfrom_netlabel(i18n_input_t)
corenet_tcp_sendrecv_generic_if(i18n_input_t)
corenet_udp_sendrecv_generic_if(i18n_input_t)
corenet_tcp_sendrecv_all_nodes(i18n_input_t)
diff --git a/policy/modules/services/imaze.te b/policy/modules/services/imaze.te
index 41614dc..3b90bd1 100644
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@@ -1,5 +1,5 @@
-policy_module(imaze,1.2.0)
+policy_module(imaze,1.2.1)
########################################
#
@@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(imazesrv_t)
kernel_list_proc(imazesrv_t)
kernel_read_proc_symlinks(imazesrv_t)
-corenet_non_ipsec_sendrecv(imazesrv_t)
+corenet_all_recvfrom_unlabeled(imazesrv_t)
+corenet_all_recvfrom_netlabel(imazesrv_t)
corenet_tcp_sendrecv_generic_if(imazesrv_t)
corenet_udp_sendrecv_generic_if(imazesrv_t)
corenet_tcp_sendrecv_all_nodes(imazesrv_t)
diff --git a/policy/modules/services/inetd.te b/policy/modules/services/inetd.te
index 8430861..939addd 100644
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@@ -1,5 +1,5 @@
-policy_module(inetd,1.3.0)
+policy_module(inetd,1.3.1)
########################################
#
@@ -60,7 +60,8 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
# base networking:
-corenet_non_ipsec_sendrecv(inetd_t)
+corenet_all_recvfrom_unlabeled(inetd_t)
+corenet_all_recvfrom_netlabel(inetd_t)
corenet_tcp_sendrecv_all_if(inetd_t)
corenet_udp_sendrecv_all_if(inetd_t)
corenet_tcp_sendrecv_all_nodes(inetd_t)
@@ -81,7 +82,6 @@ corenet_tcp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_dbskkd_port(inetd_t)
corenet_udp_bind_ftp_port(inetd_t)
corenet_tcp_bind_inetd_child_port(inetd_t)
-corenet_tcp_bind_inetd_child_port(inetd_t)
corenet_udp_bind_ktalkd_port(inetd_t)
corenet_tcp_bind_printer_port(inetd_t)
corenet_udp_bind_rsh_port(inetd_t)
@@ -143,11 +143,6 @@ sysnet_read_config(inetd_t)
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
-ifdef(`enable_mls',`
- corenet_tcp_recv_netlabel(inetd_t)
- corenet_udp_recv_netlabel(inetd_t)
-')
-
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(inetd_t)
term_dontaudit_use_generic_ptys(inetd_t)
@@ -200,7 +195,8 @@ kernel_read_kernel_sysctls(inetd_child_t)
kernel_read_system_state(inetd_child_t)
kernel_read_network_state(inetd_child_t)
-corenet_non_ipsec_sendrecv(inetd_child_t)
+corenet_all_recvfrom_unlabeled(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
corenet_tcp_sendrecv_all_if(inetd_child_t)
corenet_udp_sendrecv_all_if(inetd_child_t)
corenet_tcp_sendrecv_all_nodes(inetd_child_t)
diff --git a/policy/modules/services/inn.te b/policy/modules/services/inn.te
index 3745d9a..7d6a100 100644
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@@ -1,5 +1,5 @@
-policy_module(inn,1.3.0)
+policy_module(inn,1.3.1)
########################################
#
@@ -63,7 +63,8 @@ manage_lnk_files_pattern(innd_t,news_spool_t,news_spool_t)
kernel_read_kernel_sysctls(innd_t)
kernel_read_system_state(innd_t)
-corenet_non_ipsec_sendrecv(innd_t)
+corenet_all_recvfrom_unlabeled(innd_t)
+corenet_all_recvfrom_netlabel(innd_t)
corenet_tcp_sendrecv_all_if(innd_t)
corenet_udp_sendrecv_all_if(innd_t)
corenet_tcp_sendrecv_all_nodes(innd_t)
diff --git a/policy/modules/services/ircd.te b/policy/modules/services/ircd.te
index 32d1c2d..ebdaaad 100644
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@@ -1,5 +1,5 @@
-policy_module(ircd,1.2.0)
+policy_module(ircd,1.2.1)
########################################
#
@@ -50,7 +50,8 @@ kernel_read_kernel_sysctls(ircd_t)
corecmd_search_bin(ircd_t)
-corenet_non_ipsec_sendrecv(ircd_t)
+corenet_all_recvfrom_unlabeled(ircd_t)
+corenet_all_recvfrom_netlabel(ircd_t)
corenet_tcp_sendrecv_generic_if(ircd_t)
corenet_udp_sendrecv_generic_if(ircd_t)
corenet_tcp_sendrecv_all_nodes(ircd_t)
diff --git a/policy/modules/services/jabber.te b/policy/modules/services/jabber.te
index dd92c08..d004ebb 100644
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@@ -1,5 +1,5 @@
-policy_module(jabber,1.2.0)
+policy_module(jabber,1.2.1)
########################################
#
@@ -44,7 +44,8 @@ kernel_read_kernel_sysctls(jabberd_t)
kernel_list_proc(jabberd_t)
kernel_read_proc_symlinks(jabberd_t)
-corenet_non_ipsec_sendrecv(jabberd_t)
+corenet_all_recvfrom_unlabeled(jabberd_t)
+corenet_all_recvfrom_netlabel(jabberd_t)
corenet_tcp_sendrecv_generic_if(jabberd_t)
corenet_udp_sendrecv_generic_if(jabberd_t)
corenet_tcp_sendrecv_all_nodes(jabberd_t)
diff --git a/policy/modules/services/kerberos.if b/policy/modules/services/kerberos.if
index 8c3fe02..4d0fce5 100644
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@@ -47,7 +47,8 @@ interface(`kerberos_use',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
diff --git a/policy/modules/services/kerberos.te b/policy/modules/services/kerberos.te
index 784130d..85932e6 100644
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@@ -1,5 +1,5 @@
-policy_module(kerberos,1.4.0)
+policy_module(kerberos,1.4.1)
########################################
#
@@ -92,7 +92,8 @@ kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
-corenet_non_ipsec_sendrecv(kadmind_t)
+corenet_all_recvfrom_unlabeled(kadmind_t)
+corenet_all_recvfrom_netlabel(kadmind_t)
corenet_tcp_sendrecv_all_if(kadmind_t)
corenet_udp_sendrecv_all_if(kadmind_t)
corenet_tcp_sendrecv_all_nodes(kadmind_t)
@@ -192,7 +193,8 @@ kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
-corenet_non_ipsec_sendrecv(krb5kdc_t)
+corenet_all_recvfrom_unlabeled(krb5kdc_t)
+corenet_all_recvfrom_netlabel(krb5kdc_t)
corenet_tcp_sendrecv_all_if(krb5kdc_t)
corenet_udp_sendrecv_all_if(krb5kdc_t)
corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
diff --git a/policy/modules/services/ktalk.te b/policy/modules/services/ktalk.te
index b166af0..f04a84a 100644
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@@ -1,5 +1,5 @@
-policy_module(ktalk,1.4.0)
+policy_module(ktalk,1.4.1)
########################################
#
@@ -53,7 +53,8 @@ kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
kernel_read_network_state(ktalkd_t)
-corenet_non_ipsec_sendrecv(ktalkd_t)
+corenet_all_recvfrom_unlabeled(ktalkd_t)
+corenet_all_recvfrom_netlabel(ktalkd_t)
corenet_tcp_sendrecv_all_if(ktalkd_t)
corenet_udp_sendrecv_all_if(ktalkd_t)
corenet_tcp_sendrecv_all_nodes(ktalkd_t)
diff --git a/policy/modules/services/ldap.te b/policy/modules/services/ldap.te
index abdc23d..f74f9cf 100644
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@@ -1,5 +1,5 @@
-policy_module(ldap,1.4.0)
+policy_module(ldap,1.4.1)
########################################
#
@@ -77,7 +77,8 @@ files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
-corenet_non_ipsec_sendrecv(slapd_t)
+corenet_all_recvfrom_unlabeled(slapd_t)
+corenet_all_recvfrom_netlabel(slapd_t)
corenet_tcp_sendrecv_all_if(slapd_t)
corenet_udp_sendrecv_all_if(slapd_t)
corenet_tcp_sendrecv_all_nodes(slapd_t)
diff --git a/policy/modules/services/lpd.if b/policy/modules/services/lpd.if
index ce2b1f6..0214664 100644
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@@ -104,7 +104,8 @@ template(`lpd_per_role_template',`
kernel_read_kernel_sysctls($1_lpr_t)
- corenet_non_ipsec_sendrecv($1_lpr_t)
+ corenet_all_recvfrom_unlabeled($1_lpr_t)
+ corenet_all_recvfrom_netlabel($1_lpr_t)
corenet_tcp_sendrecv_generic_if($1_lpr_t)
corenet_udp_sendrecv_generic_if($1_lpr_t)
corenet_tcp_sendrecv_all_nodes($1_lpr_t)
diff --git a/policy/modules/services/lpd.te b/policy/modules/services/lpd.te
index 1235113..cde9f2d 100644
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@@ -1,5 +1,5 @@
-policy_module(lpd,1.5.0)
+policy_module(lpd,1.5.1)
########################################
#
@@ -72,7 +72,8 @@ allow checkpc_t printconf_t:dir { getattr search read };
kernel_read_system_state(checkpc_t)
-corenet_non_ipsec_sendrecv(checkpc_t)
+corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_all_recvfrom_netlabel(checkpc_t)
corenet_tcp_sendrecv_all_if(checkpc_t)
corenet_udp_sendrecv_all_if(checkpc_t)
corenet_tcp_sendrecv_all_nodes(checkpc_t)
@@ -157,7 +158,8 @@ kernel_read_kernel_sysctls(lpd_t)
# bash wants access to /proc/meminfo
kernel_read_system_state(lpd_t)
-corenet_non_ipsec_sendrecv(lpd_t)
+corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_all_recvfrom_netlabel(lpd_t)
corenet_tcp_sendrecv_all_if(lpd_t)
corenet_udp_sendrecv_all_if(lpd_t)
corenet_tcp_sendrecv_all_nodes(lpd_t)
diff --git a/policy/modules/services/mailman.if b/policy/modules/services/mailman.if
index eb26d54..d61cf18 100644
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@@ -48,7 +48,8 @@ template(`mailman_domain_template', `
kernel_read_kernel_sysctls(mailman_$1_t)
kernel_read_system_state(mailman_$1_t)
- corenet_non_ipsec_sendrecv(mailman_$1_t)
+ corenet_all_recvfrom_unlabeled(mailman_$1_t)
+ corenet_all_recvfrom_netlabel(mailman_$1_t)
corenet_tcp_sendrecv_all_if(mailman_$1_t)
corenet_udp_sendrecv_all_if(mailman_$1_t)
corenet_raw_sendrecv_all_if(mailman_$1_t)
diff --git a/policy/modules/services/mailman.te b/policy/modules/services/mailman.te
index 7a8dfaa..3636b04 100644
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@@ -1,5 +1,5 @@
-policy_module(mailman,1.2.1)
+policy_module(mailman,1.2.2)
########################################
#
diff --git a/policy/modules/services/monop.te b/policy/modules/services/monop.te
index 55c6488..ca7a815 100644
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@@ -1,5 +1,5 @@
-policy_module(monop,1.2.0)
+policy_module(monop,1.2.1)
########################################
#
@@ -43,7 +43,8 @@ kernel_read_kernel_sysctls(monopd_t)
kernel_list_proc(monopd_t)
kernel_read_proc_symlinks(monopd_t)
-corenet_non_ipsec_sendrecv(monopd_t)
+corenet_all_recvfrom_unlabeled(monopd_t)
+corenet_all_recvfrom_netlabel(monopd_t)
corenet_tcp_sendrecv_generic_if(monopd_t)
corenet_udp_sendrecv_generic_if(monopd_t)
corenet_tcp_sendrecv_all_nodes(monopd_t)
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 5fc01ef..dd5d77d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -72,7 +72,8 @@ template(`mta_base_mail_template',`
kernel_read_kernel_sysctls($1_mail_t)
- corenet_non_ipsec_sendrecv($1_mail_t)
+ corenet_all_recvfrom_unlabeled($1_mail_t)
+ corenet_all_recvfrom_netlabel($1_mail_t)
corenet_tcp_sendrecv_all_if($1_mail_t)
corenet_tcp_sendrecv_all_nodes($1_mail_t)
corenet_tcp_sendrecv_all_ports($1_mail_t)
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 23254a3..6069222 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
-policy_module(mta,1.6.1)
+policy_module(mta,1.6.2)
########################################
#
diff --git a/policy/modules/services/munin.te b/policy/modules/services/munin.te
index 24a8887..c9e42c8 100644
--- a/policy/modules/services/munin.te
+++ b/policy/modules/services/munin.te
@@ -1,5 +1,5 @@
-policy_module(munin,1.2.1)
+policy_module(munin,1.2.2)
########################################
#
@@ -65,7 +65,8 @@ kernel_read_kernel_sysctls(munin_t)
corecmd_exec_bin(munin_t)
-corenet_non_ipsec_sendrecv(munin_t)
+corenet_all_recvfrom_unlabeled(munin_t)
+corenet_all_recvfrom_netlabel(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_udp_sendrecv_generic_if(munin_t)
corenet_tcp_sendrecv_all_nodes(munin_t)
diff --git a/policy/modules/services/mysql.te b/policy/modules/services/mysql.te
index df689ee..9e8b8e6 100644
--- a/policy/modules/services/mysql.te
+++ b/policy/modules/services/mysql.te
@@ -1,5 +1,5 @@
-policy_module(mysql,1.4.0)
+policy_module(mysql,1.4.1)
########################################
#
@@ -61,7 +61,8 @@ files_pid_filetrans(mysqld_t,mysqld_var_run_t,file)
kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
-corenet_non_ipsec_sendrecv(mysqld_t)
+corenet_all_recvfrom_unlabeled(mysqld_t)
+corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_all_if(mysqld_t)
corenet_udp_sendrecv_all_if(mysqld_t)
corenet_tcp_sendrecv_all_nodes(mysqld_t)
diff --git a/policy/modules/services/nagios.te b/policy/modules/services/nagios.te
index cb5bf91..6992bcb 100644
--- a/policy/modules/services/nagios.te
+++ b/policy/modules/services/nagios.te
@@ -1,5 +1,5 @@
-policy_module(nagios,1.2.1)
+policy_module(nagios,1.2.2)
########################################
#
@@ -66,7 +66,8 @@ kernel_read_kernel_sysctls(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
-corenet_non_ipsec_sendrecv(nagios_t)
+corenet_all_recvfrom_unlabeled(nagios_t)
+corenet_all_recvfrom_netlabel(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_udp_sendrecv_generic_if(nagios_t)
corenet_tcp_sendrecv_all_nodes(nagios_t)
diff --git a/policy/modules/services/nessus.te b/policy/modules/services/nessus.te
index cd630c1..51150a4 100644
--- a/policy/modules/services/nessus.te
+++ b/policy/modules/services/nessus.te
@@ -1,5 +1,5 @@
-policy_module(nessus,1.2.0)
+policy_module(nessus,1.2.1)
########################################
#
@@ -57,7 +57,8 @@ kernel_read_kernel_sysctls(nessusd_t)
# for nmap etc
corecmd_exec_bin(nessusd_t)
-corenet_non_ipsec_sendrecv(nessusd_t)
+corenet_all_recvfrom_unlabeled(nessusd_t)
+corenet_all_recvfrom_netlabel(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
corenet_raw_sendrecv_generic_if(nessusd_t)
diff --git a/policy/modules/services/networkmanager.te b/policy/modules/services/networkmanager.te
index 2bf2cfb..56c6967 100644
--- a/policy/modules/services/networkmanager.te
+++ b/policy/modules/services/networkmanager.te
@@ -1,5 +1,5 @@
-policy_module(networkmanager,1.6.1)
+policy_module(networkmanager,1.6.2)
########################################
#
@@ -41,7 +41,8 @@ kernel_read_network_state(NetworkManager_t)
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
-corenet_non_ipsec_sendrecv(NetworkManager_t)
+corenet_all_recvfrom_unlabeled(NetworkManager_t)
+corenet_all_recvfrom_netlabel(NetworkManager_t)
corenet_tcp_sendrecv_all_if(NetworkManager_t)
corenet_udp_sendrecv_all_if(NetworkManager_t)
corenet_raw_sendrecv_all_if(NetworkManager_t)
diff --git a/policy/modules/services/nis.if b/policy/modules/services/nis.if
index 0c8612f..2132e42 100644
--- a/policy/modules/services/nis.if
+++ b/policy/modules/services/nis.if
@@ -37,7 +37,8 @@ interface(`nis_use_ypbind_uncond',`
allow $1 var_yp_t:lnk_file { getattr read };
allow $1 var_yp_t:file read_file_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
diff --git a/policy/modules/services/nis.te b/policy/modules/services/nis.te
index b4841a5..167d566 100644
--- a/policy/modules/services/nis.te
+++ b/policy/modules/services/nis.te
@@ -1,5 +1,5 @@
-policy_module(nis,1.4.0)
+policy_module(nis,1.4.1)
########################################
#
@@ -69,7 +69,8 @@ kernel_read_kernel_sysctls(ypbind_t)
kernel_list_proc(ypbind_t)
kernel_read_proc_symlinks(ypbind_t)
-corenet_non_ipsec_sendrecv(ypbind_t)
+corenet_all_recvfrom_unlabeled(ypbind_t)
+corenet_all_recvfrom_netlabel(ypbind_t)
corenet_tcp_sendrecv_all_if(ypbind_t)
corenet_udp_sendrecv_all_if(ypbind_t)
corenet_tcp_sendrecv_all_nodes(ypbind_t)
@@ -112,7 +113,6 @@ sysnet_read_config(ypbind_t)
userdom_dontaudit_use_unpriv_user_fds(ypbind_t)
userdom_dontaudit_search_sysadm_home_dirs(ypbind_t)
-
ifdef(`targeted_policy', `
term_dontaudit_use_unallocated_ttys(ypbind_t)
term_dontaudit_use_generic_ptys(ypbind_t)
@@ -152,7 +152,8 @@ kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
kernel_read_kernel_sysctls(yppasswdd_t)
-corenet_non_ipsec_sendrecv(yppasswdd_t)
+corenet_all_recvfrom_unlabeled(yppasswdd_t)
+corenet_all_recvfrom_netlabel(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
corenet_tcp_sendrecv_all_nodes(yppasswdd_t)
@@ -199,7 +200,6 @@ sysnet_read_config(yppasswdd_t)
userdom_dontaudit_use_unpriv_user_fds(yppasswdd_t)
userdom_dontaudit_search_sysadm_home_dirs(yppasswdd_t)
-
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(yppasswdd_t)
term_dontaudit_use_generic_ptys(yppasswdd_t)
@@ -247,7 +247,8 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
-corenet_non_ipsec_sendrecv(ypserv_t)
+corenet_all_recvfrom_unlabeled(ypserv_t)
+corenet_all_recvfrom_netlabel(ypserv_t)
corenet_tcp_sendrecv_all_if(ypserv_t)
corenet_udp_sendrecv_all_if(ypserv_t)
corenet_tcp_sendrecv_all_nodes(ypserv_t)
@@ -288,7 +289,6 @@ sysnet_read_config(ypserv_t)
userdom_dontaudit_use_unpriv_user_fds(ypserv_t)
userdom_dontaudit_search_sysadm_home_dirs(ypserv_t)
-
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(ypserv_t)
term_dontaudit_use_generic_ptys(ypserv_t)
@@ -321,7 +321,8 @@ allow ypxfr_t ypserv_t:udp_socket { read write };
allow ypxfr_t ypserv_conf_t:file { getattr read };
-corenet_non_ipsec_sendrecv(ypxfr_t)
+corenet_all_recvfrom_unlabeled(ypxfr_t)
+corenet_all_recvfrom_netlabel(ypxfr_t)
corenet_tcp_sendrecv_all_if(ypxfr_t)
corenet_udp_sendrecv_all_if(ypxfr_t)
corenet_tcp_sendrecv_all_nodes(ypxfr_t)
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 9a94409..a7c72ad 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.4.0)
+policy_module(nscd,1.4.1)
gen_require(`
class nscd all_nscd_perms;
@@ -65,7 +65,8 @@ fs_search_auto_mountpoints(nscd_t)
auth_getattr_shadow(nscd_t)
auth_use_nsswitch(nscd_t)
-corenet_non_ipsec_sendrecv(nscd_t)
+corenet_all_recvfrom_unlabeled(nscd_t)
+corenet_all_recvfrom_netlabel(nscd_t)
corenet_tcp_sendrecv_all_if(nscd_t)
corenet_udp_sendrecv_all_if(nscd_t)
corenet_tcp_sendrecv_all_nodes(nscd_t)
diff --git a/policy/modules/services/nsd.te b/policy/modules/services/nsd.te
index ad229e6..f94a0bd 100644
--- a/policy/modules/services/nsd.te
+++ b/policy/modules/services/nsd.te
@@ -1,5 +1,5 @@
-policy_module(nsd,1.2.0)
+policy_module(nsd,1.2.1)
########################################
#
@@ -62,7 +62,8 @@ kernel_read_kernel_sysctls(nsd_t)
corecmd_exec_bin(nsd_t)
-corenet_non_ipsec_sendrecv(nsd_t)
+corenet_all_recvfrom_unlabeled(nsd_t)
+corenet_all_recvfrom_netlabel(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
corenet_tcp_sendrecv_all_nodes(nsd_t)
@@ -148,7 +149,8 @@ kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
-corenet_non_ipsec_sendrecv(nsd_crond_t)
+corenet_all_recvfrom_unlabeled(nsd_crond_t)
+corenet_all_recvfrom_netlabel(nsd_crond_t)
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
corenet_udp_sendrecv_generic_if(nsd_crond_t)
corenet_tcp_sendrecv_all_nodes(nsd_crond_t)
diff --git a/policy/modules/services/ntop.te b/policy/modules/services/ntop.te
index cc75818..7d4a8bd 100644
--- a/policy/modules/services/ntop.te
+++ b/policy/modules/services/ntop.te
@@ -1,5 +1,5 @@
-policy_module(ntop,1.2.0)
+policy_module(ntop,1.2.1)
########################################
#
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(ntop_t)
kernel_list_proc(ntop_t)
kernel_read_proc_symlinks(ntop_t)
-corenet_non_ipsec_sendrecv(ntop_t)
+corenet_all_recvfrom_unlabeled(ntop_t)
+corenet_all_recvfrom_netlabel(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t)
corenet_udp_sendrecv_generic_if(ntop_t)
corenet_raw_sendrecv_generic_if(ntop_t)
diff --git a/policy/modules/services/ntp.te b/policy/modules/services/ntp.te
index 4a3f39f..a16e1b8 100644
--- a/policy/modules/services/ntp.te
+++ b/policy/modules/services/ntp.te
@@ -1,5 +1,5 @@
-policy_module(ntp,1.3.0)
+policy_module(ntp,1.3.1)
########################################
#
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(ntpd_t)
kernel_read_system_state(ntpd_t)
kernel_read_network_state(ntpd_t)
-corenet_non_ipsec_sendrecv(ntpd_t)
+corenet_all_recvfrom_unlabeled(ntpd_t)
+corenet_all_recvfrom_netlabel(ntpd_t)
corenet_tcp_sendrecv_all_if(ntpd_t)
corenet_udp_sendrecv_all_if(ntpd_t)
corenet_tcp_sendrecv_all_nodes(ntpd_t)
diff --git a/policy/modules/services/nx.te b/policy/modules/services/nx.te
index ff9b491..a758874 100644
--- a/policy/modules/services/nx.te
+++ b/policy/modules/services/nx.te
@@ -1,5 +1,5 @@
-policy_module(nx,1.1.0)
+policy_module(nx,1.1.1)
########################################
#
@@ -51,7 +51,8 @@ kernel_read_kernel_sysctls(nx_server_t)
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)
-corenet_non_ipsec_sendrecv(nx_server_t)
+corenet_all_recvfrom_unlabeled(nx_server_t)
+corenet_all_recvfrom_netlabel(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_udp_sendrecv_generic_if(nx_server_t)
corenet_tcp_sendrecv_all_nodes(nx_server_t)
diff --git a/policy/modules/services/oav.te b/policy/modules/services/oav.te
index 5b51b7c..83d2c4d 100644
--- a/policy/modules/services/oav.te
+++ b/policy/modules/services/oav.te
@@ -1,5 +1,5 @@
-policy_module(oav,1.2.0)
+policy_module(oav,1.2.1)
########################################
#
@@ -50,7 +50,8 @@ read_lnk_files_pattern(oav_update_t,oav_update_var_lib_t,oav_update_var_lib_t)
corecmd_exec_all_executables(oav_update_t)
-corenet_non_ipsec_sendrecv(oav_update_t)
+corenet_all_recvfrom_unlabeled(oav_update_t)
+corenet_all_recvfrom_netlabel(oav_update_t)
corenet_tcp_sendrecv_generic_if(oav_update_t)
corenet_udp_sendrecv_generic_if(oav_update_t)
corenet_tcp_sendrecv_all_nodes(oav_update_t)
@@ -104,7 +105,8 @@ kernel_read_kernel_sysctls(scannerdaemon_t)
# Can run kaffe
corecmd_exec_all_executables(scannerdaemon_t)
-corenet_non_ipsec_sendrecv(scannerdaemon_t)
+corenet_all_recvfrom_unlabeled(scannerdaemon_t)
+corenet_all_recvfrom_netlabel(scannerdaemon_t)
corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
corenet_udp_sendrecv_generic_if(scannerdaemon_t)
corenet_tcp_sendrecv_all_nodes(scannerdaemon_t)
diff --git a/policy/modules/services/openvpn.te b/policy/modules/services/openvpn.te
index 28b6f76..a2591f4 100644
--- a/policy/modules/services/openvpn.te
+++ b/policy/modules/services/openvpn.te
@@ -1,5 +1,5 @@
-policy_module(openvpn,1.2.1)
+policy_module(openvpn,1.2.2)
########################################
#
@@ -53,7 +53,8 @@ kernel_read_system_state(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
-corenet_non_ipsec_sendrecv(openvpn_t)
+corenet_all_recvfrom_unlabeled(openvpn_t)
+corenet_all_recvfrom_netlabel(openvpn_t)
corenet_tcp_sendrecv_all_if(openvpn_t)
corenet_udp_sendrecv_all_if(openvpn_t)
corenet_tcp_sendrecv_generic_node(openvpn_t)
diff --git a/policy/modules/services/pcscd.te b/policy/modules/services/pcscd.te
index 681aa61..b0a1871 100644
--- a/policy/modules/services/pcscd.te
+++ b/policy/modules/services/pcscd.te
@@ -1,5 +1,5 @@
-policy_module(pcscd,1.1.0)
+policy_module(pcscd,1.1.1)
########################################
#
@@ -31,10 +31,11 @@ manage_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
manage_sock_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file })
+corenet_all_recvfrom_unlabeled(pcscd_t)
+corenet_all_recvfrom_netlabel(pcscd_t)
corenet_tcp_sendrecv_all_if(pcscd_t)
corenet_tcp_sendrecv_all_nodes(pcscd_t)
corenet_tcp_sendrecv_all_ports(pcscd_t)
-corenet_non_ipsec_sendrecv(pcscd_t)
corenet_tcp_connect_http_port(pcscd_t)
dev_rw_generic_usb_dev(pcscd_t)
diff --git a/policy/modules/services/pegasus.te b/policy/modules/services/pegasus.te
index a307720..a1fa4fa 100644
--- a/policy/modules/services/pegasus.te
+++ b/policy/modules/services/pegasus.te
@@ -1,5 +1,5 @@
-policy_module(pegasus,1.3.1)
+policy_module(pegasus,1.3.2)
########################################
#
@@ -66,7 +66,8 @@ kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
kernel_read_net_sysctls(pegasus_t)
-corenet_non_ipsec_sendrecv(pegasus_t)
+corenet_all_recvfrom_unlabeled(pegasus_t)
+corenet_all_recvfrom_netlabel(pegasus_t)
corenet_tcp_sendrecv_all_if(pegasus_t)
corenet_tcp_sendrecv_all_nodes(pegasus_t)
corenet_tcp_sendrecv_all_ports(pegasus_t)
diff --git a/policy/modules/services/perdition.te b/policy/modules/services/perdition.te
index 8e3f11a..22b8b0f 100644
--- a/policy/modules/services/perdition.te
+++ b/policy/modules/services/perdition.te
@@ -1,5 +1,5 @@
-policy_module(perdition,1.2.0)
+policy_module(perdition,1.2.1)
########################################
#
@@ -37,7 +37,8 @@ kernel_read_kernel_sysctls(perdition_t)
kernel_list_proc(perdition_t)
kernel_read_proc_symlinks(perdition_t)
-corenet_non_ipsec_sendrecv(perdition_t)
+corenet_all_recvfrom_unlabeled(perdition_t)
+corenet_all_recvfrom_netlabel(perdition_t)
corenet_tcp_sendrecv_generic_if(perdition_t)
corenet_udp_sendrecv_generic_if(perdition_t)
corenet_tcp_sendrecv_all_nodes(perdition_t)
diff --git a/policy/modules/services/portmap.te b/policy/modules/services/portmap.te
index d2df243..971efd2 100644
--- a/policy/modules/services/portmap.te
+++ b/policy/modules/services/portmap.te
@@ -1,5 +1,5 @@
-policy_module(portmap,1.4.0)
+policy_module(portmap,1.4.1)
########################################
#
@@ -45,7 +45,8 @@ kernel_read_kernel_sysctls(portmap_t)
kernel_list_proc(portmap_t)
kernel_read_proc_symlinks(portmap_t)
-corenet_non_ipsec_sendrecv(portmap_t)
+corenet_all_recvfrom_unlabeled(portmap_t)
+corenet_all_recvfrom_netlabel(portmap_t)
corenet_tcp_sendrecv_all_if(portmap_t)
corenet_udp_sendrecv_all_if(portmap_t)
corenet_tcp_sendrecv_all_nodes(portmap_t)
@@ -123,6 +124,8 @@ allow portmap_helper_t self:udp_socket create_socket_perms;
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
+corenet_all_recvfrom_unlabeled(portmap_helper_t)
+corenet_all_recvfrom_netlabel(portmap_helper_t)
corenet_tcp_sendrecv_all_if(portmap_helper_t)
corenet_udp_sendrecv_all_if(portmap_helper_t)
corenet_raw_sendrecv_all_if(portmap_helper_t)
@@ -131,7 +134,6 @@ corenet_udp_sendrecv_all_nodes(portmap_helper_t)
corenet_raw_sendrecv_all_nodes(portmap_helper_t)
corenet_tcp_sendrecv_all_ports(portmap_helper_t)
corenet_udp_sendrecv_all_ports(portmap_helper_t)
-corenet_non_ipsec_sendrecv(portmap_helper_t)
corenet_tcp_bind_all_nodes(portmap_helper_t)
corenet_udp_bind_all_nodes(portmap_helper_t)
corenet_tcp_bind_reserved_port(portmap_helper_t)
diff --git a/policy/modules/services/portslave.te b/policy/modules/services/portslave.te
index 7dae3dd..d4d2f94 100644
--- a/policy/modules/services/portslave.te
+++ b/policy/modules/services/portslave.te
@@ -1,5 +1,5 @@
-policy_module(portslave,1.2.0)
+policy_module(portslave,1.2.1)
########################################
#
@@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(portslave_t)
corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)
-corenet_non_ipsec_sendrecv(portslave_t)
+corenet_all_recvfrom_unlabeled(portslave_t)
+corenet_all_recvfrom_netlabel(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
corenet_tcp_sendrecv_all_nodes(portslave_t)
diff --git a/policy/modules/services/postfix.if b/policy/modules/services/postfix.if
index a40154a..97e9297 100644
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -125,7 +125,8 @@ template(`postfix_server_domain_template',`
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
- corenet_non_ipsec_sendrecv(postfix_$1_t)
+ corenet_all_recvfrom_unlabeled(postfix_$1_t)
+ corenet_all_recvfrom_netlabel(postfix_$1_t)
corenet_tcp_sendrecv_all_if(postfix_$1_t)
corenet_udp_sendrecv_all_if(postfix_$1_t)
corenet_tcp_sendrecv_all_nodes(postfix_$1_t)
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index dabea2d..51520bb 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -1,5 +1,5 @@
-policy_module(postfix,1.5.0)
+policy_module(postfix,1.5.1)
########################################
#
@@ -133,7 +133,8 @@ rename_files_pattern(postfix_master_t,postfix_spool_maildrop_t,postfix_spool_mai
kernel_read_all_sysctls(postfix_master_t)
-corenet_non_ipsec_sendrecv(postfix_master_t)
+corenet_all_recvfrom_unlabeled(postfix_master_t)
+corenet_all_recvfrom_netlabel(postfix_master_t)
corenet_tcp_sendrecv_all_if(postfix_master_t)
corenet_udp_sendrecv_all_if(postfix_master_t)
corenet_tcp_sendrecv_all_nodes(postfix_master_t)
@@ -309,7 +310,8 @@ kernel_read_kernel_sysctls(postfix_map_t)
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
-corenet_non_ipsec_sendrecv(postfix_map_t)
+corenet_all_recvfrom_unlabeled(postfix_map_t)
+corenet_all_recvfrom_netlabel(postfix_map_t)
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
corenet_tcp_sendrecv_all_nodes(postfix_map_t)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index e5a6a25..799132e 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql,1.3.0)
+policy_module(postgresql,1.3.1)
#################################
#
@@ -82,7 +82,8 @@ kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
-corenet_non_ipsec_sendrecv(postgresql_t)
+corenet_all_recvfrom_unlabeled(postgresql_t)
+corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_all_if(postgresql_t)
corenet_udp_sendrecv_all_if(postgresql_t)
corenet_tcp_sendrecv_all_nodes(postgresql_t)
diff --git a/policy/modules/services/postgrey.te b/policy/modules/services/postgrey.te
index bfb365a..73fd224 100644
--- a/policy/modules/services/postgrey.te
+++ b/policy/modules/services/postgrey.te
@@ -1,5 +1,5 @@
-policy_module(postgrey,1.2.0)
+policy_module(postgrey,1.2.1)
########################################
#
@@ -46,7 +46,8 @@ kernel_read_kernel_sysctls(postgrey_t)
# for perl
corecmd_search_bin(postgrey_t)
-corenet_non_ipsec_sendrecv(postgrey_t)
+corenet_all_recvfrom_unlabeled(postgrey_t)
+corenet_all_recvfrom_netlabel(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t)
corenet_tcp_sendrecv_all_nodes(postgrey_t)
corenet_tcp_sendrecv_all_ports(postgrey_t)
diff --git a/policy/modules/services/ppp.te b/policy/modules/services/ppp.te
index 005af7b..5c865d7 100644
--- a/policy/modules/services/ppp.te
+++ b/policy/modules/services/ppp.te
@@ -1,5 +1,5 @@
-policy_module(ppp,1.4.1)
+policy_module(ppp,1.4.2)
########################################
#
@@ -126,7 +126,8 @@ dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
-corenet_non_ipsec_sendrecv(pppd_t)
+corenet_all_recvfrom_unlabeled(pppd_t)
+corenet_all_recvfrom_netlabel(pppd_t)
corenet_tcp_sendrecv_all_if(pppd_t)
corenet_raw_sendrecv_all_if(pppd_t)
corenet_udp_sendrecv_all_if(pppd_t)
@@ -261,7 +262,8 @@ kernel_read_proc_symlinks(pptp_t)
dev_read_sysfs(pptp_t)
-corenet_non_ipsec_sendrecv(pptp_t)
+corenet_all_recvfrom_unlabeled(pptp_t)
+corenet_all_recvfrom_netlabel(pptp_t)
corenet_tcp_sendrecv_all_if(pptp_t)
corenet_raw_sendrecv_all_if(pptp_t)
corenet_tcp_sendrecv_all_nodes(pptp_t)
diff --git a/policy/modules/services/privoxy.te b/policy/modules/services/privoxy.te
index 10325d5..1ccb495 100644
--- a/policy/modules/services/privoxy.te
+++ b/policy/modules/services/privoxy.te
@@ -1,5 +1,5 @@
-policy_module(privoxy,1.3.0)
+policy_module(privoxy,1.3.1)
########################################
#
@@ -40,7 +40,8 @@ kernel_read_kernel_sysctls(privoxy_t)
kernel_list_proc(privoxy_t)
kernel_read_proc_symlinks(privoxy_t)
-corenet_non_ipsec_sendrecv(privoxy_t)
+corenet_all_recvfrom_unlabeled(privoxy_t)
+corenet_all_recvfrom_netlabel(privoxy_t)
corenet_tcp_sendrecv_all_if(privoxy_t)
corenet_tcp_sendrecv_all_nodes(privoxy_t)
corenet_tcp_sendrecv_all_ports(privoxy_t)
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 1b9492d..5beb82e 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
-policy_module(procmail,1.5.1)
+policy_module(procmail,1.5.2)
########################################
#
@@ -34,7 +34,8 @@ files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
-corenet_non_ipsec_sendrecv(procmail_t)
+corenet_all_recvfrom_unlabeled(procmail_t)
+corenet_all_recvfrom_netlabel(procmail_t)
corenet_tcp_sendrecv_all_if(procmail_t)
corenet_udp_sendrecv_all_if(procmail_t)
corenet_tcp_sendrecv_all_nodes(procmail_t)
diff --git a/policy/modules/services/pyzor.te b/policy/modules/services/pyzor.te
index 137a111..046162a 100644
--- a/policy/modules/services/pyzor.te
+++ b/policy/modules/services/pyzor.te
@@ -1,5 +1,5 @@
-policy_module(pyzor,1.2.1)
+policy_module(pyzor,1.2.2)
########################################
#
@@ -112,7 +112,8 @@ dev_read_urand(pyzord_t)
corecmd_exec_bin(pyzord_t)
-corenet_non_ipsec_sendrecv(pyzord_t)
+corenet_all_recvfrom_unlabeled(pyzord_t)
+corenet_all_recvfrom_netlabel(pyzord_t)
corenet_udp_sendrecv_all_if(pyzord_t)
corenet_udp_sendrecv_all_nodes(pyzord_t)
corenet_udp_sendrecv_all_ports(pyzord_t)
diff --git a/policy/modules/services/qmail.te b/policy/modules/services/qmail.te
index 67bfb6b..8a8d697 100644
--- a/policy/modules/services/qmail.te
+++ b/policy/modules/services/qmail.te
@@ -1,5 +1,5 @@
-policy_module(qmail,1.1.0)
+policy_module(qmail,1.1.1)
########################################
#
@@ -171,7 +171,8 @@ allow qmail_remote_t self:udp_socket create_socket_perms;
rw_files_pattern(qmail_remote_t,qmail_spool_t,qmail_spool_t)
-corenet_non_ipsec_sendrecv(qmail_remote_t)
+corenet_all_recvfrom_unlabeled(qmail_remote_t)
+corenet_all_recvfrom_netlabel(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
corenet_udp_sendrecv_generic_if(qmail_remote_t)
corenet_tcp_sendrecv_generic_node(qmail_remote_t)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
index a77138a..8991af4 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -1,5 +1,5 @@
-policy_module(radius,1.3.1)
+policy_module(radius,1.3.2)
########################################
#
@@ -58,7 +58,8 @@ files_pid_filetrans(radiusd_t,radiusd_var_run_t,file)
kernel_read_kernel_sysctls(radiusd_t)
kernel_read_system_state(radiusd_t)
-corenet_non_ipsec_sendrecv(radiusd_t)
+corenet_all_recvfrom_unlabeled(radiusd_t)
+corenet_all_recvfrom_netlabel(radiusd_t)
corenet_tcp_sendrecv_all_if(radiusd_t)
corenet_udp_sendrecv_all_if(radiusd_t)
corenet_tcp_sendrecv_all_nodes(radiusd_t)
diff --git a/policy/modules/services/radvd.te b/policy/modules/services/radvd.te
index d808771..df87097 100644
--- a/policy/modules/services/radvd.te
+++ b/policy/modules/services/radvd.te
@@ -1,5 +1,5 @@
-policy_module(radvd,1.3.0)
+policy_module(radvd,1.3.1)
########################################
#
@@ -38,7 +38,8 @@ kernel_read_net_sysctls(radvd_t)
kernel_read_network_state(radvd_t)
kernel_read_system_state(radvd_t)
-corenet_non_ipsec_sendrecv(radvd_t)
+corenet_all_recvfrom_unlabeled(radvd_t)
+corenet_all_recvfrom_netlabel(radvd_t)
corenet_tcp_sendrecv_all_if(radvd_t)
corenet_udp_sendrecv_all_if(radvd_t)
corenet_raw_sendrecv_all_if(radvd_t)
diff --git a/policy/modules/services/razor.if b/policy/modules/services/razor.if
index 5c5b99d..c8f24ac 100644
--- a/policy/modules/services/razor.if
+++ b/policy/modules/services/razor.if
@@ -67,7 +67,8 @@ template(`razor_common_domain_template',`
corecmd_exec_bin($1_t)
- corenet_non_ipsec_sendrecv($1_t)
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
diff --git a/policy/modules/services/razor.te b/policy/modules/services/razor.te
index f88636d..27bae91 100644
--- a/policy/modules/services/razor.te
+++ b/policy/modules/services/razor.te
@@ -1,5 +1,5 @@
-policy_module(razor,1.2.0)
+policy_module(razor,1.2.1)
########################################
#
@@ -41,7 +41,8 @@ logging_log_filetrans(razor_t,razor_log_t,file)
manage_files_pattern(razor_t,razor_var_lib_t,razor_var_lib_t)
files_var_lib_filetrans(razor_t,razor_var_lib_t,file)
-corenet_non_ipsec_sendrecv(razor_t)
+corenet_all_recvfrom_unlabeled(razor_t)
+corenet_all_recvfrom_netlabel(razor_t)
corenet_tcp_sendrecv_generic_if(razor_t)
corenet_raw_sendrecv_generic_if(razor_t)
corenet_tcp_sendrecv_all_nodes(razor_t)
diff --git a/policy/modules/services/rdisc.te b/policy/modules/services/rdisc.te
index 7ab6419..b90ae77 100644
--- a/policy/modules/services/rdisc.te
+++ b/policy/modules/services/rdisc.te
@@ -1,5 +1,5 @@
-policy_module(rdisc,1.3.0)
+policy_module(rdisc,1.3.1)
########################################
#
@@ -26,7 +26,8 @@ kernel_list_proc(rdisc_t)
kernel_read_proc_symlinks(rdisc_t)
kernel_read_kernel_sysctls(rdisc_t)
-corenet_non_ipsec_sendrecv(rdisc_t)
+corenet_all_recvfrom_unlabeled(rdisc_t)
+corenet_all_recvfrom_netlabel(rdisc_t)
corenet_udp_sendrecv_generic_if(rdisc_t)
corenet_raw_sendrecv_generic_if(rdisc_t)
corenet_udp_sendrecv_all_nodes(rdisc_t)
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index df66704..5707299 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
-policy_module(rhgb,1.3.0)
+policy_module(rhgb,1.3.1)
########################################
#
@@ -44,7 +44,8 @@ kernel_read_system_state(rhgb_t)
corecmd_exec_bin(rhgb_t)
corecmd_exec_shell(rhgb_t)
-corenet_non_ipsec_sendrecv(rhgb_t)
+corenet_all_recvfrom_unlabeled(rhgb_t)
+corenet_all_recvfrom_netlabel(rhgb_t)
corenet_tcp_sendrecv_generic_if(rhgb_t)
corenet_udp_sendrecv_generic_if(rhgb_t)
corenet_tcp_sendrecv_all_nodes(rhgb_t)
diff --git a/policy/modules/services/ricci.te b/policy/modules/services/ricci.te
index 674c7aa..40d07a6 100644
--- a/policy/modules/services/ricci.te
+++ b/policy/modules/services/ricci.te
@@ -1,5 +1,5 @@
-policy_module(ricci,1.1.0)
+policy_module(ricci,1.1.1)
########################################
#
@@ -120,7 +120,8 @@ kernel_read_kernel_sysctls(ricci_t)
corecmd_exec_bin(ricci_t)
-corenet_non_ipsec_sendrecv(ricci_t)
+corenet_all_recvfrom_unlabeled(ricci_t)
+corenet_all_recvfrom_netlabel(ricci_t)
corenet_tcp_sendrecv_all_if(ricci_t)
corenet_tcp_sendrecv_all_nodes(ricci_t)
corenet_tcp_sendrecv_all_ports(ricci_t)
@@ -356,7 +357,6 @@ logging_read_generic_logs(ricci_modlog_t)
miscfiles_read_localization(ricci_modlog_t)
-
optional_policy(`
nscd_dontaudit_search_pid(ricci_modlog_t)
')
diff --git a/policy/modules/services/rlogin.te b/policy/modules/services/rlogin.te
index c38ec83..45e947e 100644
--- a/policy/modules/services/rlogin.te
+++ b/policy/modules/services/rlogin.te
@@ -1,5 +1,5 @@
-policy_module(rlogin,1.3.0)
+policy_module(rlogin,1.3.1)
########################################
#
@@ -50,7 +50,8 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
-corenet_non_ipsec_sendrecv(rlogind_t)
+corenet_all_recvfrom_unlabeled(rlogind_t)
+corenet_all_recvfrom_netlabel(rlogind_t)
corenet_tcp_sendrecv_all_if(rlogind_t)
corenet_udp_sendrecv_all_if(rlogind_t)
corenet_tcp_sendrecv_all_nodes(rlogind_t)
diff --git a/policy/modules/services/roundup.te b/policy/modules/services/roundup.te
index 92458ec..211f735 100644
--- a/policy/modules/services/roundup.te
+++ b/policy/modules/services/roundup.te
@@ -1,5 +1,5 @@
-policy_module(roundup,1.2.0)
+policy_module(roundup,1.2.1)
########################################
#
@@ -43,7 +43,8 @@ dev_read_sysfs(roundup_t)
# execute python
corecmd_exec_bin(roundup_t)
-corenet_non_ipsec_sendrecv(roundup_t)
+corenet_all_recvfrom_unlabeled(roundup_t)
+corenet_all_recvfrom_netlabel(roundup_t)
corenet_tcp_sendrecv_generic_if(roundup_t)
corenet_udp_sendrecv_generic_if(roundup_t)
corenet_raw_sendrecv_generic_if(roundup_t)
diff --git a/policy/modules/services/rpc.if b/policy/modules/services/rpc.if
index 21d96f5..bbf5f41 100644
--- a/policy/modules/services/rpc.if
+++ b/policy/modules/services/rpc.if
@@ -70,7 +70,8 @@ template(`rpc_domain_template', `
dev_read_urand($1_t)
dev_read_rand($1_t)
- corenet_non_ipsec_sendrecv($1_t)
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
@@ -80,7 +81,6 @@ template(`rpc_domain_template', `
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_reserved_port($1_t)
- corenet_tcp_bind_reserved_port($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_portmap_client_packets($1_t)
# do not log when it tries to bind to a port belonging to another domain
diff --git a/policy/modules/services/rpc.te b/policy/modules/services/rpc.te
index 429f47f..a746392 100644
--- a/policy/modules/services/rpc.te
+++ b/policy/modules/services/rpc.te
@@ -1,5 +1,5 @@
-policy_module(rpc,1.5.0)
+policy_module(rpc,1.5.1)
########################################
#
diff --git a/policy/modules/services/rshd.te b/policy/modules/services/rshd.te
index 1dbe9c0..949859c 100644
--- a/policy/modules/services/rshd.te
+++ b/policy/modules/services/rshd.te
@@ -1,5 +1,5 @@
-policy_module(rshd,1.2.0)
+policy_module(rshd,1.2.1)
########################################
#
@@ -23,7 +23,8 @@ allow rshd_t self:tcp_socket create_stream_socket_perms;
kernel_read_kernel_sysctls(rshd_t)
-corenet_non_ipsec_sendrecv(rshd_t)
+corenet_all_recvfrom_unlabeled(rshd_t)
+corenet_all_recvfrom_netlabel(rshd_t)
corenet_tcp_sendrecv_generic_if(rshd_t)
corenet_udp_sendrecv_generic_if(rshd_t)
corenet_tcp_sendrecv_all_nodes(rshd_t)
diff --git a/policy/modules/services/rsync.te b/policy/modules/services/rsync.te
index 5096d24..c9de498 100644
--- a/policy/modules/services/rsync.te
+++ b/policy/modules/services/rsync.te
@@ -1,5 +1,5 @@
-policy_module(rsync,1.4.0)
+policy_module(rsync,1.4.1)
########################################
#
@@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
-corenet_non_ipsec_sendrecv(rsync_t)
+corenet_all_recvfrom_unlabeled(rsync_t)
+corenet_all_recvfrom_netlabel(rsync_t)
corenet_tcp_sendrecv_all_if(rsync_t)
corenet_udp_sendrecv_all_if(rsync_t)
corenet_tcp_sendrecv_all_nodes(rsync_t)
diff --git a/policy/modules/services/rwho.te b/policy/modules/services/rwho.te
index d47263a..4f74729 100644
--- a/policy/modules/services/rwho.te
+++ b/policy/modules/services/rwho.te
@@ -1,5 +1,5 @@
-policy_module(rwho,1.0.1)
+policy_module(rwho,1.0.2)
########################################
#
@@ -32,7 +32,8 @@ files_spool_filetrans(rwho_t,rwho_spool_t, { file dir })
kernel_read_system_state(rwho_t)
-corenet_non_ipsec_sendrecv(rwho_t)
+corenet_all_recvfrom_unlabeled(rwho_t)
+corenet_all_recvfrom_netlabel(rwho_t)
corenet_udp_sendrecv_all_if(rwho_t)
corenet_udp_sendrecv_all_nodes(rwho_t)
corenet_udp_sendrecv_all_ports(rwho_t)
diff --git a/policy/modules/services/samba.te b/policy/modules/services/samba.te
index bb9746e..2b0bf32 100644
--- a/policy/modules/services/samba.te
+++ b/policy/modules/services/samba.te
@@ -1,5 +1,5 @@
-policy_module(samba,1.5.1)
+policy_module(samba,1.5.2)
#################################
#
@@ -170,6 +170,8 @@ manage_lnk_files_pattern(samba_net_t,samba_var_t,samba_var_t)
kernel_read_proc_symlinks(samba_net_t)
+corenet_all_recvfrom_unlabeled(samba_net_t)
+corenet_all_recvfrom_netlabel(samba_net_t)
corenet_tcp_sendrecv_all_if(samba_net_t)
corenet_udp_sendrecv_all_if(samba_net_t)
corenet_raw_sendrecv_all_if(samba_net_t)
@@ -178,7 +180,6 @@ corenet_udp_sendrecv_all_nodes(samba_net_t)
corenet_raw_sendrecv_all_nodes(samba_net_t)
corenet_tcp_sendrecv_all_ports(samba_net_t)
corenet_udp_sendrecv_all_ports(samba_net_t)
-corenet_non_ipsec_sendrecv(samba_net_t)
corenet_tcp_bind_all_nodes(samba_net_t)
corenet_udp_bind_all_nodes(samba_net_t)
corenet_tcp_connect_smbd_port(samba_net_t)
@@ -280,6 +281,8 @@ kernel_read_system_state(smbd_t)
corecmd_exec_shell(smbd_t)
corecmd_exec_bin(smbd_t)
+corenet_all_recvfrom_unlabeled(smbd_t)
+corenet_all_recvfrom_netlabel(smbd_t)
corenet_tcp_sendrecv_all_if(smbd_t)
corenet_udp_sendrecv_all_if(smbd_t)
corenet_raw_sendrecv_all_if(smbd_t)
@@ -288,7 +291,6 @@ corenet_udp_sendrecv_all_nodes(smbd_t)
corenet_raw_sendrecv_all_nodes(smbd_t)
corenet_tcp_sendrecv_all_ports(smbd_t)
corenet_udp_sendrecv_all_ports(smbd_t)
-corenet_non_ipsec_sendrecv(smbd_t)
corenet_tcp_bind_all_nodes(smbd_t)
corenet_udp_bind_all_nodes(smbd_t)
corenet_tcp_bind_smbd_port(smbd_t)
@@ -444,7 +446,8 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
-corenet_non_ipsec_sendrecv(nmbd_t)
+corenet_all_recvfrom_unlabeled(nmbd_t)
+corenet_all_recvfrom_netlabel(nmbd_t)
corenet_tcp_sendrecv_all_if(nmbd_t)
corenet_udp_sendrecv_all_if(nmbd_t)
corenet_tcp_sendrecv_all_nodes(nmbd_t)
@@ -529,6 +532,8 @@ files_list_var_lib(smbmount_t)
kernel_read_system_state(smbmount_t)
+corenet_all_recvfrom_unlabeled(smbmount_t)
+corenet_all_recvfrom_netlabel(smbmount_t)
corenet_tcp_sendrecv_all_if(smbmount_t)
corenet_raw_sendrecv_all_if(smbmount_t)
corenet_udp_sendrecv_all_if(smbmount_t)
@@ -537,7 +542,6 @@ corenet_raw_sendrecv_all_nodes(smbmount_t)
corenet_udp_sendrecv_all_nodes(smbmount_t)
corenet_tcp_sendrecv_all_ports(smbmount_t)
corenet_udp_sendrecv_all_ports(smbmount_t)
-corenet_non_ipsec_sendrecv(smbmount_t)
corenet_tcp_bind_all_nodes(smbmount_t)
corenet_udp_bind_all_nodes(smbmount_t)
corenet_tcp_connect_all_ports(smbmount_t)
@@ -631,7 +635,8 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
-corenet_non_ipsec_sendrecv(swat_t)
+corenet_all_recvfrom_unlabeled(swat_t)
+corenet_all_recvfrom_netlabel(swat_t)
corenet_tcp_sendrecv_generic_if(swat_t)
corenet_udp_sendrecv_generic_if(swat_t)
corenet_raw_sendrecv_generic_if(swat_t)
@@ -738,6 +743,8 @@ kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
+corenet_all_recvfrom_unlabeled(winbind_t)
+corenet_all_recvfrom_netlabel(winbind_t)
corenet_tcp_sendrecv_all_if(winbind_t)
corenet_udp_sendrecv_all_if(winbind_t)
corenet_raw_sendrecv_all_if(winbind_t)
@@ -746,7 +753,6 @@ corenet_udp_sendrecv_all_nodes(winbind_t)
corenet_raw_sendrecv_all_nodes(winbind_t)
corenet_tcp_sendrecv_all_ports(winbind_t)
corenet_udp_sendrecv_all_ports(winbind_t)
-corenet_non_ipsec_sendrecv(winbind_t)
corenet_tcp_bind_all_nodes(winbind_t)
corenet_udp_bind_all_nodes(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
diff --git a/policy/modules/services/sasl.te b/policy/modules/services/sasl.te
index ce54944..be95079 100644
--- a/policy/modules/services/sasl.te
+++ b/policy/modules/services/sasl.te
@@ -1,5 +1,5 @@
-policy_module(sasl,1.5.0)
+policy_module(sasl,1.5.1)
########################################
#
@@ -47,7 +47,8 @@ files_pid_filetrans(saslauthd_t,saslauthd_var_run_t,file)
kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
-corenet_non_ipsec_sendrecv(saslauthd_t)
+corenet_all_recvfrom_unlabeled(saslauthd_t)
+corenet_all_recvfrom_netlabel(saslauthd_t)
corenet_tcp_sendrecv_all_if(saslauthd_t)
corenet_tcp_sendrecv_all_nodes(saslauthd_t)
corenet_tcp_sendrecv_all_ports(saslauthd_t)
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index 13bcb92..69d6671 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
-policy_module(sendmail,1.4.2)
+policy_module(sendmail,1.4.3)
########################################
#
@@ -49,7 +49,8 @@ kernel_read_kernel_sysctls(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
-corenet_non_ipsec_sendrecv(sendmail_t)
+corenet_all_recvfrom_unlabeled(sendmail_t)
+corenet_all_recvfrom_netlabel(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
corenet_tcp_sendrecv_all_nodes(sendmail_t)
corenet_tcp_sendrecv_all_ports(sendmail_t)
diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 99090db..0698cad 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
-policy_module(setroubleshoot,1.3.1)
+policy_module(setroubleshoot,1.3.2)
########################################
#
@@ -58,7 +58,8 @@ kernel_read_network_state(setroubleshootd_t)
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
-corenet_non_ipsec_sendrecv(setroubleshootd_t)
+corenet_all_recvfrom_unlabeled(setroubleshootd_t)
+corenet_all_recvfrom_netlabel(setroubleshootd_t)
corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
corenet_tcp_sendrecv_all_ports(setroubleshootd_t)
diff --git a/policy/modules/services/smartmon.te b/policy/modules/services/smartmon.te
index 5bc4baa..f7ea4b1 100644
--- a/policy/modules/services/smartmon.te
+++ b/policy/modules/services/smartmon.te
@@ -1,5 +1,5 @@
-policy_module(smartmon,1.2.0)
+policy_module(smartmon,1.2.1)
########################################
#
@@ -42,7 +42,8 @@ kernel_read_system_state(fsdaemon_t)
corecmd_exec_all_executables(fsdaemon_t)
-corenet_non_ipsec_sendrecv(fsdaemon_t)
+corenet_all_recvfrom_unlabeled(fsdaemon_t)
+corenet_all_recvfrom_netlabel(fsdaemon_t)
corenet_udp_sendrecv_generic_if(fsdaemon_t)
corenet_udp_sendrecv_all_nodes(fsdaemon_t)
corenet_udp_sendrecv_all_ports(fsdaemon_t)
diff --git a/policy/modules/services/snmp.te b/policy/modules/services/snmp.te
index f515d71..143a4c7 100644
--- a/policy/modules/services/snmp.te
+++ b/policy/modules/services/snmp.te
@@ -1,5 +1,5 @@
-policy_module(snmp,1.4.3)
+policy_module(snmp,1.4.4)
########################################
#
@@ -53,7 +53,8 @@ kernel_read_network_state(snmpd_t)
corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)
-corenet_non_ipsec_sendrecv(snmpd_t)
+corenet_all_recvfrom_unlabeled(snmpd_t)
+corenet_all_recvfrom_netlabel(snmpd_t)
corenet_tcp_sendrecv_all_if(snmpd_t)
corenet_udp_sendrecv_all_if(snmpd_t)
corenet_tcp_sendrecv_all_nodes(snmpd_t)
diff --git a/policy/modules/services/snort.te b/policy/modules/services/snort.te
index 86f8176..0af52e5 100644
--- a/policy/modules/services/snort.te
+++ b/policy/modules/services/snort.te
@@ -1,5 +1,5 @@
-policy_module(snort,1.2.0)
+policy_module(snort,1.2.1)
########################################
#
@@ -55,7 +55,8 @@ kernel_list_proc(snort_t)
kernel_read_proc_symlinks(snort_t)
kernel_dontaudit_read_system_state(snort_t)
-corenet_non_ipsec_sendrecv(snort_t)
+corenet_all_recvfrom_unlabeled(snort_t)
+corenet_all_recvfrom_netlabel(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
corenet_raw_sendrecv_generic_if(snort_t)
diff --git a/policy/modules/services/soundserver.te b/policy/modules/services/soundserver.te
index 8119ab2..250bbb7 100644
--- a/policy/modules/services/soundserver.te
+++ b/policy/modules/services/soundserver.te
@@ -1,5 +1,5 @@
-policy_module(soundserver,1.2.0)
+policy_module(soundserver,1.2.1)
########################################
#
@@ -62,7 +62,8 @@ kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
kernel_read_proc_symlinks(soundd_t)
-corenet_non_ipsec_sendrecv(soundd_t)
+corenet_all_recvfrom_unlabeled(soundd_t)
+corenet_all_recvfrom_netlabel(soundd_t)
corenet_tcp_sendrecv_generic_if(soundd_t)
corenet_udp_sendrecv_generic_if(soundd_t)
corenet_tcp_sendrecv_all_nodes(soundd_t)
diff --git a/policy/modules/services/spamassassin.if b/policy/modules/services/spamassassin.if
index 186838f..7a374fd 100644
--- a/policy/modules/services/spamassassin.if
+++ b/policy/modules/services/spamassassin.if
@@ -97,7 +97,8 @@ template(`spamassassin_per_role_template',`
kernel_read_kernel_sysctls($1_spamc_t)
- corenet_non_ipsec_sendrecv($1_spamc_t)
+ corenet_all_recvfrom_unlabeled($1_spamc_t)
+ corenet_all_recvfrom_netlabel($1_spamc_t)
corenet_tcp_sendrecv_generic_if($1_spamc_t)
corenet_udp_sendrecv_generic_if($1_spamc_t)
corenet_tcp_sendrecv_all_nodes($1_spamc_t)
@@ -267,7 +268,8 @@ template(`spamassassin_per_role_template',`
allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
allow $1_spamassassin_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1_spamassassin_t)
+ corenet_all_recvfrom_unlabeled($1_spamassassin_t)
+ corenet_all_recvfrom_netlabel($1_spamassassin_t)
corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
corenet_udp_sendrecv_generic_if($1_spamassassin_t)
corenet_tcp_sendrecv_all_nodes($1_spamassassin_t)
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 78f85ba..3152d7b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin,1.6.1)
+policy_module(spamassassin,1.6.2)
########################################
#
@@ -93,7 +93,8 @@ files_pid_filetrans(spamd_t,spamd_var_run_t,file)
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
-corenet_non_ipsec_sendrecv(spamd_t)
+corenet_all_recvfrom_unlabeled(spamd_t)
+corenet_all_recvfrom_netlabel(spamd_t)
corenet_tcp_sendrecv_all_if(spamd_t)
corenet_udp_sendrecv_all_if(spamd_t)
corenet_tcp_sendrecv_all_nodes(spamd_t)
diff --git a/policy/modules/services/squid.te b/policy/modules/services/squid.te
index 356f465..16d6bd4 100644
--- a/policy/modules/services/squid.te
+++ b/policy/modules/services/squid.te
@@ -1,5 +1,5 @@
-policy_module(squid,1.3.1)
+policy_module(squid,1.3.2)
########################################
#
@@ -75,7 +75,8 @@ kernel_read_system_state(squid_t)
files_dontaudit_getattr_boot_dirs(squid_t)
-corenet_non_ipsec_sendrecv(squid_t)
+corenet_all_recvfrom_unlabeled(squid_t)
+corenet_all_recvfrom_netlabel(squid_t)
corenet_tcp_sendrecv_all_if(squid_t)
corenet_udp_sendrecv_all_if(squid_t)
corenet_tcp_sendrecv_all_nodes(squid_t)
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index 86f393b..623cdd0 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -109,7 +109,8 @@ template(`ssh_basic_client_template',`
kernel_read_kernel_sysctls($1_ssh_t)
- corenet_non_ipsec_sendrecv($1_ssh_t)
+ corenet_all_recvfrom_unlabeled($1_ssh_t)
+ corenet_all_recvfrom_netlabel($1_ssh_t)
corenet_tcp_sendrecv_all_if($1_ssh_t)
corenet_tcp_sendrecv_all_nodes($1_ssh_t)
corenet_tcp_sendrecv_all_ports($1_ssh_t)
@@ -466,6 +467,8 @@ template(`ssh_server_template', `
kernel_read_kernel_sysctls($1_t)
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_raw_sendrecv_all_if($1_t)
@@ -474,7 +477,6 @@ template(`ssh_server_template', `
corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
- corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_ssh_port($1_t)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5fff856..4e78a6c 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -1,5 +1,5 @@
-policy_module(ssh,1.6.1)
+policy_module(ssh,1.6.2)
########################################
#
diff --git a/policy/modules/services/stunnel.te b/policy/modules/services/stunnel.te
index cee092b..24eb409 100644
--- a/policy/modules/services/stunnel.te
+++ b/policy/modules/services/stunnel.te
@@ -1,5 +1,5 @@
-policy_module(stunnel,1.3.0)
+policy_module(stunnel,1.3.1)
########################################
#
@@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(stunnel_t)
kernel_read_system_state(stunnel_t)
kernel_read_network_state(stunnel_t)
-corenet_non_ipsec_sendrecv(stunnel_t)
+corenet_all_recvfrom_unlabeled(stunnel_t)
+corenet_all_recvfrom_netlabel(stunnel_t)
corenet_tcp_sendrecv_all_if(stunnel_t)
corenet_udp_sendrecv_all_if(stunnel_t)
corenet_tcp_sendrecv_all_nodes(stunnel_t)
diff --git a/policy/modules/services/tcpd.te b/policy/modules/services/tcpd.te
index a16ccc5..e0945ac 100644
--- a/policy/modules/services/tcpd.te
+++ b/policy/modules/services/tcpd.te
@@ -1,5 +1,5 @@
-policy_module(tcpd,1.1.0)
+policy_module(tcpd,1.1.1)
########################################
#
@@ -23,7 +23,8 @@ manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
-corenet_non_ipsec_sendrecv(tcpd_t)
+corenet_all_recvfrom_unlabeled(tcpd_t)
+corenet_all_recvfrom_netlabel(tcpd_t)
corenet_tcp_sendrecv_all_if(tcpd_t)
corenet_tcp_sendrecv_all_nodes(tcpd_t)
corenet_tcp_sendrecv_all_ports(tcpd_t)
diff --git a/policy/modules/services/telnet.te b/policy/modules/services/telnet.te
index ea6993d..05e7cb1 100644
--- a/policy/modules/services/telnet.te
+++ b/policy/modules/services/telnet.te
@@ -1,5 +1,5 @@
-policy_module(telnet,1.4.0)
+policy_module(telnet,1.4.1)
########################################
#
@@ -49,7 +49,8 @@ kernel_read_kernel_sysctls(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
-corenet_non_ipsec_sendrecv(telnetd_t)
+corenet_all_recvfrom_unlabeled(telnetd_t)
+corenet_all_recvfrom_netlabel(telnetd_t)
corenet_tcp_sendrecv_all_if(telnetd_t)
corenet_udp_sendrecv_all_if(telnetd_t)
corenet_tcp_sendrecv_all_nodes(telnetd_t)
diff --git a/policy/modules/services/tftp.te b/policy/modules/services/tftp.te
index 7e57399..56437d5 100644
--- a/policy/modules/services/tftp.te
+++ b/policy/modules/services/tftp.te
@@ -1,5 +1,5 @@
-policy_module(tftp,1.4.1)
+policy_module(tftp,1.4.2)
########################################
#
@@ -39,7 +39,8 @@ kernel_read_kernel_sysctls(tftpd_t)
kernel_list_proc(tftpd_t)
kernel_read_proc_symlinks(tftpd_t)
-corenet_non_ipsec_sendrecv(tftpd_t)
+corenet_all_recvfrom_unlabeled(tftpd_t)
+corenet_all_recvfrom_netlabel(tftpd_t)
corenet_tcp_sendrecv_all_if(tftpd_t)
corenet_udp_sendrecv_all_if(tftpd_t)
corenet_tcp_sendrecv_all_nodes(tftpd_t)
diff --git a/policy/modules/services/timidity.te b/policy/modules/services/timidity.te
index 4768d55..38f9dc6 100644
--- a/policy/modules/services/timidity.te
+++ b/policy/modules/services/timidity.te
@@ -1,5 +1,5 @@
-policy_module(timidity,1.3.0)
+policy_module(timidity,1.3.1)
# Note: You only need this policy if you want to run timidity as a server
@@ -39,7 +39,8 @@ kernel_read_kernel_sysctls(timidity_t)
# read /proc/cpuinfo
kernel_read_system_state(timidity_t)
-corenet_non_ipsec_sendrecv(timidity_t)
+corenet_all_recvfrom_unlabeled(timidity_t)
+corenet_all_recvfrom_netlabel(timidity_t)
corenet_tcp_sendrecv_generic_if(timidity_t)
corenet_udp_sendrecv_generic_if(timidity_t)
corenet_tcp_sendrecv_all_nodes(timidity_t)
diff --git a/policy/modules/services/tor.te b/policy/modules/services/tor.te
index b54acb7..b96d6a0 100644
--- a/policy/modules/services/tor.te
+++ b/policy/modules/services/tor.te
@@ -1,5 +1,5 @@
-policy_module(tor,1.2.0)
+policy_module(tor,1.2.1)
########################################
#
@@ -63,7 +63,8 @@ files_pid_filetrans(tor_t,tor_var_run_t, { file sock_file })
kernel_read_system_state(tor_t)
# networking basics
-corenet_non_ipsec_sendrecv(tor_t)
+corenet_all_recvfrom_unlabeled(tor_t)
+corenet_all_recvfrom_netlabel(tor_t)
corenet_tcp_sendrecv_all_if(tor_t)
corenet_tcp_sendrecv_all_nodes(tor_t)
corenet_tcp_sendrecv_all_ports(tor_t)
diff --git a/policy/modules/services/transproxy.te b/policy/modules/services/transproxy.te
index 680ce59..8e3e6f9 100644
--- a/policy/modules/services/transproxy.te
+++ b/policy/modules/services/transproxy.te
@@ -1,5 +1,5 @@
-policy_module(transproxy,1.2.0)
+policy_module(transproxy,1.2.1)
########################################
#
@@ -30,7 +30,8 @@ kernel_read_kernel_sysctls(transproxy_t)
kernel_list_proc(transproxy_t)
kernel_read_proc_symlinks(transproxy_t)
-corenet_non_ipsec_sendrecv(transproxy_t)
+corenet_all_recvfrom_unlabeled(transproxy_t)
+corenet_all_recvfrom_netlabel(transproxy_t)
corenet_tcp_sendrecv_generic_if(transproxy_t)
corenet_tcp_sendrecv_all_nodes(transproxy_t)
corenet_tcp_sendrecv_all_ports(transproxy_t)
diff --git a/policy/modules/services/ucspitcp.te b/policy/modules/services/ucspitcp.te
index a93f147..251b160 100644
--- a/policy/modules/services/ucspitcp.te
+++ b/policy/modules/services/ucspitcp.te
@@ -1,5 +1,5 @@
-policy_module(ucspitcp,1.1.0)
+policy_module(ucspitcp,1.1.1)
########################################
#
@@ -25,13 +25,14 @@ ucspitcp_service_domain(rblsmtpd_t, rblsmtpd_exec_t)
corecmd_search_bin(rblsmtpd_t)
+corenet_all_recvfrom_unlabeled(rblsmtpd_t)
+corenet_all_recvfrom_netlabel(rblsmtpd_t)
corenet_tcp_sendrecv_all_if(rblsmtpd_t)
corenet_udp_sendrecv_all_if(rblsmtpd_t)
corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
corenet_udp_sendrecv_all_ports(rblsmtpd_t)
-corenet_non_ipsec_sendrecv(rblsmtpd_t)
corenet_tcp_bind_all_nodes(rblsmtpd_t)
corenet_udp_bind_generic_port(rblsmtpd_t)
@@ -58,7 +59,8 @@ allow ucspitcp_t self:udp_socket create_socket_perms;
corecmd_search_bin(ucspitcp_t)
# base networking:
-corenet_non_ipsec_sendrecv(ucspitcp_t)
+corenet_all_recvfrom_unlabeled(ucspitcp_t)
+corenet_all_recvfrom_netlabel(ucspitcp_t)
corenet_tcp_sendrecv_all_if(ucspitcp_t)
corenet_udp_sendrecv_all_if(ucspitcp_t)
corenet_tcp_sendrecv_all_nodes(ucspitcp_t)
diff --git a/policy/modules/services/uucp.te b/policy/modules/services/uucp.te
index 415b610..d08f12f 100644
--- a/policy/modules/services/uucp.te
+++ b/policy/modules/services/uucp.te
@@ -1,5 +1,5 @@
-policy_module(uucp,1.3.0)
+policy_module(uucp,1.3.1)
########################################
#
@@ -70,7 +70,8 @@ kernel_read_kernel_sysctls(uucpd_t)
kernel_read_system_state(uucpd_t)
kernel_read_network_state(uucpd_t)
-corenet_non_ipsec_sendrecv(uucpd_t)
+corenet_all_recvfrom_unlabeled(uucpd_t)
+corenet_all_recvfrom_netlabel(uucpd_t)
corenet_tcp_sendrecv_all_if(uucpd_t)
corenet_udp_sendrecv_all_if(uucpd_t)
corenet_tcp_sendrecv_all_nodes(uucpd_t)
diff --git a/policy/modules/services/uwimap.te b/policy/modules/services/uwimap.te
index c0f923d..6f15a3f 100644
--- a/policy/modules/services/uwimap.te
+++ b/policy/modules/services/uwimap.te
@@ -1,5 +1,5 @@
-policy_module(uwimap,1.2.0)
+policy_module(uwimap,1.2.1)
########################################
#
@@ -39,7 +39,8 @@ kernel_read_kernel_sysctls(imapd_t)
kernel_list_proc(imapd_t)
kernel_read_proc_symlinks(imapd_t)
-corenet_non_ipsec_sendrecv(imapd_t)
+corenet_all_recvfrom_unlabeled(imapd_t)
+corenet_all_recvfrom_netlabel(imapd_t)
corenet_tcp_sendrecv_generic_if(imapd_t)
corenet_tcp_sendrecv_all_nodes(imapd_t)
corenet_tcp_sendrecv_all_ports(imapd_t)
diff --git a/policy/modules/services/watchdog.te b/policy/modules/services/watchdog.te
index 45009a7..ca35daf 100644
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -1,5 +1,5 @@
-policy_module(watchdog,1.2.0)
+policy_module(watchdog,1.2.1)
#################################
#
@@ -43,7 +43,8 @@ kernel_unmount_proc(watchdog_t)
corecmd_exec_shell(watchdog_t)
# cjp: why networking?
-corenet_non_ipsec_sendrecv(watchdog_t)
+corenet_all_recvfrom_unlabeled(watchdog_t)
+corenet_all_recvfrom_netlabel(watchdog_t)
corenet_tcp_sendrecv_generic_if(watchdog_t)
corenet_udp_sendrecv_generic_if(watchdog_t)
corenet_tcp_sendrecv_all_nodes(watchdog_t)
diff --git a/policy/modules/services/xprint.te b/policy/modules/services/xprint.te
index 14f0599..7dd67c2 100644
--- a/policy/modules/services/xprint.te
+++ b/policy/modules/services/xprint.te
@@ -1,5 +1,5 @@
-policy_module(xprint,1.2.0)
+policy_module(xprint,1.2.1)
########################################
#
@@ -33,7 +33,8 @@ kernel_read_kernel_sysctls(xprint_t)
corecmd_exec_bin(xprint_t)
corecmd_exec_shell(xprint_t)
-corenet_non_ipsec_sendrecv(xprint_t)
+corenet_all_recvfrom_unlabeled(xprint_t)
+corenet_all_recvfrom_netlabel(xprint_t)
corenet_tcp_sendrecv_generic_if(xprint_t)
corenet_udp_sendrecv_generic_if(xprint_t)
corenet_tcp_sendrecv_all_nodes(xprint_t)
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 39512fe..47faddf 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -94,7 +94,8 @@ template(`xserver_common_domain_template',`
corecmd_exec_bin($1_xserver_t)
corecmd_exec_shell($1_xserver_t)
- corenet_non_ipsec_sendrecv($1_xserver_t)
+ corenet_all_recvfrom_unlabeled($1_xserver_t)
+ corenet_all_recvfrom_netlabel($1_xserver_t)
corenet_tcp_sendrecv_generic_if($1_xserver_t)
corenet_udp_sendrecv_generic_if($1_xserver_t)
corenet_tcp_sendrecv_all_nodes($1_xserver_t)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 6493e17..bd0eea8 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -1,5 +1,5 @@
-policy_module(xserver,1.4.1)
+policy_module(xserver,1.4.2)
########################################
#
@@ -177,7 +177,8 @@ kernel_read_network_state(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
-corenet_non_ipsec_sendrecv(xdm_t)
+corenet_all_recvfrom_unlabeled(xdm_t)
+corenet_all_recvfrom_netlabel(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
corenet_tcp_sendrecv_all_nodes(xdm_t)
diff --git a/policy/modules/services/zebra.te b/policy/modules/services/zebra.te
index c0e3924..6cfc28c 100644
--- a/policy/modules/services/zebra.te
+++ b/policy/modules/services/zebra.te
@@ -1,5 +1,5 @@
-policy_module(zebra,1.4.0)
+policy_module(zebra,1.4.1)
########################################
#
@@ -67,7 +67,8 @@ kernel_read_system_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
-corenet_non_ipsec_sendrecv(zebra_t)
+corenet_all_recvfrom_unlabeled(zebra_t)
+corenet_all_recvfrom_netlabel(zebra_t)
corenet_tcp_sendrecv_all_if(zebra_t)
corenet_udp_sendrecv_all_if(zebra_t)
corenet_raw_sendrecv_all_if(zebra_t)
diff --git a/policy/modules/system/hotplug.te b/policy/modules/system/hotplug.te
index 9ab1d39..d2450f3 100644
--- a/policy/modules/system/hotplug.te
+++ b/policy/modules/system/hotplug.te
@@ -1,5 +1,5 @@
-policy_module(hotplug,1.5.1)
+policy_module(hotplug,1.5.2)
########################################
#
@@ -51,7 +51,8 @@ kernel_read_net_sysctls(hotplug_t)
files_read_kernel_modules(hotplug_t)
-corenet_non_ipsec_sendrecv(hotplug_t)
+corenet_all_recvfrom_unlabeled(hotplug_t)
+corenet_all_recvfrom_netlabel(hotplug_t)
corenet_tcp_sendrecv_all_if(hotplug_t)
corenet_udp_sendrecv_all_if(hotplug_t)
corenet_tcp_sendrecv_all_nodes(hotplug_t)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index c0c0b99..cf0c2ac 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1,5 +1,5 @@
-policy_module(init,1.6.1)
+policy_module(init,1.6.2)
gen_require(`
class passwd rootok;
@@ -247,7 +247,8 @@ kernel_dontaudit_getattr_message_if(initrc_t)
files_read_kernel_symbol_table(initrc_t)
-corenet_non_ipsec_sendrecv(initrc_t)
+corenet_all_recvfrom_unlabeled(initrc_t)
+corenet_all_recvfrom_netlabel(initrc_t)
corenet_tcp_sendrecv_all_if(initrc_t)
corenet_udp_sendrecv_all_if(initrc_t)
corenet_tcp_sendrecv_all_nodes(initrc_t)
diff --git a/policy/modules/system/ipsec.te b/policy/modules/system/ipsec.te
index 06163e4..58e65bd 100644
--- a/policy/modules/system/ipsec.te
+++ b/policy/modules/system/ipsec.te
@@ -1,5 +1,5 @@
-policy_module(ipsec,1.3.0)
+policy_module(ipsec,1.3.1)
########################################
#
@@ -95,7 +95,7 @@ kernel_getattr_core_if(ipsec_t)
kernel_getattr_message_if(ipsec_t)
# Pluto needs network access
-corenet_non_ipsec_sendrecv(ipsec_t)
+corenet_all_recvfrom_unlabeled(ipsec_t)
corenet_tcp_sendrecv_all_if(ipsec_t)
corenet_raw_sendrecv_all_if(ipsec_t)
corenet_tcp_sendrecv_all_nodes(ipsec_t)
@@ -307,7 +307,7 @@ allow racoon_t ipsec_spd_t:association setcontext;
kernel_read_network_state(racoon_t)
-corenet_non_ipsec_sendrecv(racoon_t)
+corenet_all_recvfrom_unlabeled(racoon_t)
corenet_tcp_bind_all_nodes(racoon_t)
corenet_udp_bind_isakmp_port(racoon_t)
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te
index d91cba4..02c57fd 100644
--- a/policy/modules/system/iscsi.te
+++ b/policy/modules/system/iscsi.te
@@ -1,5 +1,5 @@
-policy_module(iscsid,1.1.0)
+policy_module(iscsid,1.1.1)
########################################
#
@@ -54,7 +54,8 @@ files_search_var_lib(iscsid_t)
manage_files_pattern(iscsid_t,iscsi_var_run_t,iscsi_var_run_t)
files_pid_filetrans(iscsid_t,iscsi_var_run_t,file)
-corenet_non_ipsec_sendrecv(iscsid_t)
+corenet_all_recvfrom_unlabeled(iscsid_t)
+corenet_all_recvfrom_netlabel(iscsid_t)
corenet_tcp_sendrecv_all_if(iscsid_t)
corenet_tcp_sendrecv_all_nodes(iscsid_t)
corenet_tcp_sendrecv_all_ports(iscsid_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index ab0e9a3..8e9b3e7 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging,1.6.1)
+policy_module(logging,1.6.2)
########################################
#
@@ -303,7 +303,8 @@ init_read_utmp(syslogd_t)
init_dontaudit_write_utmp(syslogd_t)
term_write_all_user_ttys(syslogd_t)
-corenet_non_ipsec_sendrecv(syslogd_t)
+corenet_all_recvfrom_unlabeled(syslogd_t)
+corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_all_if(syslogd_t)
corenet_udp_sendrecv_all_nodes(syslogd_t)
corenet_udp_sendrecv_all_ports(syslogd_t)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index e23daa8..7944156 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -1,5 +1,5 @@
-policy_module(lvm,1.6.0)
+policy_module(lvm,1.6.1)
########################################
#
@@ -69,7 +69,8 @@ kernel_dontaudit_getattr_core_if(clvmd_t)
corecmd_exec_shell(clvmd_t)
corecmd_getattr_bin_files(clvmd_t)
-corenet_non_ipsec_sendrecv(clvmd_t)
+corenet_all_recvfrom_unlabeled(clvmd_t)
+corenet_all_recvfrom_netlabel(clvmd_t)
corenet_tcp_sendrecv_all_if(clvmd_t)
corenet_udp_sendrecv_all_if(clvmd_t)
corenet_raw_sendrecv_all_if(clvmd_t)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 3713d67..5b88bd8 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -1,5 +1,5 @@
-policy_module(mount,1.6.0)
+policy_module(mount,1.6.1)
########################################
#
@@ -139,7 +139,8 @@ ifdef(`targeted_policy',`
optional_policy(`
# for nfs
- corenet_non_ipsec_sendrecv(mount_t)
+ corenet_all_recvfrom_unlabeled(mount_t)
+ corenet_all_recvfrom_netlabel(mount_t)
corenet_tcp_sendrecv_all_if(mount_t)
corenet_raw_sendrecv_all_if(mount_t)
corenet_udp_sendrecv_all_if(mount_t)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 5b9c2cd..970e2cf 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -480,7 +480,8 @@ interface(`sysnet_dns_name_resolve',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
@@ -511,7 +512,8 @@ interface(`sysnet_use_ldap',`
allow $1 self:tcp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
corenet_tcp_sendrecv_ldap_port($1)
@@ -540,7 +542,8 @@ interface(`sysnet_use_portmap',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1)
+ corenet_all_recvfrom_unlabeled($1)
+ corenet_all_recvfrom_netlabel($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
corenet_tcp_sendrecv_all_nodes($1)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 285bc86..3422da9 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -1,5 +1,5 @@
-policy_module(sysnetwork,1.3.0)
+policy_module(sysnetwork,1.3.1)
########################################
#
@@ -84,7 +84,8 @@ kernel_read_network_state(dhcpc_t)
kernel_read_kernel_sysctls(dhcpc_t)
kernel_use_fds(dhcpc_t)
-corenet_non_ipsec_sendrecv(dhcpc_t)
+corenet_all_recvfrom_unlabeled(dhcpc_t)
+corenet_all_recvfrom_netlabel(dhcpc_t)
corenet_tcp_sendrecv_all_if(dhcpc_t)
corenet_raw_sendrecv_all_if(dhcpc_t)
corenet_udp_sendrecv_all_if(dhcpc_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index fcd4572..6db2c1f 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -537,7 +537,8 @@ template(`userdom_basic_networking_template',`
allow $1_t self:tcp_socket create_stream_socket_perms;
allow $1_t self:udp_socket create_socket_perms;
- corenet_non_ipsec_sendrecv($1_t)
+ corenet_all_recvfrom_unlabeled($1_t)
+ corenet_all_recvfrom_netlabel($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_tcp_sendrecv_all_nodes($1_t)
@@ -546,12 +547,6 @@ template(`userdom_basic_networking_template',`
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
-
- ifdef(`enable_mls',`
- # netlabel/CIPSO labeled networking
- corenet_tcp_recv_netlabel($1_t)
- corenet_udp_recv_netlabel($1_t)
- ')
')
#######################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 22ac2f2..1b7597c 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,2.2.3)
+policy_module(userdomain,2.2.4)
gen_require(`
role sysadm_r, staff_r, user_r;
diff --git a/policy/modules/system/xen.te b/policy/modules/system/xen.te
index 9d1d1ed..570613d 100644
--- a/policy/modules/system/xen.te
+++ b/policy/modules/system/xen.te
@@ -1,5 +1,5 @@
-policy_module(xen,1.3.1)
+policy_module(xen,1.3.2)
########################################
#
@@ -142,7 +142,8 @@ kernel_read_network_state(xend_t)
corecmd_exec_bin(xend_t)
corecmd_exec_shell(xend_t)
-corenet_non_ipsec_sendrecv(xend_t)
+corenet_all_recvfrom_unlabeled(xend_t)
+corenet_all_recvfrom_netlabel(xend_t)
corenet_tcp_sendrecv_all_if(xend_t)
corenet_tcp_sendrecv_all_nodes(xend_t)
corenet_tcp_sendrecv_all_ports(xend_t)
More information about the scm-commits
mailing list