From: "Paul Moore" <paul.moore@hp.com>
To: selinux@tycho.nsa.gov
Cc: cpebenito@tresys.com, Paul Moore <paul.moore@hp.com>
Subject: [PATCH 3/5] Add NetLabel labeled and unlabeled support to the service domains
Date: Thu, 14 Jun 2007 15:55:05 -0400
Message-ID: <20070614200100.885758728@hp.com>
In-Reply-To: 20070614195502.420663549@hp.com

This patch adds calls to the NetLabel corenet policy interfaces to grant the
relevant service domains access to NetLabel labeled and unlabeled packets.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
policy/modules/services/afs.te | 20 ++++++++++++++++++
policy/modules/services/amavis.te | 4 +++
policy/modules/services/apache.if | 8 +++++++
policy/modules/services/apache.te | 8 +++++++
policy/modules/services/apcupsd.te | 4 +++
policy/modules/services/arpwatch.te | 4 +++
policy/modules/services/asterisk.te | 4 +++
policy/modules/services/automount.te | 4 +++
policy/modules/services/avahi.te | 4 +++
policy/modules/services/bind.te | 4 +++
policy/modules/services/bluetooth.te | 4 +++
policy/modules/services/canna.te | 2 +
policy/modules/services/ccs.te | 4 +++
policy/modules/services/cipe.te | 2 +
policy/modules/services/clamav.te | 4 +++
policy/modules/services/clockspeed.te | 4 +++
policy/modules/services/comsat.te | 4 +++
policy/modules/services/courier.if | 4 +++
policy/modules/services/cron.if | 4 +++
policy/modules/services/cron.te | 4 +++
policy/modules/services/cups.te | 18 ++++++++++++++++
policy/modules/services/cvs.te | 4 +++
policy/modules/services/cyrus.te | 4 +++
policy/modules/services/dante.te | 4 +++
policy/modules/services/dbskk.te | 4 +++
policy/modules/services/dbus.if | 4 +++
policy/modules/services/dcc.te | 12 +++++++++++
policy/modules/services/ddclient.te | 4 +++
policy/modules/services/dhcp.te | 6 +++++
policy/modules/services/dictd.te | 6 +++++
policy/modules/services/distcc.te | 4 +++
policy/modules/services/djbdns.if | 4 +++
policy/modules/services/dnsmasq.te | 6 +++++
policy/modules/services/dovecot.te | 2 +
policy/modules/services/fetchmail.te | 4 +++
policy/modules/services/finger.te | 4 +++
policy/modules/services/ftp.te | 4 +++
policy/modules/services/gatekeeper.te | 4 +++
policy/modules/services/hal.te | 4 +++
policy/modules/services/howl.te | 4 +++
policy/modules/services/i18n_input.te | 4 +++
policy/modules/services/imaze.te | 4 +++
policy/modules/services/inetd.te | 13 +++++++-----
policy/modules/services/inn.te | 4 +++
policy/modules/services/ircd.te | 4 +++
policy/modules/services/jabber.te | 4 +++
policy/modules/services/kerberos.if | 4 +++
policy/modules/services/kerberos.te | 8 +++++++
policy/modules/services/ktalk.te | 4 +++
policy/modules/services/ldap.te | 4 +++
policy/modules/services/lpd.if | 4 +++
policy/modules/services/lpd.te | 8 +++++++
policy/modules/services/mailman.if | 4 +++
policy/modules/services/monop.te | 4 +++
policy/modules/services/mta.if | 2 +
policy/modules/services/munin.te | 4 +++
policy/modules/services/mysql.te | 4 +++
policy/modules/services/nagios.te | 4 +++
policy/modules/services/nessus.te | 6 +++++
policy/modules/services/networkmanager.te | 6 +++++
policy/modules/services/nis.if | 4 +++
policy/modules/services/nis.te | 16 +++++++++++++++
policy/modules/services/nscd.te | 4 +++
policy/modules/services/nsd.te | 8 +++++++
policy/modules/services/ntop.te | 6 +++++
policy/modules/services/nx.te | 4 +++
policy/modules/services/oav.te | 8 +++++++
policy/modules/services/openvpn.te | 4 +++
policy/modules/services/pcscd.te | 4 ++-
policy/modules/services/pegasus.te | 2 +
policy/modules/services/perdition.te | 4 +++
policy/modules/services/portmap.te | 10 ++++++++-
policy/modules/services/portslave.te | 4 +++
policy/modules/services/postfix.if | 4 +++
policy/modules/services/postfix.te | 8 +++++++
policy/modules/services/postgresql.te | 4 +++
policy/modules/services/postgrey.te | 2 +
policy/modules/services/ppp.te | 12 +++++++++++
policy/modules/services/privoxy.te | 2 +
policy/modules/services/procmail.te | 4 +++
policy/modules/services/pyzor.te | 2 +
policy/modules/services/qmail.te | 4 +++
policy/modules/services/radius.te | 4 +++
policy/modules/services/radvd.te | 6 +++++
policy/modules/services/razor.if | 4 +++
policy/modules/services/razor.te | 4 +++
policy/modules/services/rdisc.te | 4 +++
policy/modules/services/rhgb.te | 4 +++
policy/modules/services/ricci.te | 4 +++
policy/modules/services/rlogin.te | 4 +++
policy/modules/services/roundup.te | 6 +++++
policy/modules/services/rpc.if | 4 +++
policy/modules/services/rshd.te | 4 +++
policy/modules/services/rsync.te | 4 +++
policy/modules/services/rwho.te | 2 +
policy/modules/services/samba.te | 32 ++++++++++++++++++++++++++----
policy/modules/services/sasl.te | 2 +
policy/modules/services/sendmail.te | 2 +
policy/modules/services/setroubleshoot.te | 2 +
policy/modules/services/smartmon.te | 2 +
policy/modules/services/snmp.te | 4 +++
policy/modules/services/snort.te | 6 +++++
policy/modules/services/soundserver.te | 4 +++
policy/modules/services/spamassassin.if | 8 +++++++
policy/modules/services/spamassassin.te | 4 +++
policy/modules/services/squid.te | 4 +++
policy/modules/services/ssh.if | 8 ++++++-
policy/modules/services/stunnel.te | 4 +++
policy/modules/services/tcpd.te | 2 +
policy/modules/services/telnet.te | 4 +++
policy/modules/services/tftp.te | 4 +++
policy/modules/services/timidity.te | 4 +++
policy/modules/services/tor.te | 2 +
policy/modules/services/transproxy.te | 2 +
policy/modules/services/ucspitcp.te | 10 ++++++++-
policy/modules/services/uucp.te | 4 +++
policy/modules/services/uwimap.te | 2 +
policy/modules/services/watchdog.te | 4 +++
policy/modules/services/xprint.te | 4 +++
policy/modules/services/xserver.if | 4 +++
policy/modules/services/xserver.te | 4 +++
policy/modules/services/zebra.te | 6 +++++
122 files changed, 604 insertions(+), 13 deletions(-)
Index: refpolicy_svn_repo/policy/modules/services/afs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/afs.te
+++ refpolicy_svn_repo/policy/modules/services/afs.te
@@ -89,6 +89,10 @@ domtrans_pattern(afs_bosserver_t, afs_vl
kernel_read_kernel_sysctls(afs_bosserver_t)
+corenet_tcp_recv_unlabeled(afs_bosserver_t)
+corenet_udp_recv_unlabeled(afs_bosserver_t)
+corenet_tcp_recv_netlabel(afs_bosserver_t)
+corenet_udp_recv_netlabel(afs_bosserver_t)
corenet_non_ipsec_sendrecv(afs_bosserver_t)
corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
corenet_udp_sendrecv_generic_if(afs_bosserver_t)
@@ -153,6 +157,10 @@ corenet_tcp_sendrecv_all_nodes(afs_fsser
corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
corenet_udp_sendrecv_all_ports(afs_fsserver_t)
+corenet_tcp_recv_unlabeled(afs_fsserver_t)
+corenet_udp_recv_unlabeled(afs_fsserver_t)
+corenet_tcp_recv_netlabel(afs_fsserver_t)
+corenet_udp_recv_netlabel(afs_fsserver_t)
corenet_non_ipsec_sendrecv(afs_fsserver_t)
corenet_tcp_bind_all_nodes(afs_fsserver_t)
corenet_udp_bind_all_nodes(afs_fsserver_t)
@@ -206,6 +214,10 @@ manage_files_pattern(afs_kaserver_t,afs_
kernel_read_kernel_sysctls(afs_kaserver_t)
+corenet_tcp_recv_unlabeled(afs_kaserver_t)
+corenet_udp_recv_unlabeled(afs_kaserver_t)
+corenet_tcp_recv_netlabel(afs_kaserver_t)
+corenet_udp_recv_netlabel(afs_kaserver_t)
corenet_non_ipsec_sendrecv(afs_kaserver_t)
corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
corenet_udp_sendrecv_generic_if(afs_kaserver_t)
@@ -253,6 +265,10 @@ manage_files_pattern(afs_ptserver_t,afs_
manage_files_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t)
filetrans_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t,file)
+corenet_tcp_recv_unlabeled(afs_ptserver_t)
+corenet_udp_recv_unlabeled(afs_ptserver_t)
+corenet_tcp_recv_netlabel(afs_ptserver_t)
+corenet_udp_recv_netlabel(afs_ptserver_t)
corenet_non_ipsec_sendrecv(afs_ptserver_t)
corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
corenet_udp_sendrecv_generic_if(afs_ptserver_t)
@@ -294,6 +310,10 @@ manage_files_pattern(afs_vlserver_t,afs_
manage_files_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t)
filetrans_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t,file)
+corenet_tcp_recv_unlabeled(afs_vlserver_t)
+corenet_udp_recv_unlabeled(afs_vlserver_t)
+corenet_tcp_recv_netlabel(afs_vlserver_t)
+corenet_udp_recv_netlabel(afs_vlserver_t)
corenet_non_ipsec_sendrecv(afs_vlserver_t)
corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
corenet_udp_sendrecv_generic_if(afs_vlserver_t)
Index: refpolicy_svn_repo/policy/modules/services/amavis.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/amavis.te
+++ refpolicy_svn_repo/policy/modules/services/amavis.te
@@ -100,6 +100,10 @@ kernel_dontaudit_read_system_state(amavi
# find perl
corecmd_exec_bin(amavis_t)
+corenet_tcp_recv_unlabeled(amavis_t)
+corenet_udp_recv_unlabeled(amavis_t)
+corenet_tcp_recv_netlabel(amavis_t)
+corenet_udp_recv_netlabel(amavis_t)
corenet_non_ipsec_sendrecv(amavis_t)
corenet_tcp_sendrecv_all_if(amavis_t)
corenet_tcp_sendrecv_all_nodes(amavis_t)
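Review bot: the udp pair added for amavis_t is not backed by the context that follows, which lists only `corenet_tcp_sendrecv_all_if(amavis_t)` and `corenet_tcp_sendrecv_all_nodes(amavis_t)`. Where the surrounding rules are tcp-only (canna.te, clamav.te, cupsd_config_t) this patch adds just the tcp pair; unless amavis_t has udp sendrecv rules further down the file, do the same here and drop `corenet_udp_recv_unlabeled` and `corenet_udp_recv_netlabel`.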
Index: refpolicy_svn_repo/policy/modules/services/apache.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/apache.if
+++ refpolicy_svn_repo/policy/modules/services/apache.if
@@ -181,6 +181,10 @@ template(`apache_content_template',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
+ corenet_tcp_recv_unlabeled(httpd_$1_script_t)
+ corenet_udp_recv_unlabeled(httpd_$1_script_t)
+ corenet_tcp_recv_netlabel(httpd_$1_script_t)
+ corenet_udp_recv_netlabel(httpd_$1_script_t)
corenet_non_ipsec_sendrecv(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
@@ -200,6 +204,10 @@ template(`apache_content_template',`
allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
allow httpd_$1_script_t self:udp_socket create_socket_perms;
+ corenet_tcp_recv_unlabeled(httpd_$1_script_t)
+ corenet_udp_recv_unlabeled(httpd_$1_script_t)
+ corenet_tcp_recv_netlabel(httpd_$1_script_t)
+ corenet_udp_recv_netlabel(httpd_$1_script_t)
corenet_non_ipsec_sendrecv(httpd_$1_script_t)
corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
corenet_udp_sendrecv_all_if(httpd_$1_script_t)
Index: refpolicy_svn_repo/policy/modules/services/apache.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/apache.te
+++ refpolicy_svn_repo/policy/modules/services/apache.te
@@ -298,6 +298,10 @@ kernel_read_kernel_sysctls(httpd_t)
# for modules that want to access /proc/meminfo
kernel_read_system_state(httpd_t)
+corenet_tcp_recv_unlabeled(httpd_t)
+corenet_udp_recv_unlabeled(httpd_t)
+corenet_tcp_recv_netlabel(httpd_t)
+corenet_udp_recv_netlabel(httpd_t)
corenet_non_ipsec_sendrecv(httpd_t)
corenet_tcp_sendrecv_all_if(httpd_t)
corenet_udp_sendrecv_all_if(httpd_t)
@@ -641,6 +645,10 @@ tunable_policy(`httpd_can_network_connec
allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
allow httpd_suexec_t self:udp_socket create_socket_perms;
+ corenet_tcp_recv_unlabeled(httpd_suexec_t)
+ corenet_udp_recv_unlabeled(httpd_suexec_t)
+ corenet_tcp_recv_netlabel(httpd_suexec_t)
+ corenet_udp_recv_netlabel(httpd_suexec_t)
corenet_non_ipsec_sendrecv(httpd_suexec_t)
corenet_tcp_sendrecv_all_if(httpd_suexec_t)
corenet_udp_sendrecv_all_if(httpd_suexec_t)
Index: refpolicy_svn_repo/policy/modules/services/apcupsd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/apcupsd.te
+++ refpolicy_svn_repo/policy/modules/services/apcupsd.te
@@ -39,6 +39,10 @@ logging_log_filetrans(apcupsd_t,apcupsd_
manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)
+corenet_tcp_recv_unlabeled(apcupsd_t)
+corenet_udp_recv_unlabeled(apcupsd_t)
+corenet_tcp_recv_netlabel(apcupsd_t)
+corenet_udp_recv_netlabel(apcupsd_t)
corenet_non_ipsec_sendrecv(apcupsd_t)
corenet_tcp_sendrecv_generic_if(apcupsd_t)
corenet_tcp_sendrecv_all_nodes(apcupsd_t)
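Review bot: `corenet_udp_recv_unlabeled(apcupsd_t)` and `corenet_udp_recv_netlabel(apcupsd_t)` look wider than the domain needs, since the rules right after the insertion are `corenet_tcp_sendrecv_generic_if` and `corenet_tcp_sendrecv_all_nodes` with no udp counterpart in view. Please confirm apcupsd_t has udp network rules elsewhere in the file, or restrict the addition to the two tcp calls.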
Index: refpolicy_svn_repo/policy/modules/services/arpwatch.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/arpwatch.te
+++ refpolicy_svn_repo/policy/modules/services/arpwatch.te
@@ -47,6 +47,10 @@ kernel_read_kernel_sysctls(arpwatch_t)
kernel_list_proc(arpwatch_t)
kernel_read_proc_symlinks(arpwatch_t)
+corenet_tcp_recv_unlabeled(arpwatch_t)
+corenet_udp_recv_unlabeled(arpwatch_t)
+corenet_tcp_recv_netlabel(arpwatch_t)
+corenet_udp_recv_netlabel(arpwatch_t)
corenet_non_ipsec_sendrecv(arpwatch_t)
corenet_tcp_sendrecv_all_if(arpwatch_t)
corenet_udp_sendrecv_all_if(arpwatch_t)
Index: refpolicy_svn_repo/policy/modules/services/asterisk.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/asterisk.te
+++ refpolicy_svn_repo/policy/modules/services/asterisk.te
@@ -82,6 +82,10 @@ kernel_read_kernel_sysctls(asterisk_t)
corecmd_exec_bin(asterisk_t)
corecmd_search_bin(asterisk_t)
+corenet_tcp_recv_unlabeled(asterisk_t)
+corenet_udp_recv_unlabeled(asterisk_t)
+corenet_tcp_recv_netlabel(asterisk_t)
+corenet_udp_recv_netlabel(asterisk_t)
corenet_non_ipsec_sendrecv(asterisk_t)
corenet_tcp_sendrecv_generic_if(asterisk_t)
corenet_udp_sendrecv_generic_if(asterisk_t)
Index: refpolicy_svn_repo/policy/modules/services/automount.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/automount.te
+++ refpolicy_svn_repo/policy/modules/services/automount.te
@@ -76,6 +76,10 @@ fs_unmount_all_fs(automount_t)
corecmd_exec_bin(automount_t)
corecmd_exec_shell(automount_t)
+corenet_tcp_recv_unlabeled(automount_t)
+corenet_udp_recv_unlabeled(automount_t)
+corenet_tcp_recv_netlabel(automount_t)
+corenet_udp_recv_netlabel(automount_t)
corenet_non_ipsec_sendrecv(automount_t)
corenet_tcp_sendrecv_generic_if(automount_t)
corenet_udp_sendrecv_generic_if(automount_t)
Index: refpolicy_svn_repo/policy/modules/services/avahi.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/avahi.te
+++ refpolicy_svn_repo/policy/modules/services/avahi.te
@@ -37,6 +37,10 @@ kernel_list_proc(avahi_t)
kernel_read_proc_symlinks(avahi_t)
kernel_read_network_state(avahi_t)
+corenet_tcp_recv_unlabeled(avahi_t)
+corenet_udp_recv_unlabeled(avahi_t)
+corenet_tcp_recv_netlabel(avahi_t)
+corenet_udp_recv_netlabel(avahi_t)
corenet_non_ipsec_sendrecv(avahi_t)
corenet_tcp_sendrecv_all_if(avahi_t)
corenet_udp_sendrecv_all_if(avahi_t)
Index: refpolicy_svn_repo/policy/modules/services/bind.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/bind.te
+++ refpolicy_svn_repo/policy/modules/services/bind.te
@@ -101,6 +101,10 @@ kernel_read_kernel_sysctls(named_t)
kernel_read_system_state(named_t)
kernel_read_network_state(named_t)
+corenet_tcp_recv_unlabeled(named_t)
+corenet_udp_recv_unlabeled(named_t)
+corenet_tcp_recv_netlabel(named_t)
+corenet_udp_recv_netlabel(named_t)
corenet_non_ipsec_sendrecv(named_t)
corenet_tcp_sendrecv_all_if(named_t)
corenet_udp_sendrecv_all_if(named_t)
Index: refpolicy_svn_repo/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/bluetooth.te
+++ refpolicy_svn_repo/policy/modules/services/bluetooth.te
@@ -81,6 +81,10 @@ files_pid_filetrans(bluetooth_t, bluetoo
kernel_read_kernel_sysctls(bluetooth_t)
kernel_read_system_state(bluetooth_t)
+corenet_tcp_recv_unlabeled(bluetooth_t)
+corenet_udp_recv_unlabeled(bluetooth_t)
+corenet_tcp_recv_netlabel(bluetooth_t)
+corenet_udp_recv_netlabel(bluetooth_t)
corenet_non_ipsec_sendrecv(bluetooth_t)
corenet_tcp_sendrecv_all_if(bluetooth_t)
corenet_udp_sendrecv_all_if(bluetooth_t)
Index: refpolicy_svn_repo/policy/modules/services/canna.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/canna.te
+++ refpolicy_svn_repo/policy/modules/services/canna.te
@@ -47,6 +47,8 @@ files_pid_filetrans(canna_t, canna_var_r
kernel_read_kernel_sysctls(canna_t)
kernel_read_system_state(canna_t)
+corenet_tcp_recv_unlabeled(canna_t)
+corenet_tcp_recv_netlabel(canna_t)
corenet_non_ipsec_sendrecv(canna_t)
corenet_tcp_sendrecv_all_if(canna_t)
corenet_tcp_sendrecv_all_nodes(canna_t)
Index: refpolicy_svn_repo/policy/modules/services/ccs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ccs.te
+++ refpolicy_svn_repo/policy/modules/services/ccs.te
@@ -77,6 +77,10 @@ kernel_read_kernel_sysctls(ccs_t)
corecmd_list_bin(ccs_t)
corecmd_exec_bin(ccs_t)
+corenet_tcp_recv_unlabeled(ccs_t)
+corenet_udp_recv_unlabeled(ccs_t)
+corenet_tcp_recv_netlabel(ccs_t)
+corenet_udp_recv_netlabel(ccs_t)
corenet_non_ipsec_sendrecv(ccs_t)
corenet_tcp_sendrecv_all_if(ccs_t)
corenet_udp_sendrecv_all_if(ccs_t)
Index: refpolicy_svn_repo/policy/modules/services/cipe.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cipe.te
+++ refpolicy_svn_repo/policy/modules/services/cipe.te
@@ -29,6 +29,8 @@ kernel_read_system_state(ciped_t)
corecmd_exec_shell(ciped_t)
corecmd_exec_bin(ciped_t)
+corenet_udp_recv_unlabeled(ciped_t)
+corenet_udp_recv_netlabel(ciped_t)
corenet_non_ipsec_sendrecv(ciped_t)
corenet_udp_sendrecv_generic_if(ciped_t)
corenet_udp_sendrecv_all_nodes(ciped_t)
Index: refpolicy_svn_repo/policy/modules/services/clamav.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/clamav.te
+++ refpolicy_svn_repo/policy/modules/services/clamav.te
@@ -86,6 +86,8 @@ files_pid_filetrans(clamd_t,clamd_var_ru
kernel_dontaudit_list_proc(clamd_t)
kernel_read_sysctl(clamd_t)
+corenet_tcp_recv_unlabeled(clamd_t)
+corenet_tcp_recv_netlabel(clamd_t)
corenet_non_ipsec_sendrecv(clamd_t)
corenet_tcp_sendrecv_all_if(clamd_t)
corenet_tcp_sendrecv_all_nodes(clamd_t)
@@ -159,6 +161,8 @@ allow freshclam_t freshclam_var_log_t:di
allow freshclam_t clamd_var_log_t:dir search_dir_perms;
logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)
+corenet_tcp_recv_unlabeled(freshclam_t)
+corenet_tcp_recv_netlabel(freshclam_t)
corenet_non_ipsec_sendrecv(freshclam_t)
corenet_tcp_sendrecv_all_if(freshclam_t)
corenet_tcp_sendrecv_all_nodes(freshclam_t)
Index: refpolicy_svn_repo/policy/modules/services/clockspeed.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/clockspeed.te
+++ refpolicy_svn_repo/policy/modules/services/clockspeed.te
@@ -28,6 +28,8 @@ allow clockspeed_cli_t self:udp_socket c
read_files_pattern(clockspeed_cli_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
+corenet_udp_recv_unlabeled(clockspeed_cli_t)
+corenet_udp_recv_netlabel(clockspeed_cli_t)
corenet_non_ipsec_sendrecv(clockspeed_cli_t)
corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
@@ -55,6 +57,8 @@ allow clockspeed_srv_t self:unix_stream_
manage_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
manage_fifo_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
+corenet_udp_recv_unlabeled(clockspeed_srv_t)
+corenet_udp_recv_netlabel(clockspeed_srv_t)
corenet_non_ipsec_sendrecv(clockspeed_srv_t)
corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
Index: refpolicy_svn_repo/policy/modules/services/comsat.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/comsat.te
+++ refpolicy_svn_repo/policy/modules/services/comsat.te
@@ -40,6 +40,10 @@ kernel_read_kernel_sysctls(comsat_t)
kernel_read_network_state(comsat_t)
kernel_read_system_state(comsat_t)
+corenet_tcp_recv_unlabeled(comsat_t)
+corenet_udp_recv_unlabeled(comsat_t)
+corenet_tcp_recv_netlabel(comsat_t)
+corenet_udp_recv_netlabel(comsat_t)
corenet_non_ipsec_sendrecv(comsat_t)
corenet_tcp_sendrecv_all_if(comsat_t)
corenet_udp_sendrecv_all_if(comsat_t)
Index: refpolicy_svn_repo/policy/modules/services/courier.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/courier.if
+++ refpolicy_svn_repo/policy/modules/services/courier.if
@@ -48,6 +48,10 @@ template(`courier_domain_template',`
corecmd_exec_bin(courier_$1_t)
+ corenet_tcp_recv_unlabeled(courier_$1_t)
+ corenet_udp_recv_unlabeled(courier_$1_t)
+ corenet_tcp_recv_netlabel(courier_$1_t)
+ corenet_udp_recv_netlabel(courier_$1_t)
corenet_non_ipsec_sendrecv(courier_$1_t)
corenet_tcp_sendrecv_generic_if(courier_$1_t)
corenet_udp_sendrecv_generic_if(courier_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/cron.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cron.if
+++ refpolicy_svn_repo/policy/modules/services/cron.if
@@ -94,6 +94,10 @@ template(`cron_per_role_template',`
# ps does not need to access /boot when run from cron
files_dontaudit_search_boot($1_crond_t)
+ corenet_tcp_recv_unlabeled($1_crond_t)
+ corenet_udp_recv_unlabeled($1_crond_t)
+ corenet_tcp_recv_netlabel($1_crond_t)
+ corenet_udp_recv_netlabel($1_crond_t)
corenet_non_ipsec_sendrecv($1_crond_t)
corenet_tcp_sendrecv_all_if($1_crond_t)
corenet_udp_sendrecv_all_if($1_crond_t)
Index: refpolicy_svn_repo/policy/modules/services/cron.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cron.te
+++ refpolicy_svn_repo/policy/modules/services/cron.te
@@ -327,6 +327,10 @@ ifdef(`targeted_policy',`
corecmd_exec_all_executables(system_crond_t)
+ corenet_tcp_recv_unlabeled(system_crond_t)
+ corenet_udp_recv_unlabeled(system_crond_t)
+ corenet_tcp_recv_netlabel(system_crond_t)
+ corenet_udp_recv_netlabel(system_crond_t)
corenet_non_ipsec_sendrecv(system_crond_t)
corenet_tcp_sendrecv_all_if(system_crond_t)
corenet_udp_sendrecv_all_if(system_crond_t)
Index: refpolicy_svn_repo/policy/modules/services/cups.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cups.te
+++ refpolicy_svn_repo/policy/modules/services/cups.te
@@ -133,6 +133,12 @@ kernel_read_system_state(cupsd_t)
kernel_read_network_state(cupsd_t)
kernel_read_all_sysctls(cupsd_t)
+corenet_tcp_recv_unlabeled(cupsd_t)
+corenet_udp_recv_unlabeled(cupsd_t)
+corenet_raw_recv_unlabeled(cupsd_t)
+corenet_tcp_recv_netlabel(cupsd_t)
+corenet_udp_recv_netlabel(cupsd_t)
+corenet_raw_recv_unlabeled(cupsd_t)
corenet_non_ipsec_sendrecv(cupsd_t)
corenet_tcp_sendrecv_all_if(cupsd_t)
corenet_udp_sendrecv_all_if(cupsd_t)
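Review bot: the last added line in the cupsd_t block repeats `corenet_raw_recv_unlabeled(cupsd_t)`, so the domain is granted the unlabeled raw permission twice and never receives the NetLabel one. The dhcp.te, dictd.te and dnsmasq.te hunks pair `corenet_raw_recv_unlabeled` with `corenet_raw_recv_netlabel`; the sixth added line here should be `corenet_raw_recv_netlabel(cupsd_t)`.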
@@ -340,6 +346,8 @@ files_pid_filetrans(cupsd_config_t,cupsd
kernel_read_system_state(cupsd_config_t)
kernel_read_kernel_sysctls(cupsd_config_t)
+corenet_tcp_recv_unlabeled(cupsd_config_t)
+corenet_tcp_recv_netlabel(cupsd_config_t)
corenet_non_ipsec_sendrecv(cupsd_config_t)
corenet_tcp_sendrecv_all_if(cupsd_config_t)
corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
@@ -491,6 +499,10 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
kernel_read_system_state(cupsd_lpd_t)
kernel_read_network_state(cupsd_lpd_t)
+corenet_tcp_recv_unlabeled(cupsd_lpd_t)
+corenet_udp_recv_unlabeled(cupsd_lpd_t)
+corenet_tcp_recv_netlabel(cupsd_lpd_t)
+corenet_udp_recv_netlabel(cupsd_lpd_t)
corenet_non_ipsec_sendrecv(cupsd_lpd_t)
corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
corenet_udp_sendrecv_all_if(cupsd_lpd_t)
@@ -564,6 +576,10 @@ files_pid_filetrans(hplip_t,hplip_var_ru
kernel_read_system_state(hplip_t)
kernel_read_kernel_sysctls(hplip_t)
+corenet_tcp_recv_unlabeled(hplip_t)
+corenet_udp_recv_unlabeled(hplip_t)
+corenet_tcp_recv_netlabel(hplip_t)
+corenet_udp_recv_netlabel(hplip_t)
corenet_non_ipsec_sendrecv(hplip_t)
corenet_tcp_sendrecv_all_if(hplip_t)
corenet_udp_sendrecv_all_if(hplip_t)
@@ -661,6 +677,8 @@ kernel_read_kernel_sysctls(ptal_t)
kernel_list_proc(ptal_t)
kernel_read_proc_symlinks(ptal_t)
+corenet_tcp_recv_unlabeled(ptal_t)
+corenet_tcp_recv_netlabel(ptal_t)
corenet_non_ipsec_sendrecv(ptal_t)
corenet_tcp_sendrecv_all_if(ptal_t)
corenet_tcp_sendrecv_all_nodes(ptal_t)
Index: refpolicy_svn_repo/policy/modules/services/cvs.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cvs.te
+++ refpolicy_svn_repo/policy/modules/services/cvs.te
@@ -54,6 +54,10 @@ kernel_read_kernel_sysctls(cvs_t)
kernel_read_system_state(cvs_t)
kernel_read_network_state(cvs_t)
+corenet_tcp_recv_unlabeled(cvs_t)
+corenet_udp_recv_unlabeled(cvs_t)
+corenet_tcp_recv_netlabel(cvs_t)
+corenet_udp_recv_netlabel(cvs_t)
corenet_non_ipsec_sendrecv(cvs_t)
corenet_tcp_sendrecv_all_if(cvs_t)
corenet_udp_sendrecv_all_if(cvs_t)
Index: refpolicy_svn_repo/policy/modules/services/cyrus.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/cyrus.te
+++ refpolicy_svn_repo/policy/modules/services/cyrus.te
@@ -61,6 +61,10 @@ kernel_read_kernel_sysctls(cyrus_t)
kernel_read_system_state(cyrus_t)
kernel_read_all_sysctls(cyrus_t)
+corenet_tcp_recv_unlabeled(cyrus_t)
+corenet_udp_recv_unlabeled(cyrus_t)
+corenet_tcp_recv_netlabel(cyrus_t)
+corenet_udp_recv_netlabel(cyrus_t)
corenet_non_ipsec_sendrecv(cyrus_t)
corenet_tcp_sendrecv_all_if(cyrus_t)
corenet_udp_sendrecv_all_if(cyrus_t)
Index: refpolicy_svn_repo/policy/modules/services/dante.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dante.te
+++ refpolicy_svn_repo/policy/modules/services/dante.te
@@ -38,6 +38,10 @@ kernel_read_kernel_sysctls(dante_t)
kernel_list_proc(dante_t)
kernel_read_proc_symlinks(dante_t)
+corenet_tcp_recv_unlabeled(dante_t)
+corenet_udp_recv_unlabeled(dante_t)
+corenet_tcp_recv_netlabel(dante_t)
+corenet_udp_recv_netlabel(dante_t)
corenet_non_ipsec_sendrecv(dante_t)
corenet_tcp_sendrecv_generic_if(dante_t)
corenet_udp_sendrecv_generic_if(dante_t)
Index: refpolicy_svn_repo/policy/modules/services/dbskk.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dbskk.te
+++ refpolicy_svn_repo/policy/modules/services/dbskk.te
@@ -48,6 +48,10 @@ kernel_read_kernel_sysctls(dbskkd_t)
kernel_read_system_state(dbskkd_t)
kernel_read_network_state(dbskkd_t)
+corenet_tcp_recv_unlabeled(dbskkd_t)
+corenet_udp_recv_unlabeled(dbskkd_t)
+corenet_tcp_recv_netlabel(dbskkd_t)
+corenet_udp_recv_netlabel(dbskkd_t)
corenet_non_ipsec_sendrecv(dbskkd_t)
corenet_tcp_sendrecv_all_if(dbskkd_t)
corenet_udp_sendrecv_all_if(dbskkd_t)
Index: refpolicy_svn_repo/policy/modules/services/dbus.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dbus.if
+++ refpolicy_svn_repo/policy/modules/services/dbus.if
@@ -107,6 +107,10 @@ template(`dbus_per_role_template',`
corecmd_read_bin_pipes($1_dbusd_t)
corecmd_read_bin_sockets($1_dbusd_t)
+ corenet_tcp_recv_unlabeled($1_dbusd_t)
+ corenet_udp_recv_unlabeled($1_dbusd_t)
+ corenet_tcp_recv_netlabel($1_dbusd_t)
+ corenet_udp_recv_netlabel($1_dbusd_t)
corenet_non_ipsec_sendrecv($1_dbusd_t)
corenet_tcp_sendrecv_all_if($1_dbusd_t)
corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
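Review bot: in `dbus_per_role_template` the udp calls for `$1_dbusd_t` have no udp rule beside them; the context continues with `corenet_tcp_sendrecv_all_if` and `corenet_tcp_sendrecv_all_nodes` only. Because this is a template, any extra permission is copied into every per-role dbusd domain, so it is worth checking whether the template grants udp sendrecv anywhere and, if not, keeping only `corenet_tcp_recv_unlabeled` and `corenet_tcp_recv_netlabel`.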
Index: refpolicy_svn_repo/policy/modules/services/dcc.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dcc.te
+++ refpolicy_svn_repo/policy/modules/services/dcc.te
@@ -99,6 +99,8 @@ allow cdcc_t dcc_var_t:dir list_dir_perm
read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
+corenet_udp_recv_unlabeled(cdcc_t)
+corenet_udp_recv_netlabel(cdcc_t)
corenet_non_ipsec_sendrecv(cdcc_t)
corenet_udp_sendrecv_generic_if(cdcc_t)
corenet_udp_sendrecv_all_nodes(cdcc_t)
@@ -141,6 +143,8 @@ allow dcc_client_t dcc_var_t:dir list_di
read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
+corenet_udp_recv_unlabeled(dcc_client_t)
+corenet_udp_recv_netlabel(dcc_client_t)
corenet_non_ipsec_sendrecv(dcc_client_t)
corenet_udp_sendrecv_generic_if(dcc_client_t)
corenet_udp_sendrecv_all_nodes(dcc_client_t)
@@ -183,6 +187,8 @@ manage_lnk_files_pattern(dcc_dbclean_t,d
kernel_read_system_state(dcc_dbclean_t)
+corenet_udp_recv_unlabeled(dcc_dbclean_t)
+corenet_udp_recv_netlabel(dcc_dbclean_t)
corenet_non_ipsec_sendrecv(dcc_dbclean_t)
corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
@@ -243,6 +249,8 @@ files_pid_filetrans(dccd_t,dccd_var_run_
kernel_read_system_state(dccd_t)
kernel_read_kernel_sysctls(dccd_t)
+corenet_udp_recv_unlabeled(dccd_t)
+corenet_udp_recv_netlabel(dccd_t)
corenet_non_ipsec_sendrecv(dccd_t)
corenet_udp_sendrecv_generic_if(dccd_t)
corenet_udp_sendrecv_all_nodes(dccd_t)
@@ -324,6 +332,8 @@ files_pid_filetrans(dccifd_t,dccifd_var_
kernel_read_system_state(dccifd_t)
kernel_read_kernel_sysctls(dccifd_t)
+corenet_udp_recv_unlabeled(dccifd_t)
+corenet_udp_recv_netlabel(dccifd_t)
corenet_non_ipsec_sendrecv(dccifd_t)
corenet_udp_sendrecv_generic_if(dccifd_t)
corenet_udp_sendrecv_all_nodes(dccifd_t)
@@ -401,6 +411,8 @@ files_pid_filetrans(dccm_t,dccm_var_run_
kernel_read_system_state(dccm_t)
kernel_read_kernel_sysctls(dccm_t)
+corenet_udp_recv_unlabeled(dccm_t)
+corenet_udp_recv_netlabel(dccm_t)
corenet_non_ipsec_sendrecv(dccm_t)
corenet_udp_sendrecv_generic_if(dccm_t)
corenet_udp_sendrecv_all_nodes(dccm_t)
Index: refpolicy_svn_repo/policy/modules/services/ddclient.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ddclient.te
+++ refpolicy_svn_repo/policy/modules/services/ddclient.te
@@ -64,6 +64,10 @@ kernel_read_kernel_sysctls(ddclient_t)
corecmd_exec_shell(ddclient_t)
corecmd_exec_bin(ddclient_t)
+corenet_tcp_recv_unlabeled(ddclient_t)
+corenet_udp_recv_unlabeled(ddclient_t)
+corenet_tcp_recv_netlabel(ddclient_t)
+corenet_udp_recv_netlabel(ddclient_t)
corenet_non_ipsec_sendrecv(ddclient_t)
corenet_tcp_sendrecv_generic_if(ddclient_t)
corenet_udp_sendrecv_generic_if(ddclient_t)
Index: refpolicy_svn_repo/policy/modules/services/dhcp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dhcp.te
+++ refpolicy_svn_repo/policy/modules/services/dhcp.te
@@ -52,6 +52,12 @@ files_pid_filetrans(dhcpd_t,dhcpd_var_ru
kernel_read_system_state(dhcpd_t)
kernel_read_kernel_sysctls(dhcpd_t)
+corenet_tcp_recv_unlabeled(dhcpd_t)
+corenet_udp_recv_unlabeled(dhcpd_t)
+corenet_raw_recv_unlabeled(dhcpd_t)
+corenet_tcp_recv_netlabel(dhcpd_t)
+corenet_udp_recv_netlabel(dhcpd_t)
+corenet_raw_recv_netlabel(dhcpd_t)
corenet_non_ipsec_sendrecv(dhcpd_t)
corenet_tcp_sendrecv_all_if(dhcpd_t)
corenet_udp_sendrecv_all_if(dhcpd_t)
Index: refpolicy_svn_repo/policy/modules/services/dictd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dictd.te
+++ refpolicy_svn_repo/policy/modules/services/dictd.te
@@ -37,6 +37,12 @@ allow dictd_t dictd_var_lib_t:file read_
kernel_read_system_state(dictd_t)
kernel_read_kernel_sysctls(dictd_t)
+corenet_tcp_recv_unlabeled(dictd_t)
+corenet_udp_recv_unlabeled(dictd_t)
+corenet_raw_recv_unlabeled(dictd_t)
+corenet_tcp_recv_netlabel(dictd_t)
+corenet_udp_recv_netlabel(dictd_t)
+corenet_raw_recv_netlabel(dictd_t)
corenet_non_ipsec_sendrecv(dictd_t)
corenet_tcp_sendrecv_all_if(dictd_t)
corenet_raw_sendrecv_all_if(dictd_t)
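Review bot: the udp pair added for dictd_t has no matching udp rule in the visible context, which goes from `corenet_tcp_sendrecv_all_if(dictd_t)` straight to `corenet_raw_sendrecv_all_if(dictd_t)`. If dictd_t has no udp sendrecv rules further down, drop `corenet_udp_recv_unlabeled` and `corenet_udp_recv_netlabel` so the domain can receive only on the protocols it already uses, and keep the tcp and raw pairs.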
Index: refpolicy_svn_repo/policy/modules/services/distcc.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/distcc.te
+++ refpolicy_svn_repo/policy/modules/services/distcc.te
@@ -44,6 +44,10 @@ files_pid_filetrans(distccd_t,distccd_va
kernel_read_system_state(distccd_t)
kernel_read_kernel_sysctls(distccd_t)
+corenet_tcp_recv_unlabeled(distccd_t)
+corenet_udp_recv_unlabeled(distccd_t)
+corenet_tcp_recv_netlabel(distccd_t)
+corenet_udp_recv_netlabel(distccd_t)
corenet_non_ipsec_sendrecv(distccd_t)
corenet_tcp_sendrecv_all_if(distccd_t)
corenet_udp_sendrecv_all_if(distccd_t)
Index: refpolicy_svn_repo/policy/modules/services/djbdns.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/djbdns.if
+++ refpolicy_svn_repo/policy/modules/services/djbdns.if
@@ -32,6 +32,10 @@ template(`djbdns_daemontools_domain_temp
allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;
+ corenet_tcp_recv_unlabeled(djbdns_$1_t)
+ corenet_udp_recv_unlabeled(djbdns_$1_t)
+ corenet_tcp_recv_netlabel(djbdns_$1_t)
+ corenet_udp_recv_netlabel(djbdns_$1_t)
corenet_non_ipsec_sendrecv(djbdns_$1_t)
corenet_tcp_sendrecv_all_if(djbdns_$1_t)
corenet_udp_sendrecv_all_if(djbdns_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/dnsmasq.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dnsmasq.te
+++ refpolicy_svn_repo/policy/modules/services/dnsmasq.te
@@ -42,6 +42,12 @@ kernel_read_kernel_sysctls(dnsmasq_t)
kernel_list_proc(dnsmasq_t)
kernel_read_proc_symlinks(dnsmasq_t)
+corenet_tcp_recv_unlabeled(dnsmasq_t)
+corenet_udp_recv_unlabeled(dnsmasq_t)
+corenet_raw_recv_unlabeled(dnsmasq_t)
+corenet_tcp_recv_netlabel(dnsmasq_t)
+corenet_udp_recv_netlabel(dnsmasq_t)
+corenet_raw_recv_netlabel(dnsmasq_t)
corenet_non_ipsec_sendrecv(dnsmasq_t)
corenet_tcp_sendrecv_generic_if(dnsmasq_t)
corenet_udp_sendrecv_generic_if(dnsmasq_t)
Index: refpolicy_svn_repo/policy/modules/services/dovecot.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/dovecot.te
+++ refpolicy_svn_repo/policy/modules/services/dovecot.te
@@ -70,6 +70,8 @@ files_pid_filetrans(dovecot_t,dovecot_va
kernel_read_kernel_sysctls(dovecot_t)
kernel_read_system_state(dovecot_t)
+corenet_tcp_recv_unlabeled(dovecot_t)
+corenet_tcp_recv_netlabel(dovecot_t)
corenet_non_ipsec_sendrecv(dovecot_t)
corenet_tcp_sendrecv_all_if(dovecot_t)
corenet_tcp_sendrecv_all_nodes(dovecot_t)
Index: refpolicy_svn_repo/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/fetchmail.te
+++ refpolicy_svn_repo/policy/modules/services/fetchmail.te
@@ -46,6 +46,10 @@ kernel_getattr_proc_files(fetchmail_t)
kernel_read_proc_symlinks(fetchmail_t)
kernel_dontaudit_read_system_state(fetchmail_t)
+corenet_tcp_recv_unlabeled(fetchmail_t)
+corenet_udp_recv_unlabeled(fetchmail_t)
+corenet_tcp_recv_netlabel(fetchmail_t)
+corenet_udp_recv_netlabel(fetchmail_t)
corenet_non_ipsec_sendrecv(fetchmail_t)
corenet_tcp_sendrecv_generic_if(fetchmail_t)
corenet_udp_sendrecv_generic_if(fetchmail_t)
Index: refpolicy_svn_repo/policy/modules/services/finger.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/finger.te
+++ refpolicy_svn_repo/policy/modules/services/finger.te
@@ -47,6 +47,10 @@ logging_log_filetrans(fingerd_t,fingerd_
kernel_read_kernel_sysctls(fingerd_t)
kernel_read_system_state(fingerd_t)
+corenet_tcp_recv_unlabeled(fingerd_t)
+corenet_udp_recv_unlabeled(fingerd_t)
+corenet_tcp_recv_netlabel(fingerd_t)
+corenet_udp_recv_netlabel(fingerd_t)
corenet_non_ipsec_sendrecv(fingerd_t)
corenet_tcp_sendrecv_all_if(fingerd_t)
corenet_udp_sendrecv_all_if(fingerd_t)
Index: refpolicy_svn_repo/policy/modules/services/ftp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ftp.te
+++ refpolicy_svn_repo/policy/modules/services/ftp.te
@@ -128,6 +128,10 @@ dev_read_urand(ftpd_t)
corecmd_exec_bin(ftpd_t)
+corenet_tcp_recv_unlabeled(ftpd_t)
+corenet_udp_recv_unlabeled(ftpd_t)
+corenet_tcp_recv_netlabel(ftpd_t)
+corenet_udp_recv_netlabel(ftpd_t)
corenet_non_ipsec_sendrecv(ftpd_t)
corenet_tcp_sendrecv_all_if(ftpd_t)
corenet_udp_sendrecv_all_if(ftpd_t)
Index: refpolicy_svn_repo/policy/modules/services/gatekeeper.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/gatekeeper.te
+++ refpolicy_svn_repo/policy/modules/services/gatekeeper.te
@@ -53,6 +53,10 @@ kernel_read_kernel_sysctls(gatekeeper_t)
corecmd_list_bin(gatekeeper_t)
+corenet_tcp_recv_unlabeled(gatekeeper_t)
+corenet_udp_recv_unlabeled(gatekeeper_t)
+corenet_tcp_recv_netlabel(gatekeeper_t)
+corenet_udp_recv_netlabel(gatekeeper_t)
corenet_non_ipsec_sendrecv(gatekeeper_t)
corenet_tcp_sendrecv_generic_if(gatekeeper_t)
corenet_udp_sendrecv_generic_if(gatekeeper_t)
Index: refpolicy_svn_repo/policy/modules/services/hal.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/hal.te
+++ refpolicy_svn_repo/policy/modules/services/hal.te
@@ -91,6 +91,10 @@ auth_read_pam_console_data(hald_t)
corecmd_exec_all_executables(hald_t)
+corenet_tcp_recv_unlabeled(hald_t)
+corenet_udp_recv_unlabeled(hald_t)
+corenet_tcp_recv_netlabel(hald_t)
+corenet_udp_recv_netlabel(hald_t)
corenet_non_ipsec_sendrecv(hald_t)
corenet_tcp_sendrecv_all_if(hald_t)
corenet_udp_sendrecv_all_if(hald_t)
Index: refpolicy_svn_repo/policy/modules/services/howl.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/howl.te
+++ refpolicy_svn_repo/policy/modules/services/howl.te
@@ -34,6 +34,10 @@ kernel_load_module(howl_t)
kernel_list_proc(howl_t)
kernel_read_proc_symlinks(howl_t)
+corenet_tcp_recv_unlabeled(howl_t)
+corenet_udp_recv_unlabeled(howl_t)
+corenet_tcp_recv_netlabel(howl_t)
+corenet_udp_recv_netlabel(howl_t)
corenet_non_ipsec_sendrecv(howl_t)
corenet_tcp_sendrecv_all_if(howl_t)
corenet_udp_sendrecv_all_if(howl_t)
Index: refpolicy_svn_repo/policy/modules/services/i18n_input.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/i18n_input.te
+++ refpolicy_svn_repo/policy/modules/services/i18n_input.te
@@ -37,6 +37,10 @@ can_exec(i18n_input_t, i18n_input_exec_t
kernel_read_kernel_sysctls(i18n_input_t)
kernel_read_system_state(i18n_input_t)
+corenet_tcp_recv_unlabeled(i18n_input_t)
+corenet_udp_recv_unlabeled(i18n_input_t)
+corenet_tcp_recv_netlabel(i18n_input_t)
+corenet_udp_recv_netlabel(i18n_input_t)
corenet_non_ipsec_sendrecv(i18n_input_t)
corenet_tcp_sendrecv_generic_if(i18n_input_t)
corenet_udp_sendrecv_generic_if(i18n_input_t)
Index: refpolicy_svn_repo/policy/modules/services/imaze.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/imaze.te
+++ refpolicy_svn_repo/policy/modules/services/imaze.te
@@ -55,6 +55,10 @@ kernel_read_kernel_sysctls(imazesrv_t)
kernel_list_proc(imazesrv_t)
kernel_read_proc_symlinks(imazesrv_t)
+corenet_tcp_recv_unlabeled(imazesrv_t)
+corenet_udp_recv_unlabeled(imazesrv_t)
+corenet_tcp_recv_netlabel(imazesrv_t)
+corenet_udp_recv_netlabel(imazesrv_t)
corenet_non_ipsec_sendrecv(imazesrv_t)
corenet_tcp_sendrecv_generic_if(imazesrv_t)
corenet_udp_sendrecv_generic_if(imazesrv_t)
Index: refpolicy_svn_repo/policy/modules/services/inetd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/inetd.te
+++ refpolicy_svn_repo/policy/modules/services/inetd.te
@@ -60,6 +60,10 @@ kernel_read_system_state(inetd_t)
kernel_tcp_recvfrom_unlabeled(inetd_t)
# base networking:
+corenet_tcp_recv_unlabeled(inetd_t)
+corenet_udp_recv_unlabeled(inetd_t)
+corenet_tcp_recv_netlabel(inetd_t)
+corenet_udp_recv_netlabel(inetd_t)
corenet_non_ipsec_sendrecv(inetd_t)
corenet_tcp_sendrecv_all_if(inetd_t)
corenet_udp_sendrecv_all_if(inetd_t)
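Review bot: The context line kernel_tcp_recvfrom_unlabeled(inetd_t) directly above the additions already covers some form of unlabeled TCP receive for inetd_t, so this hunk does not make clear whether corenet_tcp_recv_unlabeled(inetd_t) adds anything new or duplicates it. Either remove the older call in the same patch or say in the changelog why both are needed.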
@@ -143,11 +147,6 @@ sysnet_read_config(inetd_t)
userdom_dontaudit_use_unpriv_user_fds(inetd_t)
userdom_dontaudit_search_sysadm_home_dirs(inetd_t)
-ifdef(`enable_mls',`
- corenet_tcp_recv_netlabel(inetd_t)
- corenet_udp_recv_netlabel(inetd_t)
-')
-
ifdef(`targeted_policy',`
term_dontaudit_use_unallocated_ttys(inetd_t)
term_dontaudit_use_generic_ptys(inetd_t)
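Review bot: Deleting the ifdef(`enable_mls', ...) block here, together with the unconditional corenet_tcp_recv_netlabel(inetd_t) and corenet_udp_recv_netlabel(inetd_t) added in the first hunk of this file, changes inetd_t from receiving NetLabel traffic only in MLS builds to receiving it in every policy build. The commit message says only that access is added; it should state that the MLS conditional is dropped on purpose, or the conditional should stay.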
@@ -200,6 +199,10 @@ kernel_read_kernel_sysctls(inetd_child_t
kernel_read_system_state(inetd_child_t)
kernel_read_network_state(inetd_child_t)
+corenet_tcp_recv_unlabeled(inetd_child_t)
+corenet_udp_recv_unlabeled(inetd_child_t)
+corenet_tcp_recv_netlabel(inetd_child_t)
+corenet_udp_recv_netlabel(inetd_child_t)
corenet_non_ipsec_sendrecv(inetd_child_t)
corenet_tcp_sendrecv_all_if(inetd_child_t)
corenet_udp_sendrecv_all_if(inetd_child_t)
Index: refpolicy_svn_repo/policy/modules/services/inn.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/inn.te
+++ refpolicy_svn_repo/policy/modules/services/inn.te
@@ -63,6 +63,10 @@ manage_lnk_files_pattern(innd_t,news_spo
kernel_read_kernel_sysctls(innd_t)
kernel_read_system_state(innd_t)
+corenet_tcp_recv_unlabeled(innd_t)
+corenet_udp_recv_unlabeled(innd_t)
+corenet_tcp_recv_netlabel(innd_t)
+corenet_udp_recv_netlabel(innd_t)
corenet_non_ipsec_sendrecv(innd_t)
corenet_tcp_sendrecv_all_if(innd_t)
corenet_udp_sendrecv_all_if(innd_t)
Index: refpolicy_svn_repo/policy/modules/services/ircd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ircd.te
+++ refpolicy_svn_repo/policy/modules/services/ircd.te
@@ -50,6 +50,10 @@ kernel_read_kernel_sysctls(ircd_t)
corecmd_search_bin(ircd_t)
+corenet_tcp_recv_unlabeled(ircd_t)
+corenet_udp_recv_unlabeled(ircd_t)
+corenet_tcp_recv_netlabel(ircd_t)
+corenet_udp_recv_netlabel(ircd_t)
corenet_non_ipsec_sendrecv(ircd_t)
corenet_tcp_sendrecv_generic_if(ircd_t)
corenet_udp_sendrecv_generic_if(ircd_t)
Index: refpolicy_svn_repo/policy/modules/services/jabber.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/jabber.te
+++ refpolicy_svn_repo/policy/modules/services/jabber.te
@@ -44,6 +44,10 @@ kernel_read_kernel_sysctls(jabberd_t)
kernel_list_proc(jabberd_t)
kernel_read_proc_symlinks(jabberd_t)
+corenet_tcp_recv_unlabeled(jabberd_t)
+corenet_udp_recv_unlabeled(jabberd_t)
+corenet_tcp_recv_netlabel(jabberd_t)
+corenet_udp_recv_netlabel(jabberd_t)
corenet_non_ipsec_sendrecv(jabberd_t)
corenet_tcp_sendrecv_generic_if(jabberd_t)
corenet_udp_sendrecv_generic_if(jabberd_t)
Index: refpolicy_svn_repo/policy/modules/services/kerberos.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/kerberos.if
+++ refpolicy_svn_repo/policy/modules/services/kerberos.if
@@ -47,6 +47,10 @@ interface(`kerberos_use',`
allow $1 self:tcp_socket create_socket_perms;
allow $1 self:udp_socket create_socket_perms;
+ corenet_tcp_recv_unlabeled($1)
+ corenet_udp_recv_unlabeled($1)
+ corenet_tcp_recv_netlabel($1)
+ corenet_udp_recv_netlabel($1)
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
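Review bot: These four calls sit inside interface(`kerberos_use'), so every domain passed as $1 gains TCP and UDP receive of unlabeled and NetLabel packets, not only the Kerberos daemons. Please update the interface's documentation to mention the new grant, and confirm that callers which receive the same four lines from their own hunk in this patch are meant to get the access from both places.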
Index: refpolicy_svn_repo/policy/modules/services/kerberos.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/kerberos.te
+++ refpolicy_svn_repo/policy/modules/services/kerberos.te
@@ -92,6 +92,10 @@ kernel_read_kernel_sysctls(kadmind_t)
kernel_list_proc(kadmind_t)
kernel_read_proc_symlinks(kadmind_t)
+corenet_tcp_recv_unlabeled(kadmind_t)
+corenet_udp_recv_unlabeled(kadmind_t)
+corenet_tcp_recv_netlabel(kadmind_t)
+corenet_udp_recv_netlabel(kadmind_t)
corenet_non_ipsec_sendrecv(kadmind_t)
corenet_tcp_sendrecv_all_if(kadmind_t)
corenet_udp_sendrecv_all_if(kadmind_t)
@@ -192,6 +196,10 @@ kernel_search_network_sysctl(krb5kdc_t)
corecmd_exec_bin(krb5kdc_t)
+corenet_tcp_recv_unlabeled(krb5kdc_t)
+corenet_udp_recv_unlabeled(krb5kdc_t)
+corenet_tcp_recv_netlabel(krb5kdc_t)
+corenet_udp_recv_netlabel(krb5kdc_t)
corenet_non_ipsec_sendrecv(krb5kdc_t)
corenet_tcp_sendrecv_all_if(krb5kdc_t)
corenet_udp_sendrecv_all_if(krb5kdc_t)
Index: refpolicy_svn_repo/policy/modules/services/ktalk.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ktalk.te
+++ refpolicy_svn_repo/policy/modules/services/ktalk.te
@@ -53,6 +53,10 @@ kernel_read_kernel_sysctls(ktalkd_t)
kernel_read_system_state(ktalkd_t)
kernel_read_network_state(ktalkd_t)
+corenet_tcp_recv_unlabeled(ktalkd_t)
+corenet_udp_recv_unlabeled(ktalkd_t)
+corenet_tcp_recv_netlabel(ktalkd_t)
+corenet_udp_recv_netlabel(ktalkd_t)
corenet_non_ipsec_sendrecv(ktalkd_t)
corenet_tcp_sendrecv_all_if(ktalkd_t)
corenet_udp_sendrecv_all_if(ktalkd_t)
Index: refpolicy_svn_repo/policy/modules/services/ldap.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ldap.te
+++ refpolicy_svn_repo/policy/modules/services/ldap.te
@@ -77,6 +77,10 @@ files_pid_filetrans(slapd_t,slapd_var_ru
kernel_read_system_state(slapd_t)
kernel_read_kernel_sysctls(slapd_t)
+corenet_tcp_recv_unlabeled(slapd_t)
+corenet_udp_recv_unlabeled(slapd_t)
+corenet_tcp_recv_netlabel(slapd_t)
+corenet_udp_recv_netlabel(slapd_t)
corenet_non_ipsec_sendrecv(slapd_t)
corenet_tcp_sendrecv_all_if(slapd_t)
corenet_udp_sendrecv_all_if(slapd_t)
Index: refpolicy_svn_repo/policy/modules/services/lpd.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/lpd.if
+++ refpolicy_svn_repo/policy/modules/services/lpd.if
@@ -104,6 +104,10 @@ template(`lpd_per_role_template',`
kernel_read_kernel_sysctls($1_lpr_t)
+ corenet_tcp_recv_unlabeled($1_lpr_t)
+ corenet_udp_recv_unlabeled($1_lpr_t)
+ corenet_tcp_recv_netlabel($1_lpr_t)
+ corenet_udp_recv_netlabel($1_lpr_t)
corenet_non_ipsec_sendrecv($1_lpr_t)
corenet_tcp_sendrecv_generic_if($1_lpr_t)
corenet_udp_sendrecv_generic_if($1_lpr_t)
Index: refpolicy_svn_repo/policy/modules/services/lpd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/lpd.te
+++ refpolicy_svn_repo/policy/modules/services/lpd.te
@@ -72,6 +72,10 @@ allow checkpc_t printconf_t:dir { getatt
kernel_read_system_state(checkpc_t)
+corenet_tcp_recv_unlabeled(checkpc_t)
+corenet_udp_recv_unlabeled(checkpc_t)
+corenet_tcp_recv_netlabel(checkpc_t)
+corenet_udp_recv_netlabel(checkpc_t)
corenet_non_ipsec_sendrecv(checkpc_t)
corenet_tcp_sendrecv_all_if(checkpc_t)
corenet_udp_sendrecv_all_if(checkpc_t)
@@ -157,6 +161,10 @@ kernel_read_kernel_sysctls(lpd_t)
# bash wants access to /proc/meminfo
kernel_read_system_state(lpd_t)
+corenet_tcp_recv_unlabeled(lpd_t)
+corenet_udp_recv_unlabeled(lpd_t)
+corenet_tcp_recv_netlabel(lpd_t)
+corenet_udp_recv_netlabel(lpd_t)
corenet_non_ipsec_sendrecv(lpd_t)
corenet_tcp_sendrecv_all_if(lpd_t)
corenet_udp_sendrecv_all_if(lpd_t)
Index: refpolicy_svn_repo/policy/modules/services/mailman.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/mailman.if
+++ refpolicy_svn_repo/policy/modules/services/mailman.if
@@ -48,6 +48,10 @@ template(`mailman_domain_template', `
kernel_read_kernel_sysctls(mailman_$1_t)
kernel_read_system_state(mailman_$1_t)
+ corenet_tcp_recv_unlabeled(mailman_$1_t)
+ corenet_udp_recv_unlabeled(mailman_$1_t)
+ corenet_tcp_recv_netlabel(mailman_$1_t)
+ corenet_udp_recv_netlabel(mailman_$1_t)
corenet_non_ipsec_sendrecv(mailman_$1_t)
corenet_tcp_sendrecv_all_if(mailman_$1_t)
corenet_udp_sendrecv_all_if(mailman_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/monop.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/monop.te
+++ refpolicy_svn_repo/policy/modules/services/monop.te
@@ -43,6 +43,10 @@ kernel_read_kernel_sysctls(monopd_t)
kernel_list_proc(monopd_t)
kernel_read_proc_symlinks(monopd_t)
+corenet_tcp_recv_unlabeled(monopd_t)
+corenet_udp_recv_unlabeled(monopd_t)
+corenet_tcp_recv_netlabel(monopd_t)
+corenet_udp_recv_netlabel(monopd_t)
corenet_non_ipsec_sendrecv(monopd_t)
corenet_tcp_sendrecv_generic_if(monopd_t)
corenet_udp_sendrecv_generic_if(monopd_t)
Index: refpolicy_svn_repo/policy/modules/services/mta.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/mta.if
+++ refpolicy_svn_repo/policy/modules/services/mta.if
@@ -72,6 +72,8 @@ template(`mta_base_mail_template',`
kernel_read_kernel_sysctls($1_mail_t)
+ corenet_tcp_recv_unlabeled($1_mail_t)
+ corenet_tcp_recv_netlabel($1_mail_t)
corenet_non_ipsec_sendrecv($1_mail_t)
corenet_tcp_sendrecv_all_if($1_mail_t)
corenet_tcp_sendrecv_all_nodes($1_mail_t)
Index: refpolicy_svn_repo/policy/modules/services/munin.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/munin.te
+++ refpolicy_svn_repo/policy/modules/services/munin.te
@@ -65,6 +65,10 @@ kernel_read_kernel_sysctls(munin_t)
corecmd_exec_bin(munin_t)
+corenet_tcp_recv_unlabeled(munin_t)
+corenet_udp_recv_unlabeled(munin_t)
+corenet_tcp_recv_netlabel(munin_t)
+corenet_udp_recv_netlabel(munin_t)
corenet_non_ipsec_sendrecv(munin_t)
corenet_tcp_sendrecv_generic_if(munin_t)
corenet_udp_sendrecv_generic_if(munin_t)
Index: refpolicy_svn_repo/policy/modules/services/mysql.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/mysql.te
+++ refpolicy_svn_repo/policy/modules/services/mysql.te
@@ -61,6 +61,10 @@ files_pid_filetrans(mysqld_t,mysqld_var_
kernel_read_system_state(mysqld_t)
kernel_read_kernel_sysctls(mysqld_t)
+corenet_tcp_recv_unlabeled(mysqld_t)
+corenet_udp_recv_unlabeled(mysqld_t)
+corenet_tcp_recv_netlabel(mysqld_t)
+corenet_udp_recv_netlabel(mysqld_t)
corenet_non_ipsec_sendrecv(mysqld_t)
corenet_tcp_sendrecv_all_if(mysqld_t)
corenet_udp_sendrecv_all_if(mysqld_t)
Index: refpolicy_svn_repo/policy/modules/services/nagios.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nagios.te
+++ refpolicy_svn_repo/policy/modules/services/nagios.te
@@ -66,6 +66,10 @@ kernel_read_kernel_sysctls(nagios_t)
corecmd_exec_bin(nagios_t)
corecmd_exec_shell(nagios_t)
+corenet_tcp_recv_unlabeled(nagios_t)
+corenet_udp_recv_unlabeled(nagios_t)
+corenet_tcp_recv_netlabel(nagios_t)
+corenet_udp_recv_netlabel(nagios_t)
corenet_non_ipsec_sendrecv(nagios_t)
corenet_tcp_sendrecv_generic_if(nagios_t)
corenet_udp_sendrecv_generic_if(nagios_t)
Index: refpolicy_svn_repo/policy/modules/services/nessus.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nessus.te
+++ refpolicy_svn_repo/policy/modules/services/nessus.te
@@ -57,6 +57,12 @@ kernel_read_kernel_sysctls(nessusd_t)
# for nmap etc
corecmd_exec_bin(nessusd_t)
+corenet_tcp_recv_unlabeled(nessusd_t)
+corenet_udp_recv_unlabeled(nessusd_t)
+corenet_raw_recv_unlabeled(nessusd_t)
+corenet_tcp_recv_netlabel(nessusd_t)
+corenet_udp_recv_netlabel(nessusd_t)
+corenet_raw_recv_netlabel(nessusd_t)
corenet_non_ipsec_sendrecv(nessusd_t)
corenet_tcp_sendrecv_generic_if(nessusd_t)
corenet_udp_sendrecv_generic_if(nessusd_t)
Index: refpolicy_svn_repo/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/networkmanager.te
+++ refpolicy_svn_repo/policy/modules/services/networkmanager.te
@@ -41,6 +41,12 @@ kernel_read_network_state(NetworkManager
kernel_read_kernel_sysctls(NetworkManager_t)
kernel_load_module(NetworkManager_t)
+corenet_tcp_recv_unlabeled(NetworkManager_t)
+corenet_udp_recv_unlabeled(NetworkManager_t)
+corenet_raw_recv_unlabeled(NetworkManager_t)
+corenet_tcp_recv_netlabel(NetworkManager_t)
+corenet_udp_recv_netlabel(NetworkManager_t)
+corenet_raw_recv_netlabel(NetworkManager_t)
corenet_non_ipsec_sendrecv(NetworkManager_t)
corenet_tcp_sendrecv_all_if(NetworkManager_t)
corenet_udp_sendrecv_all_if(NetworkManager_t)
Index: refpolicy_svn_repo/policy/modules/services/nis.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nis.if
+++ refpolicy_svn_repo/policy/modules/services/nis.if
@@ -37,6 +37,10 @@ interface(`nis_use_ypbind_uncond',`
allow $1 var_yp_t:lnk_file { getattr read };
allow $1 var_yp_t:file read_file_perms;
+ corenet_tcp_recv_unlabeled($1)
+ corenet_udp_recv_unlabeled($1)
+ corenet_tcp_recv_netlabel($1)
+ corenet_udp_recv_netlabel($1)
corenet_non_ipsec_sendrecv($1)
corenet_tcp_sendrecv_all_if($1)
corenet_udp_sendrecv_all_if($1)
Index: refpolicy_svn_repo/policy/modules/services/nis.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nis.te
+++ refpolicy_svn_repo/policy/modules/services/nis.te
@@ -69,6 +69,10 @@ kernel_read_kernel_sysctls(ypbind_t)
kernel_list_proc(ypbind_t)
kernel_read_proc_symlinks(ypbind_t)
+corenet_tcp_recv_unlabeled(ypbind_t)
+corenet_udp_recv_unlabeled(ypbind_t)
+corenet_tcp_recv_netlabel(ypbind_t)
+corenet_udp_recv_netlabel(ypbind_t)
corenet_non_ipsec_sendrecv(ypbind_t)
corenet_tcp_sendrecv_all_if(ypbind_t)
corenet_udp_sendrecv_all_if(ypbind_t)
@@ -152,6 +156,10 @@ kernel_read_proc_symlinks(yppasswdd_t)
kernel_getattr_proc_files(yppasswdd_t)
kernel_read_kernel_sysctls(yppasswdd_t)
+corenet_tcp_recv_unlabeled(yppasswdd_t)
+corenet_udp_recv_unlabeled(yppasswdd_t)
+corenet_tcp_recv_netlabel(yppasswdd_t)
+corenet_udp_recv_netlabel(yppasswdd_t)
corenet_non_ipsec_sendrecv(yppasswdd_t)
corenet_tcp_sendrecv_generic_if(yppasswdd_t)
corenet_udp_sendrecv_generic_if(yppasswdd_t)
@@ -247,6 +255,10 @@ kernel_read_kernel_sysctls(ypserv_t)
kernel_list_proc(ypserv_t)
kernel_read_proc_symlinks(ypserv_t)
+corenet_tcp_recv_unlabeled(ypserv_t)
+corenet_udp_recv_unlabeled(ypserv_t)
+corenet_tcp_recv_netlabel(ypserv_t)
+corenet_udp_recv_netlabel(ypserv_t)
corenet_non_ipsec_sendrecv(ypserv_t)
corenet_tcp_sendrecv_all_if(ypserv_t)
corenet_udp_sendrecv_all_if(ypserv_t)
@@ -321,6 +333,10 @@ allow ypxfr_t ypserv_t:udp_socket { read
allow ypxfr_t ypserv_conf_t:file { getattr read };
+corenet_tcp_recv_unlabeled(ypxfr_t)
+corenet_udp_recv_unlabeled(ypxfr_t)
+corenet_tcp_recv_netlabel(ypxfr_t)
+corenet_udp_recv_netlabel(ypxfr_t)
corenet_non_ipsec_sendrecv(ypxfr_t)
corenet_tcp_sendrecv_all_if(ypxfr_t)
corenet_udp_sendrecv_all_if(ypxfr_t)
Index: refpolicy_svn_repo/policy/modules/services/nscd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nscd.te
+++ refpolicy_svn_repo/policy/modules/services/nscd.te
@@ -65,6 +65,10 @@ fs_search_auto_mountpoints(nscd_t)
auth_getattr_shadow(nscd_t)
auth_use_nsswitch(nscd_t)
+corenet_tcp_recv_unlabeled(nscd_t)
+corenet_udp_recv_unlabeled(nscd_t)
+corenet_tcp_recv_netlabel(nscd_t)
+corenet_udp_recv_netlabel(nscd_t)
corenet_non_ipsec_sendrecv(nscd_t)
corenet_tcp_sendrecv_all_if(nscd_t)
corenet_udp_sendrecv_all_if(nscd_t)
Index: refpolicy_svn_repo/policy/modules/services/nsd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nsd.te
+++ refpolicy_svn_repo/policy/modules/services/nsd.te
@@ -62,6 +62,10 @@ kernel_read_kernel_sysctls(nsd_t)
corecmd_exec_bin(nsd_t)
+corenet_tcp_recv_unlabeled(nsd_t)
+corenet_udp_recv_unlabeled(nsd_t)
+corenet_tcp_recv_netlabel(nsd_t)
+corenet_udp_recv_netlabel(nsd_t)
corenet_non_ipsec_sendrecv(nsd_t)
corenet_tcp_sendrecv_generic_if(nsd_t)
corenet_udp_sendrecv_generic_if(nsd_t)
@@ -148,6 +152,10 @@ kernel_read_system_state(nsd_crond_t)
corecmd_exec_bin(nsd_crond_t)
corecmd_exec_shell(nsd_crond_t)
+corenet_tcp_recv_unlabeled(nsd_crond_t)
+corenet_udp_recv_unlabeled(nsd_crond_t)
+corenet_tcp_recv_netlabel(nsd_crond_t)
+corenet_udp_recv_netlabel(nsd_crond_t)
corenet_non_ipsec_sendrecv(nsd_crond_t)
corenet_tcp_sendrecv_generic_if(nsd_crond_t)
corenet_udp_sendrecv_generic_if(nsd_crond_t)
Index: refpolicy_svn_repo/policy/modules/services/ntop.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ntop.te
+++ refpolicy_svn_repo/policy/modules/services/ntop.te
@@ -61,6 +61,12 @@ kernel_read_kernel_sysctls(ntop_t)
kernel_list_proc(ntop_t)
kernel_read_proc_symlinks(ntop_t)
+corenet_tcp_recv_unlabeled(ntop_t)
+corenet_udp_recv_unlabeled(ntop_t)
+corenet_raw_recv_unlabeled(ntop_t)
+corenet_tcp_recv_netlabel(ntop_t)
+corenet_udp_recv_netlabel(ntop_t)
+corenet_raw_recv_netlabel(ntop_t)
corenet_non_ipsec_sendrecv(ntop_t)
corenet_tcp_sendrecv_generic_if(ntop_t)
corenet_udp_sendrecv_generic_if(ntop_t)
Index: refpolicy_svn_repo/policy/modules/services/nx.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/nx.te
+++ refpolicy_svn_repo/policy/modules/services/nx.te
@@ -51,6 +51,10 @@ kernel_read_kernel_sysctls(nx_server_t)
corecmd_exec_shell(nx_server_t)
corecmd_exec_bin(nx_server_t)
+corenet_tcp_recv_unlabeled(nx_server_t)
+corenet_udp_recv_unlabeled(nx_server_t)
+corenet_tcp_recv_netlabel(nx_server_t)
+corenet_udp_recv_netlabel(nx_server_t)
corenet_non_ipsec_sendrecv(nx_server_t)
corenet_tcp_sendrecv_generic_if(nx_server_t)
corenet_udp_sendrecv_generic_if(nx_server_t)
Index: refpolicy_svn_repo/policy/modules/services/oav.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/oav.te
+++ refpolicy_svn_repo/policy/modules/services/oav.te
@@ -50,6 +50,10 @@ read_lnk_files_pattern(oav_update_t,oav_
corecmd_exec_all_executables(oav_update_t)
+corenet_tcp_recv_unlabeled(oav_update_t)
+corenet_udp_recv_unlabeled(oav_update_t)
+corenet_tcp_recv_netlabel(oav_update_t)
+corenet_udp_recv_netlabel(oav_update_t)
corenet_non_ipsec_sendrecv(oav_update_t)
corenet_tcp_sendrecv_generic_if(oav_update_t)
corenet_udp_sendrecv_generic_if(oav_update_t)
@@ -104,6 +108,10 @@ kernel_read_kernel_sysctls(scannerdaemon
# Can run kaffe
corecmd_exec_all_executables(scannerdaemon_t)
+corenet_tcp_recv_unlabeled(scannerdaemon_t)
+corenet_udp_recv_unlabeled(scannerdaemon_t)
+corenet_tcp_recv_netlabel(scannerdaemon_t)
+corenet_udp_recv_netlabel(scannerdaemon_t)
corenet_non_ipsec_sendrecv(scannerdaemon_t)
corenet_tcp_sendrecv_generic_if(scannerdaemon_t)
corenet_udp_sendrecv_generic_if(scannerdaemon_t)
Index: refpolicy_svn_repo/policy/modules/services/openvpn.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/openvpn.te
+++ refpolicy_svn_repo/policy/modules/services/openvpn.te
@@ -53,6 +53,10 @@ kernel_read_system_state(openvpn_t)
corecmd_exec_bin(openvpn_t)
corecmd_exec_shell(openvpn_t)
+corenet_tcp_recv_unlabeled(openvpn_t)
+corenet_udp_recv_unlabeled(openvpn_t)
+corenet_tcp_recv_netlabel(openvpn_t)
+corenet_udp_recv_netlabel(openvpn_t)
corenet_non_ipsec_sendrecv(openvpn_t)
corenet_tcp_sendrecv_all_if(openvpn_t)
corenet_udp_sendrecv_all_if(openvpn_t)
Index: refpolicy_svn_repo/policy/modules/services/pcscd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/pcscd.te
+++ refpolicy_svn_repo/policy/modules/services/pcscd.te
@@ -31,10 +31,12 @@ manage_files_pattern(pcscd_t,pcscd_var_r
manage_sock_files_pattern(pcscd_t,pcscd_var_run_t,pcscd_var_run_t)
files_pid_filetrans(pcscd_t,pcscd_var_run_t, { file sock_file })
+corenet_tcp_recv_unlabeled(pcscd_t)
+corenet_tcp_recv_netlabel(pcscd_t)
+corenet_non_ipsec_sendrecv(pcscd_t)
corenet_tcp_sendrecv_all_if(pcscd_t)
corenet_tcp_sendrecv_all_nodes(pcscd_t)
corenet_tcp_sendrecv_all_ports(pcscd_t)
-corenet_non_ipsec_sendrecv(pcscd_t)
corenet_tcp_connect_http_port(pcscd_t)
dev_rw_generic_usb_dev(pcscd_t)
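Review bot: Besides adding the two recv calls, this hunk moves corenet_non_ipsec_sendrecv(pcscd_t) from below corenet_tcp_sendrecv_all_ports(pcscd_t) to above corenet_tcp_sendrecv_all_if(pcscd_t), a reorder the commit message does not mention. The move does not change the granted permissions, but the lone removed line reads like a dropped rule at first glance; mention the reorder in the changelog or split the cleanup into its own patch.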
Index: refpolicy_svn_repo/policy/modules/services/pegasus.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/pegasus.te
+++ refpolicy_svn_repo/policy/modules/services/pegasus.te
@@ -66,6 +66,8 @@ kernel_read_system_state(pegasus_t)
kernel_search_vm_sysctl(pegasus_t)
kernel_read_net_sysctls(pegasus_t)
+corenet_tcp_recv_unlabeled(pegasus_t)
+corenet_tcp_recv_netlabel(pegasus_t)
corenet_non_ipsec_sendrecv(pegasus_t)
corenet_tcp_sendrecv_all_if(pegasus_t)
corenet_tcp_sendrecv_all_nodes(pegasus_t)
Index: refpolicy_svn_repo/policy/modules/services/perdition.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/perdition.te
+++ refpolicy_svn_repo/policy/modules/services/perdition.te
@@ -37,6 +37,10 @@ kernel_read_kernel_sysctls(perdition_t)
kernel_list_proc(perdition_t)
kernel_read_proc_symlinks(perdition_t)
+corenet_tcp_recv_unlabeled(perdition_t)
+corenet_udp_recv_unlabeled(perdition_t)
+corenet_tcp_recv_netlabel(perdition_t)
+corenet_udp_recv_netlabel(perdition_t)
corenet_non_ipsec_sendrecv(perdition_t)
corenet_tcp_sendrecv_generic_if(perdition_t)
corenet_udp_sendrecv_generic_if(perdition_t)
Index: refpolicy_svn_repo/policy/modules/services/portmap.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/portmap.te
+++ refpolicy_svn_repo/policy/modules/services/portmap.te
@@ -45,6 +45,10 @@ kernel_read_kernel_sysctls(portmap_t)
kernel_list_proc(portmap_t)
kernel_read_proc_symlinks(portmap_t)
+corenet_tcp_recv_unlabeled(portmap_t)
+corenet_udp_recv_unlabeled(portmap_t)
+corenet_tcp_recv_netlabel(portmap_t)
+corenet_udp_recv_netlabel(portmap_t)
corenet_non_ipsec_sendrecv(portmap_t)
corenet_tcp_sendrecv_all_if(portmap_t)
corenet_udp_sendrecv_all_if(portmap_t)
@@ -123,6 +127,11 @@ allow portmap_helper_t self:udp_socket c
allow portmap_helper_t portmap_var_run_t:file manage_file_perms;
files_pid_filetrans(portmap_helper_t,portmap_var_run_t,file)
+corenet_tcp_recv_unlabeled(portmap_helper_t)
+corenet_udp_recv_unlabeled(portmap_helper_t)
+corenet_tcp_recv_netlabel(portmap_helper_t)
+corenet_udp_recv_netlabel(portmap_helper_t)
+corenet_non_ipsec_sendrecv(portmap_helper_t)
corenet_tcp_sendrecv_all_if(portmap_helper_t)
corenet_udp_sendrecv_all_if(portmap_helper_t)
corenet_raw_sendrecv_all_if(portmap_helper_t)
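Review bot: portmap_helper_t gets only the TCP and UDP recv calls, yet the trailing context shows corenet_raw_sendrecv_all_if(portmap_helper_t), so the domain already has raw network access. Other hunks in this patch (dictd_t, for example) pair a raw sendrecv rule with corenet_raw_recv_unlabeled and corenet_raw_recv_netlabel; add the two raw calls here as well, or explain why raw receive is intentionally left out.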
@@ -131,7 +140,6 @@ corenet_udp_sendrecv_all_nodes(portmap_h
corenet_raw_sendrecv_all_nodes(portmap_helper_t)
corenet_tcp_sendrecv_all_ports(portmap_helper_t)
corenet_udp_sendrecv_all_ports(portmap_helper_t)
-corenet_non_ipsec_sendrecv(portmap_helper_t)
corenet_tcp_bind_all_nodes(portmap_helper_t)
corenet_udp_bind_all_nodes(portmap_helper_t)
corenet_tcp_bind_reserved_port(portmap_helper_t)
Index: refpolicy_svn_repo/policy/modules/services/portslave.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/portslave.te
+++ refpolicy_svn_repo/policy/modules/services/portslave.te
@@ -55,6 +55,10 @@ kernel_read_kernel_sysctls(portslave_t)
corecmd_exec_bin(portslave_t)
corecmd_exec_shell(portslave_t)
+corenet_tcp_recv_unlabeled(portslave_t)
+corenet_udp_recv_unlabeled(portslave_t)
+corenet_tcp_recv_netlabel(portslave_t)
+corenet_udp_recv_netlabel(portslave_t)
corenet_non_ipsec_sendrecv(portslave_t)
corenet_tcp_sendrecv_generic_if(portslave_t)
corenet_udp_sendrecv_generic_if(portslave_t)
Index: refpolicy_svn_repo/policy/modules/services/postfix.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postfix.if
+++ refpolicy_svn_repo/policy/modules/services/postfix.if
@@ -125,6 +125,10 @@ template(`postfix_server_domain_template
domtrans_pattern(postfix_master_t, postfix_$1_exec_t, postfix_$1_t)
+ corenet_tcp_recv_unlabeled(postfix_$1_t)
+ corenet_udp_recv_unlabeled(postfix_$1_t)
+ corenet_tcp_recv_netlabel(postfix_$1_t)
+ corenet_udp_recv_netlabel(postfix_$1_t)
corenet_non_ipsec_sendrecv(postfix_$1_t)
corenet_tcp_sendrecv_all_if(postfix_$1_t)
corenet_udp_sendrecv_all_if(postfix_$1_t)
Index: refpolicy_svn_repo/policy/modules/services/postfix.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postfix.te
+++ refpolicy_svn_repo/policy/modules/services/postfix.te
@@ -133,6 +133,10 @@ rename_files_pattern(postfix_master_t,po
kernel_read_all_sysctls(postfix_master_t)
+corenet_tcp_recv_unlabeled(postfix_master_t)
+corenet_udp_recv_unlabeled(postfix_master_t)
+corenet_tcp_recv_netlabel(postfix_master_t)
+corenet_udp_recv_netlabel(postfix_master_t)
corenet_non_ipsec_sendrecv(postfix_master_t)
corenet_tcp_sendrecv_all_if(postfix_master_t)
corenet_udp_sendrecv_all_if(postfix_master_t)
@@ -309,6 +313,10 @@ kernel_read_kernel_sysctls(postfix_map_t
kernel_dontaudit_list_proc(postfix_map_t)
kernel_dontaudit_read_system_state(postfix_map_t)
+corenet_tcp_recv_unlabeled(postfix_map_t)
+corenet_udp_recv_unlabeled(postfix_map_t)
+corenet_tcp_recv_netlabel(postfix_map_t)
+corenet_udp_recv_netlabel(postfix_map_t)
corenet_non_ipsec_sendrecv(postfix_map_t)
corenet_tcp_sendrecv_all_if(postfix_map_t)
corenet_udp_sendrecv_all_if(postfix_map_t)
Index: refpolicy_svn_repo/policy/modules/services/postgresql.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postgresql.te
+++ refpolicy_svn_repo/policy/modules/services/postgresql.te
@@ -82,6 +82,10 @@ kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
+corenet_tcp_recv_unlabeled(postgresql_t)
+corenet_udp_recv_unlabeled(postgresql_t)
+corenet_tcp_recv_netlabel(postgresql_t)
+corenet_udp_recv_netlabel(postgresql_t)
corenet_non_ipsec_sendrecv(postgresql_t)
corenet_tcp_sendrecv_all_if(postgresql_t)
corenet_udp_sendrecv_all_if(postgresql_t)
Index: refpolicy_svn_repo/policy/modules/services/postgrey.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/postgrey.te
+++ refpolicy_svn_repo/policy/modules/services/postgrey.te
@@ -46,6 +46,8 @@ kernel_read_kernel_sysctls(postgrey_t)
# for perl
corecmd_search_bin(postgrey_t)
+corenet_tcp_recv_unlabeled(postgrey_t)
+corenet_tcp_recv_netlabel(postgrey_t)
corenet_non_ipsec_sendrecv(postgrey_t)
corenet_tcp_sendrecv_generic_if(postgrey_t)
corenet_tcp_sendrecv_all_nodes(postgrey_t)
Index: refpolicy_svn_repo/policy/modules/services/ppp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ppp.te
+++ refpolicy_svn_repo/policy/modules/services/ppp.te
@@ -126,6 +126,12 @@ dev_read_urand(pppd_t)
dev_search_sysfs(pppd_t)
dev_read_sysfs(pppd_t)
+corenet_tcp_recv_unlabeled(pppd_t)
+corenet_udp_recv_unlabeled(pppd_t)
+corenet_raw_recv_unlabeled(pppd_t)
+corenet_tcp_recv_netlabel(pppd_t)
+corenet_udp_recv_netlabel(pppd_t)
+corenet_raw_recv_netlabel(pppd_t)
corenet_non_ipsec_sendrecv(pppd_t)
corenet_tcp_sendrecv_all_if(pppd_t)
corenet_raw_sendrecv_all_if(pppd_t)
@@ -261,6 +267,12 @@ kernel_read_proc_symlinks(pptp_t)
dev_read_sysfs(pptp_t)
+corenet_tcp_recv_unlabeled(pptp_t)
+corenet_udp_recv_unlabeled(pptp_t)
+corenet_raw_recv_unlabeled(pptp_t)
+corenet_tcp_recv_netlabel(pptp_t)
+corenet_udp_recv_netlabel(pptp_t)
+corenet_raw_recv_unlabeled(pptp_t)
corenet_non_ipsec_sendrecv(pptp_t)
corenet_tcp_sendrecv_all_if(pptp_t)
corenet_raw_sendrecv_all_if(pptp_t)
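Review bot: `corenet_raw_recv_unlabeled(pptp_t)` is added twice in this hunk and `corenet_raw_recv_netlabel(pptp_t)` is never added; the sixth added line looks like a copy-paste slip. The pppd_t hunk just above in the same file ends its block with `corenet_raw_recv_netlabel(pppd_t)`, so the last added line here should presumably read `corenet_raw_recv_netlabel(pptp_t)`. As posted, pptp_t is not granted receive access to NetLabel-labeled raw packets.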
Index: refpolicy_svn_repo/policy/modules/services/privoxy.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/privoxy.te
+++ refpolicy_svn_repo/policy/modules/services/privoxy.te
@@ -40,6 +40,8 @@ kernel_read_kernel_sysctls(privoxy_t)
kernel_list_proc(privoxy_t)
kernel_read_proc_symlinks(privoxy_t)
+corenet_tcp_recv_unlabeled(privoxy_t)
+corenet_tcp_recv_netlabel(privoxy_t)
corenet_non_ipsec_sendrecv(privoxy_t)
corenet_tcp_sendrecv_all_if(privoxy_t)
corenet_tcp_sendrecv_all_nodes(privoxy_t)
Index: refpolicy_svn_repo/policy/modules/services/procmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/procmail.te
+++ refpolicy_svn_repo/policy/modules/services/procmail.te
@@ -34,6 +34,10 @@ files_tmp_filetrans(procmail_t, procmail
kernel_read_system_state(procmail_t)
kernel_read_kernel_sysctls(procmail_t)
+corenet_tcp_recv_unlabeled(procmail_t)
+corenet_udp_recv_unlabeled(procmail_t)
+corenet_tcp_recv_netlabel(procmail_t)
+corenet_udp_recv_netlabel(procmail_t)
corenet_non_ipsec_sendrecv(procmail_t)
corenet_tcp_sendrecv_all_if(procmail_t)
corenet_udp_sendrecv_all_if(procmail_t)
Index: refpolicy_svn_repo/policy/modules/services/pyzor.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/pyzor.te
+++ refpolicy_svn_repo/policy/modules/services/pyzor.te
@@ -107,6 +107,8 @@ dev_read_urand(pyzord_t)
corecmd_exec_bin(pyzord_t)
+corenet_udp_recv_unlabeled(pyzord_t)
+corenet_udp_recv_netlabel(pyzord_t)
corenet_non_ipsec_sendrecv(pyzord_t)
corenet_udp_sendrecv_all_if(pyzord_t)
corenet_udp_sendrecv_all_nodes(pyzord_t)
Index: refpolicy_svn_repo/policy/modules/services/qmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/qmail.te
+++ refpolicy_svn_repo/policy/modules/services/qmail.te
@@ -171,6 +171,10 @@ allow qmail_remote_t self:udp_socket cre
rw_files_pattern(qmail_remote_t,qmail_spool_t,qmail_spool_t)
+corenet_tcp_recv_unlabeled(qmail_remote_t)
+corenet_udp_recv_unlabeled(qmail_remote_t)
+corenet_tcp_recv_netlabel(qmail_remote_t)
+corenet_udp_recv_netlabel(qmail_remote_t)
corenet_non_ipsec_sendrecv(qmail_remote_t)
corenet_tcp_sendrecv_generic_if(qmail_remote_t)
corenet_udp_sendrecv_generic_if(qmail_remote_t)
Index: refpolicy_svn_repo/policy/modules/services/radius.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/radius.te
+++ refpolicy_svn_repo/policy/modules/services/radius.te
@@ -58,6 +58,10 @@ files_pid_filetrans(radiusd_t,radiusd_va
kernel_read_kernel_sysctls(radiusd_t)
kernel_read_system_state(radiusd_t)
+corenet_tcp_recv_unlabeled(radiusd_t)
+corenet_udp_recv_unlabeled(radiusd_t)
+corenet_tcp_recv_netlabel(radiusd_t)
+corenet_udp_recv_netlabel(radiusd_t)
corenet_non_ipsec_sendrecv(radiusd_t)
corenet_tcp_sendrecv_all_if(radiusd_t)
corenet_udp_sendrecv_all_if(radiusd_t)
Index: refpolicy_svn_repo/policy/modules/services/radvd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/radvd.te
+++ refpolicy_svn_repo/policy/modules/services/radvd.te
@@ -38,6 +38,12 @@ kernel_read_net_sysctls(radvd_t)
kernel_read_network_state(radvd_t)
kernel_read_system_state(radvd_t)
+corenet_tcp_recv_unlabeled(radvd_t)
+corenet_udp_recv_unlabeled(radvd_t)
+corenet_raw_recv_unlabeled(radvd_t)
+corenet_tcp_recv_netlabel(radvd_t)
+corenet_udp_recv_netlabel(radvd_t)
+corenet_raw_recv_netlabel(radvd_t)
corenet_non_ipsec_sendrecv(radvd_t)
corenet_tcp_sendrecv_all_if(radvd_t)
corenet_udp_sendrecv_all_if(radvd_t)
Index: refpolicy_svn_repo/policy/modules/services/razor.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/razor.if
+++ refpolicy_svn_repo/policy/modules/services/razor.if
@@ -67,6 +67,10 @@ template(`razor_common_domain_template',
corecmd_exec_bin($1_t)
+ corenet_tcp_recv_unlabeled($1_t)
+ corenet_raw_recv_unlabeled($1_t)
+ corenet_tcp_recv_netlabel($1_t)
+ corenet_raw_recv_netlabel($1_t)
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_generic_if($1_t)
corenet_raw_sendrecv_generic_if($1_t)
Index: refpolicy_svn_repo/policy/modules/services/razor.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/razor.te
+++ refpolicy_svn_repo/policy/modules/services/razor.te
@@ -41,6 +41,10 @@ logging_log_filetrans(razor_t,razor_log_
manage_files_pattern(razor_t,razor_var_lib_t,razor_var_lib_t)
files_var_lib_filetrans(razor_t,razor_var_lib_t,file)
+corenet_tcp_recv_unlabeled(razor_t)
+corenet_raw_recv_unlabeled(razor_t)
+corenet_tcp_recv_netlabel(razor_t)
+corenet_raw_recv_netlabel(razor_t)
corenet_non_ipsec_sendrecv(razor_t)
corenet_tcp_sendrecv_generic_if(razor_t)
corenet_raw_sendrecv_generic_if(razor_t)
Index: refpolicy_svn_repo/policy/modules/services/rdisc.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rdisc.te
+++ refpolicy_svn_repo/policy/modules/services/rdisc.te
@@ -26,6 +26,10 @@ kernel_list_proc(rdisc_t)
kernel_read_proc_symlinks(rdisc_t)
kernel_read_kernel_sysctls(rdisc_t)
+corenet_udp_recv_unlabeled(rdisc_t)
+corenet_raw_recv_unlabeled(rdisc_t)
+corenet_udp_recv_netlabel(rdisc_t)
+corenet_raw_recv_netlabel(rdisc_t)
corenet_non_ipsec_sendrecv(rdisc_t)
corenet_udp_sendrecv_generic_if(rdisc_t)
corenet_raw_sendrecv_generic_if(rdisc_t)
Index: refpolicy_svn_repo/policy/modules/services/rhgb.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rhgb.te
+++ refpolicy_svn_repo/policy/modules/services/rhgb.te
@@ -44,6 +44,10 @@ kernel_read_system_state(rhgb_t)
corecmd_exec_bin(rhgb_t)
corecmd_exec_shell(rhgb_t)
+corenet_tcp_recv_unlabeled(rhgb_t)
+corenet_udp_recv_unlabeled(rhgb_t)
+corenet_tcp_recv_netlabel(rhgb_t)
+corenet_udp_recv_netlabel(rhgb_t)
corenet_non_ipsec_sendrecv(rhgb_t)
corenet_tcp_sendrecv_generic_if(rhgb_t)
corenet_udp_sendrecv_generic_if(rhgb_t)
Index: refpolicy_svn_repo/policy/modules/services/ricci.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ricci.te
+++ refpolicy_svn_repo/policy/modules/services/ricci.te
@@ -120,6 +120,10 @@ kernel_read_kernel_sysctls(ricci_t)
corecmd_exec_bin(ricci_t)
+corenet_tcp_recv_unlabeled(ricci_t)
+corenet_udp_recv_unlabeled(ricci_t)
+corenet_tcp_recv_netlabel(ricci_t)
+corenet_udp_recv_netlabel(ricci_t)
corenet_non_ipsec_sendrecv(ricci_t)
corenet_tcp_sendrecv_all_if(ricci_t)
corenet_tcp_sendrecv_all_nodes(ricci_t)
Index: refpolicy_svn_repo/policy/modules/services/rlogin.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rlogin.te
+++ refpolicy_svn_repo/policy/modules/services/rlogin.te
@@ -50,6 +50,10 @@ kernel_read_kernel_sysctls(rlogind_t)
kernel_read_system_state(rlogind_t)
kernel_read_network_state(rlogind_t)
+corenet_tcp_recv_unlabeled(rlogind_t)
+corenet_udp_recv_unlabeled(rlogind_t)
+corenet_tcp_recv_netlabel(rlogind_t)
+corenet_udp_recv_netlabel(rlogind_t)
corenet_non_ipsec_sendrecv(rlogind_t)
corenet_tcp_sendrecv_all_if(rlogind_t)
corenet_udp_sendrecv_all_if(rlogind_t)
Index: refpolicy_svn_repo/policy/modules/services/roundup.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/roundup.te
+++ refpolicy_svn_repo/policy/modules/services/roundup.te
@@ -43,6 +43,12 @@ dev_read_sysfs(roundup_t)
# execute python
corecmd_exec_bin(roundup_t)
+corenet_tcp_recv_unlabeled(roundup_t)
+corenet_udp_recv_unlabeled(roundup_t)
+corenet_raw_recv_unlabeled(roundup_t)
+corenet_tcp_recv_netlabel(roundup_t)
+corenet_udp_recv_netlabel(roundup_t)
+corenet_raw_recv_netlabel(roundup_t)
corenet_non_ipsec_sendrecv(roundup_t)
corenet_tcp_sendrecv_generic_if(roundup_t)
corenet_udp_sendrecv_generic_if(roundup_t)
Index: refpolicy_svn_repo/policy/modules/services/rpc.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rpc.if
+++ refpolicy_svn_repo/policy/modules/services/rpc.if
@@ -70,6 +70,10 @@ template(`rpc_domain_template', `
dev_read_urand($1_t)
dev_read_rand($1_t)
+ corenet_tcp_recv_unlabeled($1_t)
+ corenet_udp_recv_unlabeled($1_t)
+ corenet_tcp_recv_netlabel($1_t)
+ corenet_udp_recv_netlabel($1_t)
corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
Index: refpolicy_svn_repo/policy/modules/services/rshd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rshd.te
+++ refpolicy_svn_repo/policy/modules/services/rshd.te
@@ -23,6 +23,10 @@ allow rshd_t self:tcp_socket create_stre
kernel_read_kernel_sysctls(rshd_t)
+corenet_tcp_recv_unlabeled(rshd_t)
+corenet_udp_recv_unlabeled(rshd_t)
+corenet_tcp_recv_netlabel(rshd_t)
+corenet_udp_recv_netlabel(rshd_t)
corenet_non_ipsec_sendrecv(rshd_t)
corenet_tcp_sendrecv_generic_if(rshd_t)
corenet_udp_sendrecv_generic_if(rshd_t)
Index: refpolicy_svn_repo/policy/modules/services/rsync.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rsync.te
+++ refpolicy_svn_repo/policy/modules/services/rsync.te
@@ -61,6 +61,10 @@ kernel_read_kernel_sysctls(rsync_t)
kernel_read_system_state(rsync_t)
kernel_read_network_state(rsync_t)
+corenet_tcp_recv_unlabeled(rsync_t)
+corenet_udp_recv_unlabeled(rsync_t)
+corenet_tcp_recv_netlabel(rsync_t)
+corenet_udp_recv_netlabel(rsync_t)
corenet_non_ipsec_sendrecv(rsync_t)
corenet_tcp_sendrecv_all_if(rsync_t)
corenet_udp_sendrecv_all_if(rsync_t)
Index: refpolicy_svn_repo/policy/modules/services/rwho.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/rwho.te
+++ refpolicy_svn_repo/policy/modules/services/rwho.te
@@ -32,6 +32,8 @@ files_spool_filetrans(rwho_t,rwho_spool_
kernel_read_system_state(rwho_t)
+corenet_udp_recv_unlabeled(rwho_t)
+corenet_udp_recv_netlabel(rwho_t)
corenet_non_ipsec_sendrecv(rwho_t)
corenet_udp_sendrecv_all_if(rwho_t)
corenet_udp_sendrecv_all_nodes(rwho_t)
Index: refpolicy_svn_repo/policy/modules/services/samba.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/samba.te
+++ refpolicy_svn_repo/policy/modules/services/samba.te
@@ -133,6 +133,11 @@ manage_lnk_files_pattern(samba_net_t,sam
kernel_read_proc_symlinks(samba_net_t)
+corenet_tcp_recv_unlabeled(samba_net_t)
+corenet_udp_recv_unlabeled(samba_net_t)
+corenet_tcp_recv_netlabel(samba_net_t)
+corenet_udp_recv_netlabel(samba_net_t)
+corenet_non_ipsec_sendrecv(samba_net_t)
corenet_tcp_sendrecv_all_if(samba_net_t)
corenet_udp_sendrecv_all_if(samba_net_t)
corenet_raw_sendrecv_all_if(samba_net_t)
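Review bot: the added `corenet_non_ipsec_sendrecv(samba_net_t)` at the end of the new block is not a new permission; the next hunk deletes the same call further down, so this is a reorder folded into a patch whose description only mentions adding NetLabel interface calls. Mention the move in the changelog or split it into its own patch, so the lines that actually grant access are easy to audit on their own. The same move is repeated for smbd_t, smbmount_t and winbind_t in this file.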
@@ -141,7 +146,6 @@ corenet_udp_sendrecv_all_nodes(samba_net
corenet_raw_sendrecv_all_nodes(samba_net_t)
corenet_tcp_sendrecv_all_ports(samba_net_t)
corenet_udp_sendrecv_all_ports(samba_net_t)
-corenet_non_ipsec_sendrecv(samba_net_t)
corenet_tcp_bind_all_nodes(samba_net_t)
corenet_udp_bind_all_nodes(samba_net_t)
corenet_tcp_connect_smbd_port(samba_net_t)
@@ -241,6 +245,11 @@ kernel_read_kernel_sysctls(smbd_t)
kernel_read_software_raid_state(smbd_t)
kernel_read_system_state(smbd_t)
+corenet_tcp_recv_unlabeled(smbd_t)
+corenet_udp_recv_unlabeled(smbd_t)
+corenet_tcp_recv_netlabel(smbd_t)
+corenet_udp_recv_netlabel(smbd_t)
+corenet_non_ipsec_sendrecv(smbd_t)
corenet_tcp_sendrecv_all_if(smbd_t)
corenet_udp_sendrecv_all_if(smbd_t)
corenet_raw_sendrecv_all_if(smbd_t)
@@ -249,7 +258,6 @@ corenet_udp_sendrecv_all_nodes(smbd_t)
corenet_raw_sendrecv_all_nodes(smbd_t)
corenet_tcp_sendrecv_all_ports(smbd_t)
corenet_udp_sendrecv_all_ports(smbd_t)
-corenet_non_ipsec_sendrecv(smbd_t)
corenet_tcp_bind_all_nodes(smbd_t)
corenet_udp_bind_all_nodes(smbd_t)
corenet_tcp_bind_smbd_port(smbd_t)
@@ -380,6 +388,10 @@ kernel_read_network_state(nmbd_t)
kernel_read_software_raid_state(nmbd_t)
kernel_read_system_state(nmbd_t)
+corenet_tcp_recv_unlabeled(nmbd_t)
+corenet_udp_recv_unlabeled(nmbd_t)
+corenet_tcp_recv_netlabel(nmbd_t)
+corenet_udp_recv_netlabel(nmbd_t)
corenet_non_ipsec_sendrecv(nmbd_t)
corenet_tcp_sendrecv_all_if(nmbd_t)
corenet_udp_sendrecv_all_if(nmbd_t)
@@ -463,6 +475,11 @@ manage_lnk_files_pattern(smbmount_t,samb
kernel_read_system_state(smbmount_t)
+corenet_tcp_recv_unlabeled(smbmount_t)
+corenet_udp_recv_unlabeled(smbmount_t)
+corenet_tcp_recv_netlabel(smbmount_t)
+corenet_udp_recv_netlabel(smbmount_t)
+corenet_non_ipsec_sendrecv(smbmount_t)
corenet_tcp_sendrecv_all_if(smbmount_t)
corenet_raw_sendrecv_all_if(smbmount_t)
corenet_udp_sendrecv_all_if(smbmount_t)
@@ -471,7 +488,6 @@ corenet_raw_sendrecv_all_nodes(smbmount_
corenet_udp_sendrecv_all_nodes(smbmount_t)
corenet_tcp_sendrecv_all_ports(smbmount_t)
corenet_udp_sendrecv_all_ports(smbmount_t)
-corenet_non_ipsec_sendrecv(smbmount_t)
corenet_tcp_bind_all_nodes(smbmount_t)
corenet_udp_bind_all_nodes(smbmount_t)
corenet_tcp_connect_all_ports(smbmount_t)
@@ -566,6 +582,10 @@ kernel_read_network_state(swat_t)
corecmd_search_bin(swat_t)
+corenet_tcp_recv_unlabeled(swat_t)
+corenet_udp_recv_unlabeled(swat_t)
+corenet_tcp_recv_netlabel(swat_t)
+corenet_udp_recv_netlabel(swat_t)
corenet_non_ipsec_sendrecv(swat_t)
corenet_tcp_sendrecv_generic_if(swat_t)
corenet_udp_sendrecv_generic_if(swat_t)
@@ -663,6 +683,11 @@ kernel_read_kernel_sysctls(winbind_t)
kernel_list_proc(winbind_t)
kernel_read_proc_symlinks(winbind_t)
+corenet_tcp_recv_unlabeled(winbind_t)
+corenet_udp_recv_unlabeled(winbind_t)
+corenet_tcp_recv_netlabel(winbind_t)
+corenet_udp_recv_netlabel(winbind_t)
+corenet_non_ipsec_sendrecv(winbind_t)
corenet_tcp_sendrecv_all_if(winbind_t)
corenet_udp_sendrecv_all_if(winbind_t)
corenet_raw_sendrecv_all_if(winbind_t)
@@ -671,7 +696,6 @@ corenet_udp_sendrecv_all_nodes(winbind_t
corenet_raw_sendrecv_all_nodes(winbind_t)
corenet_tcp_sendrecv_all_ports(winbind_t)
corenet_udp_sendrecv_all_ports(winbind_t)
-corenet_non_ipsec_sendrecv(winbind_t)
corenet_tcp_bind_all_nodes(winbind_t)
corenet_udp_bind_all_nodes(winbind_t)
corenet_tcp_connect_smbd_port(winbind_t)
Index: refpolicy_svn_repo/policy/modules/services/sasl.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/sasl.te
+++ refpolicy_svn_repo/policy/modules/services/sasl.te
@@ -47,6 +47,8 @@ files_pid_filetrans(saslauthd_t,saslauth
kernel_read_kernel_sysctls(saslauthd_t)
kernel_read_system_state(saslauthd_t)
+corenet_tcp_recv_unlabeled(saslauthd_t)
+corenet_tcp_recv_netlabel(saslauthd_t)
corenet_non_ipsec_sendrecv(saslauthd_t)
corenet_tcp_sendrecv_all_if(saslauthd_t)
corenet_tcp_sendrecv_all_nodes(saslauthd_t)
Index: refpolicy_svn_repo/policy/modules/services/sendmail.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/sendmail.te
+++ refpolicy_svn_repo/policy/modules/services/sendmail.te
@@ -49,6 +49,8 @@ kernel_read_kernel_sysctls(sendmail_t)
# for piping mail to a command
kernel_read_system_state(sendmail_t)
+corenet_tcp_recv_unlabeled(sendmail_t)
+corenet_tcp_recv_netlabel(sendmail_t)
corenet_non_ipsec_sendrecv(sendmail_t)
corenet_tcp_sendrecv_all_if(sendmail_t)
corenet_tcp_sendrecv_all_nodes(sendmail_t)
Index: refpolicy_svn_repo/policy/modules/services/setroubleshoot.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/setroubleshoot.te
+++ refpolicy_svn_repo/policy/modules/services/setroubleshoot.te
@@ -58,6 +58,8 @@ kernel_read_network_state(setroubleshoot
corecmd_exec_bin(setroubleshootd_t)
corecmd_exec_shell(setroubleshootd_t)
+corenet_tcp_recv_unlabeled(setroubleshootd_t)
+corenet_tcp_recv_netlabel(setroubleshootd_t)
corenet_non_ipsec_sendrecv(setroubleshootd_t)
corenet_tcp_sendrecv_generic_if(setroubleshootd_t)
corenet_tcp_sendrecv_all_nodes(setroubleshootd_t)
Index: refpolicy_svn_repo/policy/modules/services/smartmon.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/smartmon.te
+++ refpolicy_svn_repo/policy/modules/services/smartmon.te
@@ -42,6 +42,8 @@ kernel_read_system_state(fsdaemon_t)
corecmd_exec_all_executables(fsdaemon_t)
+corenet_udp_recv_unlabeled(fsdaemon_t)
+corenet_udp_recv_netlabel(fsdaemon_t)
corenet_non_ipsec_sendrecv(fsdaemon_t)
corenet_udp_sendrecv_generic_if(fsdaemon_t)
corenet_udp_sendrecv_all_nodes(fsdaemon_t)
Index: refpolicy_svn_repo/policy/modules/services/snmp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/snmp.te
+++ refpolicy_svn_repo/policy/modules/services/snmp.te
@@ -58,6 +58,10 @@ kernel_read_network_state(snmpd_t)
corecmd_exec_bin(snmpd_t)
corecmd_exec_shell(snmpd_t)
+corenet_tcp_recv_unlabeled(snmpd_t)
+corenet_udp_recv_unlabeled(snmpd_t)
+corenet_tcp_recv_netlabel(snmpd_t)
+corenet_udp_recv_netlabel(snmpd_t)
corenet_non_ipsec_sendrecv(snmpd_t)
corenet_tcp_sendrecv_all_if(snmpd_t)
corenet_udp_sendrecv_all_if(snmpd_t)
Index: refpolicy_svn_repo/policy/modules/services/snort.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/snort.te
+++ refpolicy_svn_repo/policy/modules/services/snort.te
@@ -55,6 +55,12 @@ kernel_list_proc(snort_t)
kernel_read_proc_symlinks(snort_t)
kernel_dontaudit_read_system_state(snort_t)
+corenet_tcp_recv_unlabeled(snort_t)
+corenet_udp_recv_unlabeled(snort_t)
+corenet_raw_recv_unlabeled(snort_t)
+corenet_tcp_recv_netlabel(snort_t)
+corenet_udp_recv_netlabel(snort_t)
+corenet_raw_recv_netlabel(snort_t)
corenet_non_ipsec_sendrecv(snort_t)
corenet_tcp_sendrecv_generic_if(snort_t)
corenet_udp_sendrecv_generic_if(snort_t)
Index: refpolicy_svn_repo/policy/modules/services/soundserver.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/soundserver.te
+++ refpolicy_svn_repo/policy/modules/services/soundserver.te
@@ -62,6 +62,10 @@ kernel_read_kernel_sysctls(soundd_t)
kernel_list_proc(soundd_t)
kernel_read_proc_symlinks(soundd_t)
+corenet_tcp_recv_unlabeled(soundd_t)
+corenet_udp_recv_unlabeled(soundd_t)
+corenet_tcp_recv_netlabel(soundd_t)
+corenet_udp_recv_netlabel(soundd_t)
corenet_non_ipsec_sendrecv(soundd_t)
corenet_tcp_sendrecv_generic_if(soundd_t)
corenet_udp_sendrecv_generic_if(soundd_t)
Index: refpolicy_svn_repo/policy/modules/services/spamassassin.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/spamassassin.if
+++ refpolicy_svn_repo/policy/modules/services/spamassassin.if
@@ -97,6 +97,10 @@ template(`spamassassin_per_role_template
kernel_read_kernel_sysctls($1_spamc_t)
+ corenet_tcp_recv_unlabeled($1_spamc_t)
+ corenet_udp_recv_unlabeled($1_spamc_t)
+ corenet_tcp_recv_netlabel($1_spamc_t)
+ corenet_udp_recv_netlabel($1_spamc_t)
corenet_non_ipsec_sendrecv($1_spamc_t)
corenet_tcp_sendrecv_generic_if($1_spamc_t)
corenet_udp_sendrecv_generic_if($1_spamc_t)
@@ -267,6 +271,10 @@ template(`spamassassin_per_role_template
allow $1_spamassassin_t self:tcp_socket create_stream_socket_perms;
allow $1_spamassassin_t self:udp_socket create_socket_perms;
+ corenet_tcp_recv_unlabeled($1_spamassassin_t)
+ corenet_udp_recv_unlabeled($1_spamassassin_t)
+ corenet_tcp_recv_netlabel($1_spamassassin_t)
+ corenet_udp_recv_netlabel($1_spamassassin_t)
corenet_non_ipsec_sendrecv($1_spamassassin_t)
corenet_tcp_sendrecv_generic_if($1_spamassassin_t)
corenet_udp_sendrecv_generic_if($1_spamassassin_t)
Index: refpolicy_svn_repo/policy/modules/services/spamassassin.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/spamassassin.te
+++ refpolicy_svn_repo/policy/modules/services/spamassassin.te
@@ -93,6 +93,10 @@ files_pid_filetrans(spamd_t,spamd_var_ru
kernel_read_all_sysctls(spamd_t)
kernel_read_system_state(spamd_t)
+corenet_tcp_recv_unlabeled(spamd_t)
+corenet_udp_recv_unlabeled(spamd_t)
+corenet_tcp_recv_netlabel(spamd_t)
+corenet_udp_recv_netlabel(spamd_t)
corenet_non_ipsec_sendrecv(spamd_t)
corenet_tcp_sendrecv_all_if(spamd_t)
corenet_udp_sendrecv_all_if(spamd_t)
Index: refpolicy_svn_repo/policy/modules/services/squid.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/squid.te
+++ refpolicy_svn_repo/policy/modules/services/squid.te
@@ -75,6 +75,10 @@ kernel_read_system_state(squid_t)
files_dontaudit_getattr_boot_dirs(squid_t)
+corenet_tcp_recv_unlabeled(squid_t)
+corenet_udp_recv_unlabeled(squid_t)
+corenet_tcp_recv_netlabel(squid_t)
+corenet_udp_recv_netlabel(squid_t)
corenet_non_ipsec_sendrecv(squid_t)
corenet_tcp_sendrecv_all_if(squid_t)
corenet_udp_sendrecv_all_if(squid_t)
Index: refpolicy_svn_repo/policy/modules/services/ssh.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ssh.if
+++ refpolicy_svn_repo/policy/modules/services/ssh.if
@@ -109,6 +109,8 @@ template(`ssh_basic_client_template',`
kernel_read_kernel_sysctls($1_ssh_t)
+ corenet_tcp_recv_unlabeled($1_ssh_t)
+ corenet_tcp_recv_netlabel($1_ssh_t)
corenet_non_ipsec_sendrecv($1_ssh_t)
corenet_tcp_sendrecv_all_if($1_ssh_t)
corenet_tcp_sendrecv_all_nodes($1_ssh_t)
@@ -466,6 +468,11 @@ template(`ssh_server_template', `
kernel_read_kernel_sysctls($1_t)
+ corenet_tcp_recv_unlabeled($1_t)
+ corenet_udp_recv_unlabeled($1_t)
+ corenet_tcp_recv_netlabel($1_t)
+ corenet_udp_recv_netlabel($1_t)
+ corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_sendrecv_all_if($1_t)
corenet_udp_sendrecv_all_if($1_t)
corenet_raw_sendrecv_all_if($1_t)
@@ -474,7 +481,6 @@ template(`ssh_server_template', `
corenet_raw_sendrecv_all_nodes($1_t)
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_sendrecv_all_ports($1_t)
- corenet_non_ipsec_sendrecv($1_t)
corenet_tcp_bind_all_nodes($1_t)
corenet_udp_bind_all_nodes($1_t)
corenet_tcp_bind_ssh_port($1_t)
Index: refpolicy_svn_repo/policy/modules/services/stunnel.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/stunnel.te
+++ refpolicy_svn_repo/policy/modules/services/stunnel.te
@@ -55,6 +55,10 @@ kernel_read_kernel_sysctls(stunnel_t)
kernel_read_system_state(stunnel_t)
kernel_read_network_state(stunnel_t)
+corenet_tcp_recv_unlabeled(stunnel_t)
+corenet_udp_recv_unlabeled(stunnel_t)
+corenet_tcp_recv_netlabel(stunnel_t)
+corenet_udp_recv_netlabel(stunnel_t)
corenet_non_ipsec_sendrecv(stunnel_t)
corenet_tcp_sendrecv_all_if(stunnel_t)
corenet_udp_sendrecv_all_if(stunnel_t)
Index: refpolicy_svn_repo/policy/modules/services/tcpd.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/tcpd.te
+++ refpolicy_svn_repo/policy/modules/services/tcpd.te
@@ -23,6 +23,8 @@ manage_dirs_pattern(tcpd_t,tcpd_tmp_t,tc
manage_files_pattern(tcpd_t,tcpd_tmp_t,tcpd_tmp_t)
files_tmp_filetrans(tcpd_t, tcpd_tmp_t, { file dir })
+corenet_tcp_recv_unlabeled(tcpd_t)
+corenet_tcp_recv_netlabel(tcpd_t)
corenet_non_ipsec_sendrecv(tcpd_t)
corenet_tcp_sendrecv_all_if(tcpd_t)
corenet_tcp_sendrecv_all_nodes(tcpd_t)
Index: refpolicy_svn_repo/policy/modules/services/telnet.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/telnet.te
+++ refpolicy_svn_repo/policy/modules/services/telnet.te
@@ -49,6 +49,10 @@ kernel_read_kernel_sysctls(telnetd_t)
kernel_read_system_state(telnetd_t)
kernel_read_network_state(telnetd_t)
+corenet_tcp_recv_unlabeled(telnetd_t)
+corenet_udp_recv_unlabeled(telnetd_t)
+corenet_tcp_recv_netlabel(telnetd_t)
+corenet_udp_recv_netlabel(telnetd_t)
corenet_non_ipsec_sendrecv(telnetd_t)
corenet_tcp_sendrecv_all_if(telnetd_t)
corenet_udp_sendrecv_all_if(telnetd_t)
Index: refpolicy_svn_repo/policy/modules/services/tftp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/tftp.te
+++ refpolicy_svn_repo/policy/modules/services/tftp.te
@@ -39,6 +39,10 @@ kernel_read_kernel_sysctls(tftpd_t)
kernel_list_proc(tftpd_t)
kernel_read_proc_symlinks(tftpd_t)
+corenet_tcp_recv_unlabeled(tftpd_t)
+corenet_udp_recv_unlabeled(tftpd_t)
+corenet_tcp_recv_netlabel(tftpd_t)
+corenet_udp_recv_netlabel(tftpd_t)
corenet_non_ipsec_sendrecv(tftpd_t)
corenet_tcp_sendrecv_all_if(tftpd_t)
corenet_udp_sendrecv_all_if(tftpd_t)
Index: refpolicy_svn_repo/policy/modules/services/timidity.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/timidity.te
+++ refpolicy_svn_repo/policy/modules/services/timidity.te
@@ -39,6 +39,10 @@ kernel_read_kernel_sysctls(timidity_t)
# read /proc/cpuinfo
kernel_read_system_state(timidity_t)
+corenet_tcp_recv_unlabeled(timidity_t)
+corenet_udp_recv_unlabeled(timidity_t)
+corenet_tcp_recv_netlabel(timidity_t)
+corenet_udp_recv_netlabel(timidity_t)
corenet_non_ipsec_sendrecv(timidity_t)
corenet_tcp_sendrecv_generic_if(timidity_t)
corenet_udp_sendrecv_generic_if(timidity_t)
Index: refpolicy_svn_repo/policy/modules/services/tor.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/tor.te
+++ refpolicy_svn_repo/policy/modules/services/tor.te
@@ -63,6 +63,8 @@ files_pid_filetrans(tor_t,tor_var_run_t,
kernel_read_system_state(tor_t)
# networking basics
+corenet_tcp_recv_unlabeled(tor_t)
+corenet_tcp_recv_netlabel(tor_t)
corenet_non_ipsec_sendrecv(tor_t)
corenet_tcp_sendrecv_all_if(tor_t)
corenet_tcp_sendrecv_all_nodes(tor_t)
Index: refpolicy_svn_repo/policy/modules/services/transproxy.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/transproxy.te
+++ refpolicy_svn_repo/policy/modules/services/transproxy.te
@@ -30,6 +30,8 @@ kernel_read_kernel_sysctls(transproxy_t)
kernel_list_proc(transproxy_t)
kernel_read_proc_symlinks(transproxy_t)
+corenet_tcp_recv_unlabeled(transproxy_t)
+corenet_tcp_recv_netlabel(transproxy_t)
corenet_non_ipsec_sendrecv(transproxy_t)
corenet_tcp_sendrecv_generic_if(transproxy_t)
corenet_tcp_sendrecv_all_nodes(transproxy_t)
Index: refpolicy_svn_repo/policy/modules/services/ucspitcp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/ucspitcp.te
+++ refpolicy_svn_repo/policy/modules/services/ucspitcp.te
@@ -25,13 +25,17 @@ ucspitcp_service_domain(rblsmtpd_t, rbls
corecmd_search_bin(rblsmtpd_t)
+corenet_tcp_recv_unlabeled(rblsmtpd_t)
+corenet_udp_recv_unlabeled(rblsmtpd_t)
+corenet_tcp_recv_netlabel(rblsmtpd_t)
+corenet_udp_recv_netlabel(rblsmtpd_t)
+corenet_non_ipsec_sendrecv(rblsmtpd_t)
corenet_tcp_sendrecv_all_if(rblsmtpd_t)
corenet_udp_sendrecv_all_if(rblsmtpd_t)
corenet_tcp_sendrecv_all_nodes(rblsmtpd_t)
corenet_udp_sendrecv_all_nodes(rblsmtpd_t)
corenet_tcp_sendrecv_all_ports(rblsmtpd_t)
corenet_udp_sendrecv_all_ports(rblsmtpd_t)
-corenet_non_ipsec_sendrecv(rblsmtpd_t)
corenet_tcp_bind_all_nodes(rblsmtpd_t)
corenet_udp_bind_generic_port(rblsmtpd_t)
@@ -58,6 +62,10 @@ allow ucspitcp_t self:udp_socket create_
corecmd_search_bin(ucspitcp_t)
# base networking:
+corenet_tcp_recv_unlabeled(ucspitcp_t)
+corenet_udp_recv_unlabeled(ucspitcp_t)
+corenet_tcp_recv_netlabel(ucspitcp_t)
+corenet_udp_recv_netlabel(ucspitcp_t)
corenet_non_ipsec_sendrecv(ucspitcp_t)
corenet_tcp_sendrecv_all_if(ucspitcp_t)
corenet_udp_sendrecv_all_if(ucspitcp_t)
Index: refpolicy_svn_repo/policy/modules/services/uucp.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/uucp.te
+++ refpolicy_svn_repo/policy/modules/services/uucp.te
@@ -70,6 +70,10 @@ kernel_read_kernel_sysctls(uucpd_t)
kernel_read_system_state(uucpd_t)
kernel_read_network_state(uucpd_t)
+corenet_tcp_recv_unlabeled(uucpd_t)
+corenet_udp_recv_unlabeled(uucpd_t)
+corenet_tcp_recv_netlabel(uucpd_t)
+corenet_udp_recv_netlabel(uucpd_t)
corenet_non_ipsec_sendrecv(uucpd_t)
corenet_tcp_sendrecv_all_if(uucpd_t)
corenet_udp_sendrecv_all_if(uucpd_t)
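Review bot: the four calls added here for uucpd_t (tcp/udp recv_unlabeled plus tcp/udp recv_netlabel) are the same block that is pasted into the ucspitcp, watchdog, xprint and xserver hunks with only the domain changed. A single corenet interface that takes the domain and expands to these calls would keep the modules from drifting apart and give one place to audit, or later make conditional, which domains accept unlabeled traffic.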
Index: refpolicy_svn_repo/policy/modules/services/uwimap.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/uwimap.te
+++ refpolicy_svn_repo/policy/modules/services/uwimap.te
@@ -39,6 +39,8 @@ kernel_read_kernel_sysctls(imapd_t)
kernel_list_proc(imapd_t)
kernel_read_proc_symlinks(imapd_t)
+corenet_tcp_recv_unlabeled(imapd_t)
+corenet_tcp_recv_netlabel(imapd_t)
corenet_non_ipsec_sendrecv(imapd_t)
corenet_tcp_sendrecv_generic_if(imapd_t)
corenet_tcp_sendrecv_all_nodes(imapd_t)
Index: refpolicy_svn_repo/policy/modules/services/watchdog.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/watchdog.te
+++ refpolicy_svn_repo/policy/modules/services/watchdog.te
@@ -43,6 +43,10 @@ kernel_unmount_proc(watchdog_t)
corecmd_exec_shell(watchdog_t)
# cjp: why networking?
+corenet_tcp_recv_unlabeled(watchdog_t)
+corenet_udp_recv_unlabeled(watchdog_t)
+corenet_tcp_recv_netlabel(watchdog_t)
+corenet_udp_recv_netlabel(watchdog_t)
corenet_non_ipsec_sendrecv(watchdog_t)
corenet_tcp_sendrecv_generic_if(watchdog_t)
corenet_udp_sendrecv_generic_if(watchdog_t)
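Review bot: the four new receive grants for watchdog_t are added directly under the existing "# cjp: why networking?" comment, which already questions whether this domain should have network access at all. Extending the block with unlabeled and NetLabel receive permissions before that question is answered widens a grant the policy itself flags as doubtful. Either resolve the comment first, or leave watchdog_t out of this patch and add the calls once the networking requirement is confirmed.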
Index: refpolicy_svn_repo/policy/modules/services/xprint.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xprint.te
+++ refpolicy_svn_repo/policy/modules/services/xprint.te
@@ -33,6 +33,10 @@ kernel_read_kernel_sysctls(xprint_t)
corecmd_exec_bin(xprint_t)
corecmd_exec_shell(xprint_t)
+corenet_tcp_recv_unlabeled(xprint_t)
+corenet_udp_recv_unlabeled(xprint_t)
+corenet_tcp_recv_netlabel(xprint_t)
+corenet_udp_recv_netlabel(xprint_t)
corenet_non_ipsec_sendrecv(xprint_t)
corenet_tcp_sendrecv_generic_if(xprint_t)
corenet_udp_sendrecv_generic_if(xprint_t)
Index: refpolicy_svn_repo/policy/modules/services/xserver.if
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xserver.if
+++ refpolicy_svn_repo/policy/modules/services/xserver.if
@@ -94,6 +94,10 @@ template(`xserver_common_domain_template
corecmd_exec_bin($1_xserver_t)
corecmd_exec_shell($1_xserver_t)
+ corenet_tcp_recv_unlabeled($1_xserver_t)
+ corenet_udp_recv_unlabeled($1_xserver_t)
+ corenet_tcp_recv_netlabel($1_xserver_t)
+ corenet_udp_recv_netlabel($1_xserver_t)
corenet_non_ipsec_sendrecv($1_xserver_t)
corenet_tcp_sendrecv_generic_if($1_xserver_t)
corenet_udp_sendrecv_generic_if($1_xserver_t)
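Review bot: these additions sit inside template(`xserver_common_domain_template, so the unlabeled and NetLabel receive grants apply to every $1_xserver_t domain the template instantiates, not to one service domain. The changelog only speaks of "the relevant service domains". Please state in the commit message (and in the template's documentation, if it lists the access it grants) that all derived X server domains are affected.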
Index: refpolicy_svn_repo/policy/modules/services/xserver.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/xserver.te
+++ refpolicy_svn_repo/policy/modules/services/xserver.te
@@ -177,6 +177,10 @@ kernel_read_network_state(xdm_t)
corecmd_exec_shell(xdm_t)
corecmd_exec_bin(xdm_t)
+corenet_tcp_recv_unlabeled(xdm_t)
+corenet_udp_recv_unlabeled(xdm_t)
+corenet_tcp_recv_netlabel(xdm_t)
+corenet_udp_recv_netlabel(xdm_t)
corenet_non_ipsec_sendrecv(xdm_t)
corenet_tcp_sendrecv_generic_if(xdm_t)
corenet_udp_sendrecv_generic_if(xdm_t)
Index: refpolicy_svn_repo/policy/modules/services/zebra.te
===================================================================
--- refpolicy_svn_repo.orig/policy/modules/services/zebra.te
+++ refpolicy_svn_repo/policy/modules/services/zebra.te
@@ -67,6 +67,12 @@ kernel_read_system_state(zebra_t)
kernel_read_kernel_sysctls(zebra_t)
kernel_rw_net_sysctls(zebra_t)
+corenet_tcp_recv_unlabeled(zebra_t)
+corenet_udp_recv_unlabeled(zebra_t)
+corenet_raw_recv_unlabeled(zebra_t)
+corenet_tcp_recv_netlabel(zebra_t)
+corenet_udp_recv_netlabel(zebra_t)
+corenet_raw_recv_netlabel(zebra_t)
corenet_non_ipsec_sendrecv(zebra_t)
corenet_tcp_sendrecv_all_if(zebra_t)
corenet_udp_sendrecv_all_if(zebra_t)
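Review bot: zebra_t is the only domain in this part of the patch that also gets corenet_raw_recv_unlabeled and corenet_raw_recv_netlabel, but the context visible in the hunk shows only tcp and udp sendrecv rules. Please confirm that zebra_t already has the matching raw sendrecv rules further down in zebra.te. If it does not, the raw receive grants are either unused or a new permission that the changelog should justify.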
--
paul moore
linux security @ hp