## Send generic client packets.
diff --git a/policy/modules/kernel/corenetwork.te.in b/policy/modules/kernel/corenetwork.te.in
index 610cd10f..31e961f5 100644
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -1,5 +1,5 @@
-policy_module(corenetwork,1.1.18)
+policy_module(corenetwork,1.1.19)
########################################
#
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 13da037e..14194f21 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -2203,6 +2203,128 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`
dontaudit $1 unlabeled_t:association { sendto recvfrom };
')
+########################################
+##
+## Receive TCP packets from a NetLabel connection.
+##
+##
+##
+## Receive TCP packets from a NetLabel connection, NetLabel is an
+## explicit packet labeling framework which implements CIPSO and
+## similar protocols.
+##
+##
+## The corenetwork interface
+## corenet_tcp_recv_netlabel() should
+## be used instead of this one.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_tcp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+##
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection.
+##
+##
+##
+## Do not audit attempts to receive TCP packets from a NetLabel
+## connection. NetLabel is an explicit packet labeling framework
+## which implements CIPSO and similar protocols.
+##
+##
+## The corenetwork interface
+## corenet_dontaudit_tcp_recv_netlabel() should
+## be used instead of this one.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:tcp_socket recvfrom;
+')
+
+########################################
+##
+## Receive UDP packets from a NetLabel connection.
+##
+##
+##
+## Receive UDP packets from a NetLabel connection, NetLabel is an
+## explicit packet labeling framework which implements CIPSO and
+## similar protocols.
+##
+##
+## The corenetwork interface
+## corenet_udp_recv_netlabel() should
+## be used instead of this one.
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`kernel_udp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ allow $1 unlabeled_t:udp_socket recvfrom;
+')
+
+########################################
+##
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection.
+##
+##
+##
+## Do not audit attempts to receive UDP packets from a NetLabel
+## connection. NetLabel is an explicit packet labeling framework
+## which implements CIPSO and similar protocols.
+##
+##
+## The corenetwork interface
+## corenet_dontaudit_udp_recv_netlabel() should
+## be used instead of this one.
+##
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`
+ gen_require(`
+ type unlabeled_t;
+ ')
+
+ dontaudit $1 unlabeled_t:udp_socket recvfrom;
+')
+
########################################
##
## Send and receive unlabeled packets.
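Review bot: The four new interfaces (kernel_tcp_recvfrom_unlabeled, kernel_dontaudit_tcp_recvfrom_unlabeled, kernel_udp_recvfrom_unlabeled and kernel_dontaudit_udp_recvfrom_unlabeled) each allow or silence `recvfrom` with `unlabeled_t` as the peer, yet their descriptions only speak of "a NetLabel connection", so a reader of the summary can take the rule for the opposite of what it grants; presumably `unlabeled_t` is the peer label the kernel assigns when the incoming traffic carries no recognised NetLabel/CIPSO label, in which case each description should say so, e.g. `## The peer is unlabeled_t, the label given to traffic that carries no NetLabel/CIPSO label, so callers accept packets from unlabeled sources.` The descriptions point callers to corenet_tcp_recv_netlabel() and corenet_udp_recv_netlabel(), but those definitions are not in this chunk (only the corenetwork.te.in version bump is), so confirm they exist in corenetwork.if.in before this is merged. The `# netlabel/CIPSO labeled networking` comment in the userdomain.if hunk would benefit from the same clarification, since it calls exactly these wrappers. Minor wording: "from a NetLabel connection, NetLabel is" in the two allow variants is a comma splice; the full stop used in the dontaudit variants reads better.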
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 6a79f9ab..b25eaac2 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -1,5 +1,5 @@
-policy_module(kernel,1.3.17)
+policy_module(kernel,1.3.18)
########################################
#
diff --git a/policy/modules/system/netlabel.fc b/policy/modules/system/netlabel.fc
new file mode 100644
index 00000000..b263a8af
--- /dev/null
+++ b/policy/modules/system/netlabel.fc
@@ -0,0 +1 @@
+/sbin/netlabelctl -- gen_context(system_u:object_r:netlabel_mgmt_exec_t,s0)
diff --git a/policy/modules/system/netlabel.if b/policy/modules/system/netlabel.if
new file mode 100644
index 00000000..2cb4b551
--- /dev/null
+++ b/policy/modules/system/netlabel.if
@@ -0,0 +1,55 @@
+## NetLabel/CIPSO labeled networking management
+
+########################################
+##
+## Execute netlabel_mgmt in the netlabel_mgmt domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`netlabel_domtrans_mgmt',`
+ gen_require(`
+ type netlabel_mgmt_t, netlabel_mgmt_exec_t;
+ ')
+
+ corecmd_search_sbin($1)
+ domain_auto_trans($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)
+ allow netlabel_mgmt_t $1:fd use;
+ allow netlabel_mgmt_t $1:fifo_file rw_file_perms;
+ allow netlabel_mgmt_t $1:process sigchld;
+')
+
+########################################
+##
+## Execute netlabel_mgmt in the netlabel_mgmt domain, and
+## allow the specified role the netlabel_mgmt domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+##
+## The role to be allowed the netlabel_mgmt domain.
+##
+##
+##
+##
+## The type of the terminal allow the netlabel_mgmt domain to use.
+##
+##
+##
+#
+interface(`netlabel_run_mgmt',`
+ gen_require(`
+ type netlabel_mgmt_t;
+ ')
+
+ netlabel_domtrans_mgmt($1)
+ role $2 types netlabel_mgmt_t;
+ allow netlabel_mgmt_t $3:chr_file rw_term_perms;
+')
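Review bot: netlabel_domtrans_mgmt sets up an automatic transition into netlabel_mgmt_t, which the netlabel.te part of this commit gives `self:capability net_admin`, so any domain passed as $1 effectively gains the ability to reconfigure NetLabel/CIPSO; the description should state that rather than only "Execute netlabel_mgmt in the netlabel_mgmt domain". I would add to its description `## The calling domain is transitioned into netlabel_mgmt_t, which holds net_admin to change NetLabel/CIPSO configuration; intended for administrative domains only.` The third parameter of netlabel_run_mgmt reads "The type of the terminal allow the netlabel_mgmt domain to use"; `## The type of the terminal the netlabel_mgmt domain is allowed to use.` is the intended wording.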
diff --git a/policy/modules/system/netlabel.te b/policy/modules/system/netlabel.te
new file mode 100644
index 00000000..464fb5ba
--- /dev/null
+++ b/policy/modules/system/netlabel.te
@@ -0,0 +1,28 @@
+
+policy_module(netlabel,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type netlabel_mgmt_t;
+type netlabel_mgmt_exec_t;
+domain_type(netlabel_mgmt_t)
+domain_entry_file(netlabel_mgmt_t,netlabel_mgmt_exec_t)
+
+########################################
+#
+# NetLabel Management Tools Local policy
+#
+
+# modify the network subsystem configuration
+allow netlabel_mgmt_t self:capability net_admin;
+allow netlabel_mgmt_t self:netlink_socket create_socket_perms;
+
+kernel_read_network_state(netlabel_mgmt_t)
+
+libs_use_ld_so(netlabel_mgmt_t)
+libs_use_shared_libs(netlabel_mgmt_t)
+
+seutil_use_newrole_fds(netlabel_mgmt_t)
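Review bot: The rule `allow netlabel_mgmt_t self:netlink_socket create_socket_perms;` carries no comment saying why the domain needs a netlink socket, while the capability rule directly above it does; I would comment it as `# netlabelctl configures the kernel NetLabel subsystem over netlink` (hedged: only the tool's path in netlabel.fc is visible here, not the protocol it speaks). Those two rules are the whole privilege of the domain and the module declares no role for netlabel_mgmt_t, so a line in the local-policy header such as `# administrative domain, entered only through netlabel_run_mgmt()` would help anyone auditing who can reach net_admin this way — if I read the file correctly, nothing else can enter it. Style: the file opens with an empty line before `policy_module(netlabel,1.0.0)`, whereas kernel.te and corenetwork.te.in in this same diff start with policy_module on line 1.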
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6497d33b..87137bcf 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -514,6 +514,12 @@ template(`userdom_basic_networking_template',`
corenet_udp_sendrecv_all_ports($1_t)
corenet_tcp_connect_all_ports($1_t)
corenet_sendrecv_all_client_packets($1_t)
+
+ ifdef(`enable_mls',`
+ # netlabel/CIPSO labeled networking
+ corenet_tcp_recv_netlabel($1_t)
+ corenet_udp_recv_netlabel($1_t)
+ ')
')
#######################################
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index b07abb67..1bbcaf15 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain,1.3.36)
+policy_module(userdomain,1.3.37)
gen_require(`
role sysadm_r, staff_r, user_r;
@@ -155,6 +155,7 @@ ifdef(`strict_policy',`
logging_read_generic_logs(secadm_t)
userdom_dontaudit_append_staff_home_content_files(secadm_t)
userdom_dontaudit_read_sysadm_home_content_files(secadm_t)
+ netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })
',`
logging_manage_audit_log(sysadm_t)
logging_manage_audit_config(sysadm_t)
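Review bot: The new call `netlabel_run_mgmt(secadm_t,secadm_r, { secadm_tty_device_t secadm_devpts_t })` mixes no-space and spaced argument separators in one line; the netlabel.if hunk in this commit writes multi-argument calls without spaces (`domain_auto_trans($1,netlabel_mgmt_exec_t,netlabel_mgmt_t)`), so `netlabel_run_mgmt(secadm_t,secadm_r,{ secadm_tty_device_t secadm_devpts_t })` would match. This grants secadm_t the transition into the net_admin-holding netlabel_mgmt_t, which fits the security-administrator role, but the grant sits inside the `ifdef(`strict_policy'` block that starts and ends outside the hunk, so whether any domain in the non-strict branch is meant to manage NetLabel is not decidable from here — worth stating in the commit description either way.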