packet updates for kernel, nscd, bind, ntp, spamassassin, and dhcpc

refpolicy/policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.7)
+policy_module(kernel,1.3.8)
 
 ########################################
 #
@@ -201,12 +201,12 @@ corenet_non_ipsec_sendrecv(kernel_t)
 corenet_raw_sendrecv_all_if(kernel_t)
 corenet_raw_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_if(kernel_t)
-
 # Kernel-generated traffic e.g., TCP resets:
 corenet_tcp_sendrecv_all_if(kernel_t)
 corenet_tcp_sendrecv_all_nodes(kernel_t)
 corenet_raw_send_generic_node(kernel_t)
 corenet_raw_send_multicast_node(kernel_t)
+corenet_send_all_packets(kernel_t)
 
 dev_read_sysfs(kernel_t)
 dev_search_usbfs(kernel_t)

refpolicy/policy/modules/services/bind.te

@@ -1,5 +1,5 @@
 
-policy_module(bind,1.1.4)
+policy_module(bind,1.1.5)
 
 ########################################
 #
@@ -112,6 +112,10 @@ corenet_tcp_bind_dns_port(named_t)
 corenet_udp_bind_dns_port(named_t)
 corenet_tcp_bind_rndc_port(named_t)
 corenet_tcp_connect_all_ports(named_t)
+corenet_sendrecv_dns_server_packets(named_t)
+corenet_sendrecv_dns_client_packets(named_t)
+corenet_sendrecv_rndc_server_packets(named_t)
+corenet_sendrecv_rndc_client_packets(named_t)
 
 dev_read_sysfs(named_t)
 dev_read_rand(named_t)
@@ -244,6 +248,7 @@ corenet_tcp_sendrecv_all_if(ndc_t)
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
 corenet_tcp_connect_rndc_port(ndc_t)
+corenet_sendrecv_rndc_client_packets(ndc_t)
 
 fs_getattr_xattr_fs(ndc_t)
 

refpolicy/policy/modules/services/nscd.te

@@ -1,5 +1,5 @@
 
-policy_module(nscd,1.2.2)
+policy_module(nscd,1.2.3)
 
 gen_require(`
 	class nscd all_nscd_perms;
@@ -68,17 +68,13 @@ term_dontaudit_use_console(nscd_t)
 # for when /etc/passwd has just been updated and has the wrong type
 auth_getattr_shadow(nscd_t)
 
+corenet_non_ipsec_sendrecv(nscd_t)
 corenet_tcp_sendrecv_all_if(nscd_t)
 corenet_udp_sendrecv_all_if(nscd_t)
-corenet_raw_sendrecv_all_if(nscd_t)
 corenet_tcp_sendrecv_all_nodes(nscd_t)
 corenet_udp_sendrecv_all_nodes(nscd_t)
-corenet_raw_sendrecv_all_nodes(nscd_t)
 corenet_tcp_sendrecv_all_ports(nscd_t)
 corenet_udp_sendrecv_all_ports(nscd_t)
-corenet_non_ipsec_sendrecv(nscd_t)
-corenet_tcp_bind_all_nodes(nscd_t)
-corenet_udp_bind_all_nodes(nscd_t)
 corenet_tcp_connect_all_ports(nscd_t)
 corenet_rw_tun_tap_dev(nscd_t)
 
@@ -108,6 +104,7 @@ seutil_read_config(nscd_t)
 seutil_read_default_contexts(nscd_t)
 seutil_sigchld_newrole(nscd_t)
 
+sysnet_dns_name_resolve(nscd_t)
 sysnet_read_config(nscd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(nscd_t)

refpolicy/policy/modules/services/ntp.te

@@ -1,5 +1,5 @@
 
-policy_module(ntp,1.1.0)
+policy_module(ntp,1.1.1)
 
 ########################################
 #
@@ -63,19 +63,19 @@ files_pid_filetrans(ntpd_t,ntpd_var_run_t,file)
 kernel_read_kernel_sysctls(ntpd_t)
 kernel_read_system_state(ntpd_t)
 
+corenet_non_ipsec_sendrecv(ntpd_t)
 corenet_tcp_sendrecv_all_if(ntpd_t)
 corenet_udp_sendrecv_all_if(ntpd_t)
-corenet_raw_sendrecv_all_if(ntpd_t)
 corenet_tcp_sendrecv_all_nodes(ntpd_t)
 corenet_udp_sendrecv_all_nodes(ntpd_t)
-corenet_raw_sendrecv_all_nodes(ntpd_t)
 corenet_tcp_sendrecv_all_ports(ntpd_t)
 corenet_udp_sendrecv_all_ports(ntpd_t)
-corenet_non_ipsec_sendrecv(ntpd_t)
 corenet_tcp_bind_all_nodes(ntpd_t)
 corenet_udp_bind_all_nodes(ntpd_t)
 corenet_udp_bind_ntp_port(ntpd_t)
 corenet_tcp_connect_ntp_port(ntpd_t)
+corenet_sendrecv_ntp_server_packets(ntpd_t)
+corenet_sendrecv_ntp_client_packets(ntpd_t)
 
 dev_read_sysfs(ntpd_t)
 # for SSP

refpolicy/policy/modules/services/spamassassin.te

@@ -1,5 +1,5 @@
 
-policy_module(spamassassin,1.3.6)
+policy_module(spamassassin,1.3.7)
 
 ########################################
 #
@@ -61,24 +61,22 @@ kernel_read_all_sysctls(spamd_t)
 kernel_read_system_state(spamd_t)
 kernel_tcp_recvfrom(spamd_t)
 
+corenet_non_ipsec_sendrecv(spamd_t)
 corenet_tcp_sendrecv_all_if(spamd_t)
 corenet_udp_sendrecv_all_if(spamd_t)
-corenet_raw_sendrecv_all_if(spamd_t)
 corenet_tcp_sendrecv_all_nodes(spamd_t)
 corenet_udp_sendrecv_all_nodes(spamd_t)
-corenet_raw_sendrecv_all_nodes(spamd_t)
 corenet_tcp_sendrecv_all_ports(spamd_t)
 corenet_udp_sendrecv_all_ports(spamd_t)
-corenet_non_ipsec_sendrecv(spamd_t)
 corenet_tcp_bind_all_nodes(spamd_t)
 corenet_udp_bind_all_nodes(spamd_t)
 corenet_tcp_bind_spamd_port(spamd_t)
+corenet_tcp_connect_razor_port(spamd_t)
 # spamassassin 3.1 needs this for its
 # DnsResolver.pm module which binds to
 # random ports >= 1024.
 corenet_udp_bind_generic_port(spamd_t)
 corenet_udp_bind_imaze_port(spamd_t)
-corenet_tcp_connect_razor_port(spamd_t)
 
 dev_read_sysfs(spamd_t)
 dev_read_urand(spamd_t)
@@ -114,6 +112,7 @@ miscfiles_read_localization(spamd_t)
 
 sysnet_read_config(spamd_t)
 sysnet_use_ldap(spamd_t)
+sysnet_dns_name_resolve(spamd_t)
 
 userdom_use_unpriv_users_fds(spamd_t)
 userdom_search_unpriv_users_home_dirs(spamd_t)

refpolicy/policy/modules/system/sysnetwork.te

@@ -1,5 +1,5 @@
 
-policy_module(sysnetwork,1.1.5)
+policy_module(sysnetwork,1.1.6)
 
 ########################################
 #
@@ -91,6 +91,7 @@ kernel_read_network_state(dhcpc_t)
 kernel_read_kernel_sysctls(dhcpc_t)
 kernel_use_fds(dhcpc_t)
 
+corenet_non_ipsec_sendrecv(dhcpc_t)
 corenet_tcp_sendrecv_all_if(dhcpc_t)
 corenet_raw_sendrecv_all_if(dhcpc_t)
 corenet_udp_sendrecv_all_if(dhcpc_t)
@@ -99,11 +100,11 @@ corenet_raw_sendrecv_all_nodes(dhcpc_t)
 corenet_udp_sendrecv_all_nodes(dhcpc_t)
 corenet_tcp_sendrecv_all_ports(dhcpc_t)
 corenet_udp_sendrecv_all_ports(dhcpc_t)
-corenet_non_ipsec_sendrecv(dhcpc_t)
 corenet_tcp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_dhcpc_port(dhcpc_t)
 corenet_tcp_connect_all_ports(dhcpc_t)
+corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
 
 dev_read_sysfs(dhcpc_t)
 # for SSP: