trunk: Unified labeled networking policy from Paul Moore.

The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
2007-06-27 15:23:21 +00:00 · 2007-06-27 15:23:21 +00:00 · 1900668638
commit 1900668638
parent 2c3ac47d45
184 changed files with 943 additions and 424 deletions
--- a/2
+++ b/2
@ -1,3 +1,5 @@
+- Unified labeled networking policy from Paul Moore.
+- Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
 - Xen updates from Dan Walsh.
 - Filesystem updates from Dan Walsh.
 - Large samba update from Dan Walsh.
--- a/policy/mls
+++ b/policy/mls
@ -182,11 +182,12 @@ mlsconstrain { socket tcp_socket udp_socket rawip_socket netlink_socket packet_s
 	 (( t1 == mlsnetwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
 	 ( t1 == mlsnetwrite ));

-# used by netlabel to restrict normal domains to same level connections
+# used by netlabel to restrict normal domains to same level connections unless the connection is unlabeled
 mlsconstrain { tcp_socket udp_socket rawip_socket } recvfrom
 	(( l1 eq l2 ) or
 	 (( t1 == mlsnetreadtoclr ) and ( h1 dom l2 )) or
-	 ( t1 == mlsnetread ));
+	 ( t1 == mlsnetread ) or
+	 ( t2 == unlabeled_t ));

 # these access vectors have no MLS restrictions
 # { socket tcp_socket udp_socket rawip_socket netlink_socket packet_socket key_socket unix_stream_socket unix_dgram_socket netlink_route_socket netlink_firewall_socket netlink_tcpdiag_socket netlink_nflog_socket netlink_xfrm_socket netlink_selinux_socket netlink_audit_socket netlink_ip6fw_socket netlink_dnrt_socket } { ioctl create lock append bind sendto send_msg name_bind }
--- a/policy/modules/admin/amanda.te
+++ b/policy/modules/admin/amanda.te
@ -1,5 +1,5 @@

-policy_module(amanda,1.5.0)
+policy_module(amanda,1.5.1)

 #######################################
 #
@ -113,7 +113,8 @@ kernel_dontaudit_read_proc_symlinks(amanda_t)
 # Added for targeted policy
 term_use_unallocated_ttys(amanda_t)

-corenet_non_ipsec_sendrecv(amanda_t)
+corenet_all_recvfrom_unlabeled(amanda_t)
+corenet_all_recvfrom_netlabel(amanda_t)
 corenet_tcp_sendrecv_all_if(amanda_t)
 corenet_udp_sendrecv_all_if(amanda_t)
 corenet_raw_sendrecv_all_if(amanda_t)
@ -200,7 +201,8 @@ files_tmp_filetrans(amanda_recover_t,amanda_tmp_t,{ dir file lnk_file sock_file
 kernel_read_system_state(amanda_recover_t)
 kernel_read_kernel_sysctls(amanda_recover_t)

-corenet_non_ipsec_sendrecv(amanda_recover_t)
+corenet_all_recvfrom_unlabeled(amanda_recover_t)
+corenet_all_recvfrom_netlabel(amanda_recover_t)
 corenet_tcp_sendrecv_all_if(amanda_recover_t)
 corenet_udp_sendrecv_all_if(amanda_recover_t)
 corenet_tcp_sendrecv_all_nodes(amanda_recover_t)
--- a/policy/modules/admin/apt.te
+++ b/policy/modules/admin/apt.te
@ -1,5 +1,5 @@

-policy_module(apt,1.1.0)
+policy_module(apt,1.1.1)

 ########################################
 #
@ -72,7 +72,8 @@ kernel_read_kernel_sysctls(apt_t)
 corecmd_exec_bin(apt_t)
 corecmd_exec_shell(apt_t)

-corenet_non_ipsec_sendrecv(apt_t)
+corenet_all_recvfrom_unlabeled(apt_t)
+corenet_all_recvfrom_netlabel(apt_t)
 corenet_tcp_sendrecv_all_if(apt_t)
 corenet_udp_sendrecv_all_if(apt_t)
 corenet_tcp_sendrecv_all_nodes(apt_t)
--- a/policy/modules/admin/backup.te
+++ b/policy/modules/admin/backup.te
@ -1,5 +1,5 @@

-policy_module(backup,1.1.0)
+policy_module(backup,1.1.1)

 ########################################
 #
@ -36,7 +36,8 @@ kernel_read_kernel_sysctls(backup_t)

 corecmd_exec_bin(backup_t)

-corenet_non_ipsec_sendrecv(backup_t)
+corenet_all_recvfrom_unlabeled(backup_t)
+corenet_all_recvfrom_netlabel(backup_t)
 corenet_tcp_sendrecv_generic_if(backup_t)
 corenet_udp_sendrecv_generic_if(backup_t)
 corenet_raw_sendrecv_generic_if(backup_t)
--- a/policy/modules/admin/dpkg.te
+++ b/policy/modules/admin/dpkg.te
@ -1,5 +1,5 @@

-policy_module(dpkg,1.1.1)
+policy_module(dpkg,1.1.2)

 ########################################
 #
@ -90,7 +90,8 @@ kernel_read_kernel_sysctls(dpkg_t)
 corecmd_exec_all_executables(dpkg_t)

 # TODO: do we really need all networking?
-corenet_non_ipsec_sendrecv(dpkg_t)
+corenet_all_recvfrom_unlabeled(dpkg_t)
+corenet_all_recvfrom_netlabel(dpkg_t)
 corenet_tcp_sendrecv_all_if(dpkg_t)
 corenet_raw_sendrecv_all_if(dpkg_t)
 corenet_udp_sendrecv_all_if(dpkg_t)
--- a/policy/modules/admin/firstboot.te
+++ b/policy/modules/admin/firstboot.te
@ -1,5 +1,5 @@

-policy_module(firstboot,1.4.0)
+policy_module(firstboot,1.4.1)

 gen_require(`
 	class passwd rootok;
@ -41,7 +41,8 @@ unconfined_domain(firstboot_t)
 kernel_read_system_state(firstboot_t)
 kernel_read_kernel_sysctls(firstboot_t)

-corenet_non_ipsec_sendrecv(firstboot_t)
+corenet_all_recvfrom_unlabeled(firstboot_t)
+corenet_all_recvfrom_netlabel(firstboot_t)
 corenet_tcp_sendrecv_all_if(firstboot_t)
 corenet_tcp_sendrecv_all_nodes(firstboot_t)
 corenet_tcp_sendrecv_all_ports(firstboot_t)
--- a/policy/modules/admin/mrtg.te
+++ b/policy/modules/admin/mrtg.te
@ -1,5 +1,5 @@

-policy_module(mrtg,1.1.0)
+policy_module(mrtg,1.1.1)

 ########################################
 #
@ -63,7 +63,8 @@ kernel_read_kernel_sysctls(mrtg_t)
 corecmd_exec_bin(mrtg_t)
 corecmd_exec_shell(mrtg_t)

-corenet_non_ipsec_sendrecv(mrtg_t)
+corenet_all_recvfrom_unlabeled(mrtg_t)
+corenet_all_recvfrom_netlabel(mrtg_t)
 corenet_tcp_sendrecv_generic_if(mrtg_t)
 corenet_udp_sendrecv_generic_if(mrtg_t)
 corenet_tcp_sendrecv_all_nodes(mrtg_t)
--- a/policy/modules/admin/netutils.te
+++ b/policy/modules/admin/netutils.te
@ -1,5 +1,5 @@

-policy_module(netutils,1.4.1)
+policy_module(netutils,1.4.2)

 ########################################
 #
@ -53,7 +53,8 @@ files_tmp_filetrans(netutils_t, netutils_tmp_t, { file dir })

 kernel_search_proc(netutils_t)

-corenet_non_ipsec_sendrecv(netutils_t)
+corenet_all_recvfrom_unlabeled(netutils_t)
+corenet_all_recvfrom_netlabel(netutils_t)
 corenet_tcp_sendrecv_all_if(netutils_t)
 corenet_raw_sendrecv_all_if(netutils_t)
 corenet_udp_sendrecv_all_if(netutils_t)
@ -114,7 +115,8 @@ allow ping_t self:tcp_socket create_socket_perms;
 allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt };
 allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };

-corenet_non_ipsec_sendrecv(ping_t)
+corenet_all_recvfrom_unlabeled(ping_t)
+corenet_all_recvfrom_netlabel(ping_t)
 corenet_tcp_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_if(ping_t)
 corenet_raw_sendrecv_all_nodes(ping_t)
@ -184,7 +186,8 @@ allow traceroute_t self:udp_socket create_socket_perms;
 kernel_read_system_state(traceroute_t)
 kernel_read_network_state(traceroute_t)

-corenet_non_ipsec_sendrecv(traceroute_t)
+corenet_all_recvfrom_unlabeled(traceroute_t)
+corenet_all_recvfrom_netlabel(traceroute_t)
 corenet_tcp_sendrecv_all_if(traceroute_t)
 corenet_udp_sendrecv_all_if(traceroute_t)
 corenet_raw_sendrecv_all_if(traceroute_t)
--- a/policy/modules/admin/portage.if
+++ b/policy/modules/admin/portage.if
@ -152,7 +152,8 @@ interface(`portage_compile_domain',`
 	# really shouldnt need this but some packages test
 	# network access, such as during configure
 	# also distcc--need to reinvestigate confining distcc client
-	corenet_non_ipsec_sendrecv($1)
+	corenet_all_recvfrom_unlabeled($1)
+	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_udp_sendrecv_generic_if($1)
 	corenet_raw_sendrecv_generic_if($1)
@ -242,7 +243,8 @@ interface(`portage_fetch_domain',`

 	corecmd_exec_bin($1)

-	corenet_non_ipsec_sendrecv($1)
+	corenet_all_recvfrom_unlabeled($1)
+	corenet_all_recvfrom_netlabel($1)
 	corenet_tcp_sendrecv_generic_if($1)
 	corenet_tcp_sendrecv_all_nodes($1)
 	corenet_tcp_sendrecv_all_ports($1)
--- a/policy/modules/admin/portage.te
+++ b/policy/modules/admin/portage.te
@ -1,5 +1,5 @@

-policy_module(portage,1.2.0)
+policy_module(portage,1.2.1)

 ########################################
 #
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@ -1,5 +1,5 @@

-policy_module(rpm,1.6.1)
+policy_module(rpm,1.6.2)

 ########################################
 #
@ -91,7 +91,8 @@ kernel_read_kernel_sysctls(rpm_t)

 corecmd_exec_all_executables(rpm_t)

-corenet_non_ipsec_sendrecv(rpm_t)
+corenet_all_recvfrom_unlabeled(rpm_t)
+corenet_all_recvfrom_netlabel(rpm_t)
 corenet_tcp_sendrecv_all_if(rpm_t)
 corenet_raw_sendrecv_all_if(rpm_t)
 corenet_udp_sendrecv_all_if(rpm_t)
--- a/policy/modules/admin/sxid.te
+++ b/policy/modules/admin/sxid.te
@ -1,5 +1,5 @@

-policy_module(sxid,1.1.0)
+policy_module(sxid,1.1.1)

 ########################################
 #
@ -42,7 +42,8 @@ kernel_read_kernel_sysctls(sxid_t)
 corecmd_exec_bin(sxid_t)
 corecmd_exec_shell(sxid_t)

-corenet_non_ipsec_sendrecv(sxid_t)
+corenet_all_recvfrom_unlabeled(sxid_t)
+corenet_all_recvfrom_netlabel(sxid_t)
 corenet_tcp_sendrecv_generic_if(sxid_t)
 corenet_udp_sendrecv_generic_if(sxid_t)
 corenet_tcp_sendrecv_all_nodes(sxid_t)
--- a/policy/modules/admin/vpn.te
+++ b/policy/modules/admin/vpn.te
@ -1,5 +1,5 @@

-policy_module(vpn,1.4.0)
+policy_module(vpn,1.4.1)

 ########################################
 #
@ -48,7 +48,8 @@ kernel_read_network_state(vpnc_t)
 kernel_read_kernel_sysctls(vpnc_t)
 kernel_rw_net_sysctls(vpnc_t)

-corenet_non_ipsec_sendrecv(vpnc_t)
+corenet_all_recvfrom_unlabeled(vpnc_t)
+corenet_all_recvfrom_netlabel(vpnc_t)
 corenet_tcp_sendrecv_all_if(vpnc_t)
 corenet_udp_sendrecv_all_if(vpnc_t)
 corenet_raw_sendrecv_all_if(vpnc_t)
--- a/policy/modules/apps/calamaris.te
+++ b/policy/modules/apps/calamaris.te
@ -1,5 +1,5 @@

-policy_module(calamaris,1.1.0)
+policy_module(calamaris,1.1.1)

 ########################################
 #
@ -40,7 +40,8 @@ kernel_read_system_state(calamaris_t)

 corecmd_exec_bin(calamaris_t)

-corenet_non_ipsec_sendrecv(calamaris_t)
+corenet_all_recvfrom_unlabeled(calamaris_t)
+corenet_all_recvfrom_netlabel(calamaris_t)
 corenet_tcp_sendrecv_generic_if(calamaris_t)
 corenet_udp_sendrecv_generic_if(calamaris_t)
 corenet_tcp_sendrecv_all_nodes(calamaris_t)
--- a/policy/modules/apps/evolution.if
+++ b/policy/modules/apps/evolution.if
@ -188,7 +188,8 @@ template(`evolution_per_role_template',`
 	# Run various programs
 	corecmd_exec_bin($1_evolution_t)

-	corenet_non_ipsec_sendrecv($1_evolution_t)
+	corenet_all_recvfrom_unlabeled($1_evolution_t)
+	corenet_all_recvfrom_netlabel($1_evolution_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_t)
 	corenet_udp_sendrecv_generic_if($1_evolution_t)
 	corenet_raw_sendrecv_generic_if($1_evolution_t)
@ -681,7 +682,8 @@ template(`evolution_per_role_template',`
 	corecmd_exec_shell($1_evolution_server_t)

 	# Obtain weather data via http (read server name from xml file in /usr)
-	corenet_non_ipsec_sendrecv($1_evolution_server_t)
+	corenet_all_recvfrom_unlabeled($1_evolution_server_t)
+	corenet_all_recvfrom_netlabel($1_evolution_server_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_server_t)
 	corenet_tcp_sendrecv_all_nodes($1_evolution_server_t)
 	corenet_tcp_sendrecv_http_port($1_evolution_server_t)
@ -758,7 +760,8 @@ template(`evolution_per_role_template',`
 	# Transition from user type
 	domain_auto_trans($2, evolution_webcal_exec_t, $1_evolution_webcal_t)

-	corenet_non_ipsec_sendrecv($1_evolution_webcal_t)
+	corenet_all_recvfrom_unlabeled($1_evolution_webcal_t)
+	corenet_all_recvfrom_netlabel($1_evolution_webcal_t)
 	corenet_tcp_sendrecv_generic_if($1_evolution_webcal_t)
 	corenet_raw_sendrecv_generic_if($1_evolution_webcal_t)
 	corenet_tcp_sendrecv_all_nodes($1_evolution_webcal_t)
--- a/policy/modules/apps/evolution.te
+++ b/policy/modules/apps/evolution.te
@ -1,5 +1,5 @@

-policy_module(evolution,1.2.0)
+policy_module(evolution,1.2.1)

 ########################################
 #
--- a/policy/modules/apps/games.if
+++ b/policy/modules/apps/games.if
@ -92,7 +92,8 @@ template(`games_per_role_template',`

 	corecmd_exec_bin($1_games_t)

-	corenet_non_ipsec_sendrecv($1_games_t)
+	corenet_all_recvfrom_unlabeled($1_games_t)
+	corenet_all_recvfrom_netlabel($1_games_t)
 	corenet_tcp_sendrecv_generic_if($1_games_t)
 	corenet_udp_sendrecv_generic_if($1_games_t)
 	corenet_tcp_sendrecv_all_nodes($1_games_t)
--- a/policy/modules/apps/games.te
+++ b/policy/modules/apps/games.te
@ -1,5 +1,5 @@

-policy_module(games,1.2.0)
+policy_module(games,1.2.1)

 ########################################
 #
--- a/policy/modules/apps/gift.if
+++ b/policy/modules/apps/gift.if
@ -96,7 +96,8 @@ template(`gift_per_role_template',`
 	kernel_read_system_state($1_giftd_t)

 	# Connect to gift daemon
-	corenet_non_ipsec_sendrecv($1_gift_t)
+	corenet_all_recvfrom_unlabeled($1_gift_t)
+	corenet_all_recvfrom_netlabel($1_gift_t)
 	corenet_tcp_sendrecv_generic_if($1_gift_t)
 	corenet_tcp_sendrecv_all_nodes($1_gift_t)
 	corenet_tcp_sendrecv_giftd_port($1_gift_t)
@ -155,7 +156,8 @@ template(`gift_per_role_template',`
 	kernel_read_kernel_sysctls($1_giftd_t)

 	# Serve content on various p2p networks. Ports can be random.
-	corenet_non_ipsec_sendrecv($1_giftd_t)
+	corenet_all_recvfrom_unlabeled($1_giftd_t)
+	corenet_all_recvfrom_netlabel($1_giftd_t)
 	corenet_tcp_sendrecv_generic_if($1_giftd_t)
 	corenet_udp_sendrecv_generic_if($1_giftd_t)
 	corenet_tcp_sendrecv_all_nodes($1_giftd_t)
--- a/policy/modules/apps/gift.te
+++ b/policy/modules/apps/gift.te
@ -1,5 +1,5 @@

-policy_module(gift,1.0.0)
+policy_module(gift,1.0.1)

 ########################################
 #
--- a/policy/modules/apps/gpg.if
+++ b/policy/modules/apps/gpg.if
@ -98,7 +98,8 @@ template(`gpg_per_role_template',`
 	# allow ps to show gpg
 	ps_process_pattern($2,$1_gpg_t)

-	corenet_non_ipsec_sendrecv($1_gpg_t)
+	corenet_all_recvfrom_unlabeled($1_gpg_t)
+	corenet_all_recvfrom_netlabel($1_gpg_t)
 	corenet_tcp_sendrecv_all_if($1_gpg_t)
 	corenet_udp_sendrecv_all_if($1_gpg_t)
 	corenet_tcp_sendrecv_all_nodes($1_gpg_t)
@ -161,6 +162,8 @@ template(`gpg_per_role_template',`

 	dontaudit $1_gpg_helper_t $1_gpg_secret_t:file read;

+	corenet_all_recvfrom_unlabeled($1_gpg_helper_t)
+	corenet_all_recvfrom_netlabel($1_gpg_helper_t)
 	corenet_tcp_sendrecv_all_if($1_gpg_helper_t)
 	corenet_raw_sendrecv_all_if($1_gpg_helper_t)
 	corenet_udp_sendrecv_all_if($1_gpg_helper_t)
@ -169,7 +172,6 @@ template(`gpg_per_role_template',`
 	corenet_raw_sendrecv_all_nodes($1_gpg_helper_t)
 	corenet_tcp_sendrecv_all_ports($1_gpg_helper_t)
 	corenet_udp_sendrecv_all_ports($1_gpg_helper_t)
-	corenet_non_ipsec_sendrecv($1_gpg_helper_t)
 	corenet_tcp_bind_all_nodes($1_gpg_helper_t)
 	corenet_udp_bind_all_nodes($1_gpg_helper_t)
 	corenet_tcp_connect_all_ports($1_gpg_helper_t)
--- a/policy/modules/apps/gpg.te
+++ b/policy/modules/apps/gpg.te
@ -1,5 +1,5 @@

-policy_module(gpg, 1.2.0)
+policy_module(gpg, 1.2.1)

 ########################################
 #
--- a/policy/modules/apps/irc.if
+++ b/policy/modules/apps/irc.if
@ -90,7 +90,8 @@ template(`irc_per_role_template',`
 	
 	kernel_read_proc_symlinks($1_irc_t)

-	corenet_non_ipsec_sendrecv($1_irc_t)
+	corenet_all_recvfrom_unlabeled($1_irc_t)
+	corenet_all_recvfrom_netlabel($1_irc_t)
 	corenet_tcp_sendrecv_generic_if($1_irc_t)
 	corenet_udp_sendrecv_generic_if($1_irc_t)
 	corenet_tcp_sendrecv_all_nodes($1_irc_t)
--- a/policy/modules/apps/irc.te
+++ b/policy/modules/apps/irc.te
@ -1,5 +1,5 @@

-policy_module(irc,1.1.0)
+policy_module(irc,1.1.1)

 ########################################
 #
--- a/policy/modules/apps/java.if
+++ b/policy/modules/apps/java.if
@ -97,7 +97,8 @@ template(`java_per_role_template',`
 	# Search bin directory under javaplugin for javaplugin executable
 	corecmd_search_bin($1_javaplugin_t)

-	corenet_non_ipsec_sendrecv($1_javaplugin_t)
+	corenet_all_recvfrom_unlabeled($1_javaplugin_t)
+	corenet_all_recvfrom_netlabel($1_javaplugin_t)
 	corenet_tcp_sendrecv_generic_if($1_javaplugin_t)
 	corenet_udp_sendrecv_generic_if($1_javaplugin_t)
 	corenet_tcp_sendrecv_all_nodes($1_javaplugin_t)
--- a/policy/modules/apps/java.te
+++ b/policy/modules/apps/java.te
@ -1,5 +1,5 @@

-policy_module(java,1.4.0)
+policy_module(java,1.4.1)

 ########################################
 #
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@ -126,7 +126,8 @@ template(`mozilla_per_role_template',`
 	corecmd_exec_bin($1_mozilla_t)

 	# Browse the web, connect to printer
-	corenet_non_ipsec_sendrecv($1_mozilla_t)
+	corenet_all_recvfrom_unlabeled($1_mozilla_t)
+	corenet_all_recvfrom_netlabel($1_mozilla_t)
 	corenet_tcp_sendrecv_generic_if($1_mozilla_t)
 	corenet_raw_sendrecv_generic_if($1_mozilla_t)
 	corenet_tcp_sendrecv_all_nodes($1_mozilla_t)
--- a/policy/modules/apps/mozilla.te
+++ b/policy/modules/apps/mozilla.te
@ -1,5 +1,5 @@

-policy_module(mozilla,1.2.1)
+policy_module(mozilla,1.2.2)

 ########################################
 #
--- a/policy/modules/apps/screen.if
+++ b/policy/modules/apps/screen.if
@ -111,7 +111,8 @@ template(`screen_per_role_template',`
 	corecmd_shell_domtrans($1_screen_t,$2)
 	corecmd_bin_domtrans($1_screen_t,$2)

-	corenet_non_ipsec_sendrecv($1_screen_t)
+	corenet_all_recvfrom_unlabeled($1_screen_t)
+	corenet_all_recvfrom_netlabel($1_screen_t)
 	corenet_tcp_sendrecv_generic_if($1_screen_t)
 	corenet_udp_sendrecv_generic_if($1_screen_t)
 	corenet_tcp_sendrecv_all_nodes($1_screen_t)
--- a/policy/modules/apps/screen.te
+++ b/policy/modules/apps/screen.te
@ -1,5 +1,5 @@

-policy_module(screen,1.1.0)
+policy_module(screen,1.1.1)

 ########################################
 #
--- a/policy/modules/apps/thunderbird.if
+++ b/policy/modules/apps/thunderbird.if
@ -105,7 +105,8 @@ template(`thunderbird_per_role_template',`
 	# Startup shellscript
 	corecmd_exec_shell($1_thunderbird_t)

-	corenet_non_ipsec_sendrecv($1_thunderbird_t)
+	corenet_all_recvfrom_unlabeled($1_thunderbird_t)
+	corenet_all_recvfrom_netlabel($1_thunderbird_t)
 	corenet_tcp_sendrecv_generic_if($1_thunderbird_t)
 	corenet_tcp_sendrecv_all_nodes($1_thunderbird_t)
 	corenet_tcp_sendrecv_ipp_port($1_thunderbird_t)
--- a/policy/modules/apps/thunderbird.te
+++ b/policy/modules/apps/thunderbird.te
@ -1,5 +1,5 @@

-policy_module(thunderbird,1.2.0)
+policy_module(thunderbird,1.2.1)

 ########################################
 #
--- a/policy/modules/apps/uml.if
+++ b/policy/modules/apps/uml.if
@ -152,7 +152,8 @@ template(`uml_per_role_template',`
 	# for xterm
 	corecmd_exec_bin($1_uml_t)

-	corenet_non_ipsec_sendrecv($1_uml_t)
+	corenet_all_recvfrom_unlabeled($1_uml_t)
+	corenet_all_recvfrom_netlabel($1_uml_t)
 	corenet_tcp_sendrecv_generic_if($1_uml_t)
 	corenet_udp_sendrecv_generic_if($1_uml_t)
 	corenet_tcp_sendrecv_all_nodes($1_uml_t)
--- a/policy/modules/apps/uml.te
+++ b/policy/modules/apps/uml.te
@ -1,5 +1,5 @@

-policy_module(uml,1.2.0)
+policy_module(uml,1.2.1)

 ########################################
 #
--- a/policy/modules/apps/vmware.te
+++ b/policy/modules/apps/vmware.te
@ -1,5 +1,5 @@

-policy_module(vmware,1.1.0)
+policy_module(vmware,1.1.1)

 ########################################
 #
@ -45,7 +45,8 @@ kernel_read_kernel_sysctls(vmware_host_t)
 kernel_list_proc(vmware_host_t)
 kernel_read_proc_symlinks(vmware_host_t)

-corenet_non_ipsec_sendrecv(vmware_host_t)
+corenet_all_recvfrom_unlabeled(vmware_host_t)
+corenet_all_recvfrom_netlabel(vmware_host_t)
 corenet_tcp_sendrecv_generic_if(vmware_host_t)
 corenet_udp_sendrecv_generic_if(vmware_host_t)
 corenet_raw_sendrecv_generic_if(vmware_host_t)
--- a/policy/modules/apps/webalizer.te
+++ b/policy/modules/apps/webalizer.te
@ -1,5 +1,5 @@

-policy_module(webalizer,1.4.0)
+policy_module(webalizer,1.4.1)

 ########################################
 #
@ -61,7 +61,8 @@ files_var_lib_filetrans(webalizer_t,webalizer_var_lib_t,file)
 kernel_read_kernel_sysctls(webalizer_t)
 kernel_read_system_state(webalizer_t)

-corenet_non_ipsec_sendrecv(webalizer_t)
+corenet_all_recvfrom_unlabeled(webalizer_t)
+corenet_all_recvfrom_netlabel(webalizer_t)
 corenet_tcp_sendrecv_all_if(webalizer_t)
 corenet_tcp_sendrecv_all_nodes(webalizer_t)
 corenet_tcp_sendrecv_all_ports(webalizer_t)
--- a/policy/modules/apps/yam.te
+++ b/policy/modules/apps/yam.te
@ -1,5 +1,5 @@

-policy_module(yam,1.0.0)
+policy_module(yam,1.0.1)

 ########################################
 #
@ -60,7 +60,8 @@ corecmd_exec_bin(yam_t)

 # Rsync and lftp need to network.  They also set files attributes to
 # match whats on the remote server.
-corenet_non_ipsec_sendrecv(yam_t)
+corenet_all_recvfrom_unlabeled(yam_t)
+corenet_all_recvfrom_netlabel(yam_t)
 corenet_tcp_sendrecv_generic_if(yam_t)
 corenet_tcp_sendrecv_all_nodes(yam_t)
 corenet_tcp_sendrecv_all_ports(yam_t)
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@ -1565,6 +1565,17 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 ##	non-encrypted (no IPSEC) network
 ##	session.
 ## </summary>
+## <desc>
+##	<p>
+##	Send and receive messages on a
+##	non-encrypted (no IPSEC) network
+##	session.  (Deprecated)
+##	</p>
+##	<p>
+##	The corenet_all_recvfrom_unlabeled() interface should be used instead
+##	of this one.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
@ -1572,7 +1583,8 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 ## </param>
 #
 interface(`corenet_non_ipsec_sendrecv',`
-	kernel_sendrecv_unlabeled_association($1)
+	refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
+	corenet_all_recvfrom_unlabeled($1)
 ')

 ########################################
@ -1581,6 +1593,17 @@ interface(`corenet_non_ipsec_sendrecv',`
 ##	messages on a non-encrypted (no IPSEC) network
 ##	session.
 ## </summary>
+## <desc>
+##	<p>
+##	Do not audit attempts to send and receive
+##	messages on a non-encrypted (no IPSEC) network
+##	session.
+##	</p>
+##	<p>
+##	The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
+##	used instead of this one.
+##	</p>
+## </desc>
 ## <param name="domain">
 ##	<summary>
 ##	Domain to not audit.
@ -1588,7 +1611,8 @@ interface(`corenet_non_ipsec_sendrecv',`
 ## </param>
 #
 interface(`corenet_dontaudit_non_ipsec_sendrecv',`
-	kernel_dontaudit_sendrecv_unlabeled_association($1)
+	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
+	corenet_dontaudit_all_recvfrom_unlabeled($1)
 ')

 ########################################
@ -1602,7 +1626,45 @@ interface(`corenet_dontaudit_non_ipsec_sendrecv',`
 ## </param>
 #
 interface(`corenet_tcp_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
+	corenet_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Receive TCP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive TCP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_tcp_recvfrom_unlabeled',`
 	kernel_tcp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
 ')

 ########################################
@ -1617,7 +1679,47 @@ interface(`corenet_tcp_recv_netlabel',`
 ## </param>
 #
 interface(`corenet_dontaudit_tcp_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
+	corenet_dontaudit_tcp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:tcp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive TCP packets from an unlabeled
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
 	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')

 ########################################
@ -1631,7 +1733,45 @@ interface(`corenet_dontaudit_tcp_recv_netlabel',`
 ## </param>
 #
 interface(`corenet_udp_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
+	corenet_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive UDP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_udp_recvfrom_unlabeled',`
 	kernel_udp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
 ')

 ########################################
@ -1646,7 +1786,47 @@ interface(`corenet_udp_recv_netlabel',`
 ## </param>
 #
 interface(`corenet_dontaudit_udp_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
+	corenet_dontaudit_udp_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:udp_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive UDP packets from an unlabeled
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
 	kernel_dontaudit_udp_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
 ')

 ########################################
@ -1660,7 +1840,45 @@ interface(`corenet_dontaudit_udp_recv_netlabel',`
 ## </param>
 #
 interface(`corenet_raw_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
+	corenet_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Receive Raw IP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Receive Raw IP packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_raw_recvfrom_unlabeled',`
 	kernel_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
 ')

 ########################################
@ -1675,7 +1893,126 @@ interface(`corenet_raw_recv_netlabel',`
 ## </param>
 #
 interface(`corenet_dontaudit_raw_recv_netlabel',`
+	refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
+	corenet_dontaudit_raw_recvfrom_netlabel($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive Raw IP packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive Raw IP packets from an unlabeled
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_raw_recvfrom_unlabeled',`
 	kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##      Receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_unlabeled',`
+	kernel_tcp_recvfrom_unlabeled($1)
+	kernel_udp_recvfrom_unlabeled($1)
+	kernel_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##      Receive packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_all_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	allow $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive packets from an unlabeled connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
+	kernel_dontaudit_tcp_recvfrom_unlabeled($1)
+	kernel_dontaudit_udp_recvfrom_unlabeled($1)
+	kernel_dontaudit_raw_recvfrom_unlabeled($1)
+
+	# XXX - at some point the oubound/send access check will be removed
+	# but for right now we need to keep this in place so as not to break
+	# older systems
+	kernel_dontaudit_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to receive packets from a NetLabel
+##      connection.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`corenet_dontaudit_all_recvfrom_netlabel',`
+	gen_require(`
+		type netlabel_peer_t;
+	')
+
+	dontaudit $1 netlabel_peer_t:{ tcp_socket udp_socket rawip_socket } recvfrom;
 ')

 ########################################
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@ -1,5 +1,5 @@

-policy_module(corenetwork,1.2.9)
+policy_module(corenetwork,1.2.10)

 ########################################
 #
@ -36,6 +36,13 @@ dev_node(tun_tap_device_t)
 #
 type client_packet_t, packet_type, client_packet_type;

+#
+# The netlabel_peer_t is used by the kernel's NetLabel subsystem for network
+# connections using NetLabel which do not carry full SELinux contexts.
+#
+type netlabel_peer_t;
+sid netmsg gen_context(system_u:object_r:netlabel_peer_t,mls_systemhigh)
+
 #
 # port_t is the default type of INET port numbers.
 #
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@ -2198,17 +2198,14 @@ interface(`kernel_dontaudit_sendrecv_unlabeled_association',`

 ########################################
 ## <summary>
-##      Receive TCP packets from a NetLabel connection.
+##      Receive TCP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Receive TCP packets from a NetLabel connection, NetLabel is an
-##      explicit packet labeling framework which implements CIPSO and
-##      similar protocols.
+##      Receive TCP packets from an unlabeled connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_tcp_recv_netlabel() should
+##	The corenetwork interface corenet_tcp_recv_unlabeled() should
 ##	be used instead of this one.
 ##	</p>
 ## </desc>
@ -2228,19 +2225,17 @@ interface(`kernel_tcp_recvfrom_unlabeled',`

 ########################################
 ## <summary>
-##      Do not audit attempts to receive TCP packets from a NetLabel
-##      connection.
+##      Do not audit attempts to receive TCP packets from an unlabeled
+##	connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Do not audit attempts to receive TCP packets from a NetLabel
-##      connection.  NetLabel is an explicit packet labeling framework
-##      which implements CIPSO and similar protocols.
+##      Do not audit attempts to receive TCP packets from an unlabeled
+##	connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_dontaudit_tcp_recv_netlabel() should
-##	be used instead of this one.
+##	The corenetwork interface corenet_dontaudit_tcp_recv_unlabeled()
+##	should be used instead of this one.
 ##	</p>
 ## </desc>
 ## <param name="domain">
@ -2259,17 +2254,14 @@ interface(`kernel_dontaudit_tcp_recvfrom_unlabeled',`

 ########################################
 ## <summary>
-##      Receive UDP packets from a NetLabel connection.
+##      Receive UDP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Receive UDP packets from a NetLabel connection, NetLabel is an
-##      explicit packet labeling framework which implements CIPSO and
-##      similar protocols.
+##      Receive UDP packets from an unlabeled connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_udp_recv_netlabel() should
+##	The corenetwork interface corenet_udp_recv_unlabeled() should
 ##	be used instead of this one.
 ##	</p>
 ## </desc>
@ -2289,19 +2281,17 @@ interface(`kernel_udp_recvfrom_unlabeled',`

 ########################################
 ## <summary>
-##      Do not audit attempts to receive UDP packets from a NetLabel
-##      connection.
+##      Do not audit attempts to receive UDP packets from an unlabeled
+##	connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Do not audit attempts to receive UDP packets from a NetLabel
-##      connection.  NetLabel is an explicit packet labeling framework
-##      which implements CIPSO and similar protocols.
+##      Do not audit attempts to receive UDP packets from an unlabeled
+##	connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_dontaudit_udp_recv_netlabel() should
-##	be used instead of this one.
+##	The corenetwork interface corenet_dontaudit_udp_recv_unlabeled()
+##	should be used instead of this one.
 ##	</p>
 ## </desc>
 ## <param name="domain">
@ -2320,17 +2310,14 @@ interface(`kernel_dontaudit_udp_recvfrom_unlabeled',`

 ########################################
 ## <summary>
-##      Receive Raw IP packets from a NetLabel connection.
+##      Receive Raw IP packets from an unlabeled connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Receive Raw IP packets from a NetLabel connection, NetLabel is an
-##      explicit packet labeling framework which implements CIPSO and
-##      similar protocols.
+##      Receive Raw IP packets from an unlabeled connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_raw_recv_netlabel() should
+##	The corenetwork interface corenet_raw_recv_unlabeled() should
 ##	be used instead of this one.
 ##	</p>
 ## </desc>
@ -2350,19 +2337,17 @@ interface(`kernel_raw_recvfrom_unlabeled',`

 ########################################
 ## <summary>
-##      Do not audit attempts to receive Raw IP packets from a NetLabel
-##      connection.
+##      Do not audit attempts to receive Raw IP packets from an unlabeled
+##	connection.
 ## </summary>
 ## <desc>
 ##	<p>
-##      Do not audit attempts to receive Raw IP packets from a NetLabel
-##      connection.  NetLabel is an explicit packet labeling framework
-##      which implements CIPSO and similar protocols.
+##      Do not audit attempts to receive Raw IP packets from an unlabeled
+##	connection.
 ##      </p>
 ##	<p>
-##	The corenetwork interface
-##	corenet_dontaudit_raw_recv_netlabel() should
-##	be used instead of this one.
+##	The corenetwork interface corenet_dontaudit_raw_recv_unlabeled()
+##	should be used instead of this one.
 ##	</p>
 ## </desc>
 ## <param name="domain">
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@ -1,5 +1,5 @@

-policy_module(kernel,1.6.1)
+policy_module(kernel,1.6.2)

 ########################################
 #
@ -153,7 +153,6 @@ sid icmp_socket		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid igmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid init		gen_context(system_u:object_r:unlabeled_t,s0)
 sid kmod		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
-sid netmsg		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid policy		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid scmp_packet		gen_context(system_u:object_r:unlabeled_t,mls_systemhigh)
 sid sysctl_modprobe 	gen_context(system_u:object_r:unlabeled_t,s0)
@ -206,7 +205,8 @@ allow kernel_t unlabeled_t:dir mounton;
 # connections with invalidated labels:
 allow kernel_t unlabeled_t:packet send;

-corenet_non_ipsec_sendrecv(kernel_t)
+corenet_all_recvfrom_unlabeled(kernel_t)
+corenet_all_recvfrom_netlabel(kernel_t)
 # Kernel-generated traffic e.g., ICMP replies:
 corenet_raw_sendrecv_all_if(kernel_t)
 corenet_raw_sendrecv_all_nodes(kernel_t)
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@ -1,5 +1,5 @@

-policy_module(afs,1.1.0)
+policy_module(afs,1.1.1)

 ########################################
 #
@ -89,7 +89,8 @@ domtrans_pattern(afs_bosserver_t, afs_vlserver_exec_t, afs_vlserver_t)

 kernel_read_kernel_sysctls(afs_bosserver_t)

-corenet_non_ipsec_sendrecv(afs_bosserver_t)
+corenet_all_recvfrom_unlabeled(afs_bosserver_t)
+corenet_all_recvfrom_netlabel(afs_bosserver_t)
 corenet_tcp_sendrecv_generic_if(afs_bosserver_t)
 corenet_udp_sendrecv_generic_if(afs_bosserver_t)
 corenet_tcp_sendrecv_all_nodes(afs_bosserver_t)
@ -153,7 +154,8 @@ corenet_tcp_sendrecv_all_nodes(afs_fsserver_t)
 corenet_udp_sendrecv_all_nodes(afs_fsserver_t)
 corenet_tcp_sendrecv_all_ports(afs_fsserver_t)
 corenet_udp_sendrecv_all_ports(afs_fsserver_t)
-corenet_non_ipsec_sendrecv(afs_fsserver_t)
+corenet_all_recvfrom_unlabeled(afs_fsserver_t)
+corenet_all_recvfrom_netlabel(afs_fsserver_t)
 corenet_tcp_bind_all_nodes(afs_fsserver_t)
 corenet_udp_bind_all_nodes(afs_fsserver_t)
 corenet_tcp_bind_afs_fs_port(afs_fsserver_t)
@ -206,7 +208,8 @@ manage_files_pattern(afs_kaserver_t,afs_logfile_t,afs_logfile_t)

 kernel_read_kernel_sysctls(afs_kaserver_t)

-corenet_non_ipsec_sendrecv(afs_kaserver_t)
+corenet_all_recvfrom_unlabeled(afs_kaserver_t)
+corenet_all_recvfrom_netlabel(afs_kaserver_t)
 corenet_tcp_sendrecv_generic_if(afs_kaserver_t)
 corenet_udp_sendrecv_generic_if(afs_kaserver_t)
 corenet_tcp_sendrecv_all_nodes(afs_kaserver_t)
@ -253,7 +256,8 @@ manage_files_pattern(afs_ptserver_t,afs_logfile_t,afs_logfile_t)
 manage_files_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t)
 filetrans_pattern(afs_ptserver_t,afs_dbdir_t,afs_pt_db_t,file)

-corenet_non_ipsec_sendrecv(afs_ptserver_t)
+corenet_all_recvfrom_unlabeled(afs_ptserver_t)
+corenet_all_recvfrom_netlabel(afs_ptserver_t)
 corenet_tcp_sendrecv_generic_if(afs_ptserver_t)
 corenet_udp_sendrecv_generic_if(afs_ptserver_t)
 corenet_tcp_sendrecv_all_nodes(afs_ptserver_t)
@ -294,7 +298,8 @@ manage_files_pattern(afs_vlserver_t,afs_logfile_t,afs_logfile_t)
 manage_files_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t)
 filetrans_pattern(afs_vlserver_t,afs_dbdir_t,afs_vl_db_t,file)

-corenet_non_ipsec_sendrecv(afs_vlserver_t)
+corenet_all_recvfrom_unlabeled(afs_vlserver_t)
+corenet_all_recvfrom_netlabel(afs_vlserver_t)
 corenet_tcp_sendrecv_generic_if(afs_vlserver_t)
 corenet_udp_sendrecv_generic_if(afs_vlserver_t)
 corenet_tcp_sendrecv_all_nodes(afs_vlserver_t)
--- a/policy/modules/services/amavis.te
+++ b/policy/modules/services/amavis.te
@ -1,5 +1,5 @@

-policy_module(amavis,1.2.2)
+policy_module(amavis,1.2.3)

 ########################################
 #
@ -100,7 +100,8 @@ kernel_dontaudit_read_system_state(amavis_t)
 # find perl
 corecmd_exec_bin(amavis_t)

-corenet_non_ipsec_sendrecv(amavis_t)
+corenet_all_recvfrom_unlabeled(amavis_t)
+corenet_all_recvfrom_netlabel(amavis_t)
 corenet_tcp_sendrecv_all_if(amavis_t)
 corenet_tcp_sendrecv_all_nodes(amavis_t)
 corenet_tcp_bind_all_nodes(amavis_t)
--- a/policy/modules/services/apache.if
+++ b/policy/modules/services/apache.if
@ -181,7 +181,8 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;

-		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
@ -200,7 +201,8 @@ template(`apache_content_template',`
 		allow httpd_$1_script_t self:tcp_socket create_stream_socket_perms;
 		allow httpd_$1_script_t self:udp_socket create_socket_perms;

-		corenet_non_ipsec_sendrecv(httpd_$1_script_t)
+		corenet_all_recvfrom_unlabeled(httpd_$1_script_t)
+		corenet_all_recvfrom_netlabel(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_udp_sendrecv_all_if(httpd_$1_script_t)
 		corenet_tcp_sendrecv_all_nodes(httpd_$1_script_t)
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@ -1,5 +1,5 @@

-policy_module(apache,1.6.0)
+policy_module(apache,1.6.1)

 #
 # NOTES: 
@ -298,7 +298,8 @@ kernel_read_kernel_sysctls(httpd_t)
 # for modules that want to access /proc/meminfo
 kernel_read_system_state(httpd_t)

-corenet_non_ipsec_sendrecv(httpd_t)
+corenet_all_recvfrom_unlabeled(httpd_t)
+corenet_all_recvfrom_netlabel(httpd_t)
 corenet_tcp_sendrecv_all_if(httpd_t)
 corenet_udp_sendrecv_all_if(httpd_t)
 corenet_tcp_sendrecv_all_nodes(httpd_t)
@ -641,7 +642,8 @@ tunable_policy(`httpd_can_network_connect',`
 	allow httpd_suexec_t self:tcp_socket create_stream_socket_perms;
 	allow httpd_suexec_t self:udp_socket create_socket_perms;

-	corenet_non_ipsec_sendrecv(httpd_suexec_t)
+	corenet_all_recvfrom_unlabeled(httpd_suexec_t)
+	corenet_all_recvfrom_netlabel(httpd_suexec_t)
 	corenet_tcp_sendrecv_all_if(httpd_suexec_t)
 	corenet_udp_sendrecv_all_if(httpd_suexec_t)
 	corenet_tcp_sendrecv_all_nodes(httpd_suexec_t)
--- a/policy/modules/services/apcupsd.te
+++ b/policy/modules/services/apcupsd.te
@ -1,5 +1,5 @@

-policy_module(apcupsd,1.0.1)
+policy_module(apcupsd,1.0.2)

 ########################################
 #
@ -39,7 +39,8 @@ logging_log_filetrans(apcupsd_t,apcupsd_log_t,{ file dir })
 manage_files_pattern(apcupsd_t,apcupsd_var_run_t,apcupsd_var_run_t)
 files_pid_filetrans(apcupsd_t,apcupsd_var_run_t, file)

-corenet_non_ipsec_sendrecv(apcupsd_t)
+corenet_all_recvfrom_unlabeled(apcupsd_t)
+corenet_all_recvfrom_netlabel(apcupsd_t)
 corenet_tcp_sendrecv_generic_if(apcupsd_t)
 corenet_tcp_sendrecv_all_nodes(apcupsd_t)
 corenet_tcp_sendrecv_all_ports(apcupsd_t)
--- a/policy/modules/services/arpwatch.te
+++ b/policy/modules/services/arpwatch.te
@ -1,5 +1,5 @@

-policy_module(arpwatch,1.3.1)
+policy_module(arpwatch,1.3.2)

 ########################################
 #
@ -47,7 +47,8 @@ kernel_read_kernel_sysctls(arpwatch_t)
 kernel_list_proc(arpwatch_t)
 kernel_read_proc_symlinks(arpwatch_t)

-corenet_non_ipsec_sendrecv(arpwatch_t)
+corenet_all_recvfrom_unlabeled(arpwatch_t)
+corenet_all_recvfrom_netlabel(arpwatch_t)
 corenet_tcp_sendrecv_all_if(arpwatch_t)
 corenet_udp_sendrecv_all_if(arpwatch_t)
 corenet_raw_sendrecv_all_if(arpwatch_t)
--- a/policy/modules/services/asterisk.te
+++ b/policy/modules/services/asterisk.te
@ -1,5 +1,5 @@

-policy_module(asterisk,1.2.0)
+policy_module(asterisk,1.2.1)

 ########################################
 #
@ -82,7 +82,8 @@ kernel_read_kernel_sysctls(asterisk_t)
 corecmd_exec_bin(asterisk_t)
 corecmd_search_bin(asterisk_t)

-corenet_non_ipsec_sendrecv(asterisk_t)
+corenet_all_recvfrom_unlabeled(asterisk_t)
+corenet_all_recvfrom_netlabel(asterisk_t)
 corenet_tcp_sendrecv_generic_if(asterisk_t)
 corenet_udp_sendrecv_generic_if(asterisk_t)
 corenet_tcp_sendrecv_all_nodes(asterisk_t)
--- a/policy/modules/services/automount.te
+++ b/policy/modules/services/automount.te
@ -1,5 +1,5 @@

-policy_module(automount,1.5.0)
+policy_module(automount,1.5.1)

 ########################################
 #
@ -76,7 +76,8 @@ fs_unmount_all_fs(automount_t)
 corecmd_exec_bin(automount_t)
 corecmd_exec_shell(automount_t)

-corenet_non_ipsec_sendrecv(automount_t)
+corenet_all_recvfrom_unlabeled(automount_t)
+corenet_all_recvfrom_netlabel(automount_t)
 corenet_tcp_sendrecv_generic_if(automount_t)
 corenet_udp_sendrecv_generic_if(automount_t)
 corenet_tcp_sendrecv_all_nodes(automount_t)
--- a/policy/modules/services/avahi.te
+++ b/policy/modules/services/avahi.te
@ -1,5 +1,5 @@

-policy_module(avahi,1.5.3)
+policy_module(avahi,1.5.4)

 ########################################
 #
@ -37,7 +37,8 @@ kernel_list_proc(avahi_t)
 kernel_read_proc_symlinks(avahi_t)
 kernel_read_network_state(avahi_t)

-corenet_non_ipsec_sendrecv(avahi_t)
+corenet_all_recvfrom_unlabeled(avahi_t)
+corenet_all_recvfrom_netlabel(avahi_t)
 corenet_tcp_sendrecv_all_if(avahi_t)
 corenet_udp_sendrecv_all_if(avahi_t)
 corenet_tcp_sendrecv_all_nodes(avahi_t)
--- a/policy/modules/services/bind.te
+++ b/policy/modules/services/bind.te
@ -1,5 +1,5 @@

-policy_module(bind,1.4.0)
+policy_module(bind,1.4.1)

 ########################################
 #
@ -101,7 +101,8 @@ kernel_read_kernel_sysctls(named_t)
 kernel_read_system_state(named_t)
 kernel_read_network_state(named_t)

-corenet_non_ipsec_sendrecv(named_t)
+corenet_all_recvfrom_unlabeled(named_t)
+corenet_all_recvfrom_netlabel(named_t)
 corenet_tcp_sendrecv_all_if(named_t)
 corenet_udp_sendrecv_all_if(named_t)
 corenet_tcp_sendrecv_all_nodes(named_t)
@ -231,7 +232,8 @@ allow ndc_t named_zone_t:dir search;

 kernel_read_kernel_sysctls(ndc_t)

-corenet_non_ipsec_sendrecv(ndc_t)
+corenet_all_recvfrom_unlabeled(ndc_t)
+corenet_all_recvfrom_netlabel(ndc_t)
 corenet_tcp_sendrecv_all_if(ndc_t)
 corenet_tcp_sendrecv_all_nodes(ndc_t)
 corenet_tcp_sendrecv_all_ports(ndc_t)
--- a/policy/modules/services/bluetooth.te
+++ b/policy/modules/services/bluetooth.te
@ -1,5 +1,5 @@

-policy_module(bluetooth,1.5.1)
+policy_module(bluetooth,1.5.2)

 ########################################
 #
@ -81,7 +81,8 @@ files_pid_filetrans(bluetooth_t, bluetooth_var_run_t, { file sock_file })
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)

-corenet_non_ipsec_sendrecv(bluetooth_t)
+corenet_all_recvfrom_unlabeled(bluetooth_t)
+corenet_all_recvfrom_netlabel(bluetooth_t)
 corenet_tcp_sendrecv_all_if(bluetooth_t)
 corenet_udp_sendrecv_all_if(bluetooth_t)
 corenet_raw_sendrecv_all_if(bluetooth_t)
--- a/policy/modules/services/canna.te
+++ b/policy/modules/services/canna.te
@ -1,5 +1,5 @@

-policy_module(canna,1.4.0)
+policy_module(canna,1.4.1)

 ########################################
 #
@ -47,7 +47,8 @@ files_pid_filetrans(canna_t, canna_var_run_t, { file sock_file })
 kernel_read_kernel_sysctls(canna_t)
 kernel_read_system_state(canna_t)

-corenet_non_ipsec_sendrecv(canna_t)
+corenet_all_recvfrom_unlabeled(canna_t)
+corenet_all_recvfrom_netlabel(canna_t)
 corenet_tcp_sendrecv_all_if(canna_t)
 corenet_tcp_sendrecv_all_nodes(canna_t)
 corenet_tcp_sendrecv_all_ports(canna_t)
--- a/policy/modules/services/ccs.te
+++ b/policy/modules/services/ccs.te
@ -1,5 +1,5 @@

-policy_module(ccs,1.1.0)
+policy_module(ccs,1.1.1)

 ########################################
 #
@ -77,7 +77,8 @@ kernel_read_kernel_sysctls(ccs_t)
 corecmd_list_bin(ccs_t)
 corecmd_exec_bin(ccs_t)

-corenet_non_ipsec_sendrecv(ccs_t)
+corenet_all_recvfrom_unlabeled(ccs_t)
+corenet_all_recvfrom_netlabel(ccs_t)
 corenet_tcp_sendrecv_all_if(ccs_t)
 corenet_udp_sendrecv_all_if(ccs_t)
 corenet_tcp_sendrecv_all_nodes(ccs_t)
--- a/policy/modules/services/cipe.te
+++ b/policy/modules/services/cipe.te
@ -1,5 +1,5 @@

-policy_module(cipe,1.2.0)
+policy_module(cipe,1.2.1)

 ########################################
 #
@ -29,7 +29,8 @@ kernel_read_system_state(ciped_t)
 corecmd_exec_shell(ciped_t)
 corecmd_exec_bin(ciped_t)

-corenet_non_ipsec_sendrecv(ciped_t)
+corenet_all_recvfrom_unlabeled(ciped_t)
+corenet_all_recvfrom_netlabel(ciped_t)
 corenet_udp_sendrecv_generic_if(ciped_t)
 corenet_udp_sendrecv_all_nodes(ciped_t)
 corenet_udp_sendrecv_all_ports(ciped_t)
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@ -1,5 +1,5 @@

-policy_module(clamav,1.3.1)
+policy_module(clamav,1.3.2)

 ########################################
 #
@ -86,7 +86,8 @@ files_pid_filetrans(clamd_t,clamd_var_run_t,file)
 kernel_dontaudit_list_proc(clamd_t)
 kernel_read_sysctl(clamd_t)

-corenet_non_ipsec_sendrecv(clamd_t)
+corenet_all_recvfrom_unlabeled(clamd_t)
+corenet_all_recvfrom_netlabel(clamd_t)
 corenet_tcp_sendrecv_all_if(clamd_t)
 corenet_tcp_sendrecv_all_nodes(clamd_t)
 corenet_tcp_sendrecv_all_ports(clamd_t)
@ -160,7 +161,8 @@ allow freshclam_t freshclam_var_log_t:dir setattr;
 allow freshclam_t clamd_var_log_t:dir search_dir_perms;
 logging_log_filetrans(freshclam_t,freshclam_var_log_t,file)

-corenet_non_ipsec_sendrecv(freshclam_t)
+corenet_all_recvfrom_unlabeled(freshclam_t)
+corenet_all_recvfrom_netlabel(freshclam_t)
 corenet_tcp_sendrecv_all_if(freshclam_t)
 corenet_tcp_sendrecv_all_nodes(freshclam_t)
 corenet_tcp_sendrecv_all_ports(freshclam_t)
--- a/policy/modules/services/clockspeed.te
+++ b/policy/modules/services/clockspeed.te
@ -1,5 +1,5 @@

-policy_module(clockspeed,1.1.0)
+policy_module(clockspeed,1.1.1)

 ########################################
 #
@ -28,7 +28,8 @@ allow clockspeed_cli_t self:udp_socket create_socket_perms;

 read_files_pattern(clockspeed_cli_t,clockspeed_var_lib_t,clockspeed_var_lib_t)

-corenet_non_ipsec_sendrecv(clockspeed_cli_t)
+corenet_all_recvfrom_unlabeled(clockspeed_cli_t)
+corenet_all_recvfrom_netlabel(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_if(clockspeed_cli_t)
 corenet_udp_sendrecv_generic_node(clockspeed_cli_t)
 corenet_udp_sendrecv_ntp_port(clockspeed_cli_t)
@ -55,7 +56,8 @@ allow clockspeed_srv_t self:unix_stream_socket create_socket_perms;
 manage_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)
 manage_fifo_files_pattern(clockspeed_srv_t,clockspeed_var_lib_t,clockspeed_var_lib_t)

-corenet_non_ipsec_sendrecv(clockspeed_srv_t)
+corenet_all_recvfrom_unlabeled(clockspeed_srv_t)
+corenet_all_recvfrom_netlabel(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_if(clockspeed_srv_t)
 corenet_udp_sendrecv_generic_node(clockspeed_srv_t)
 corenet_udp_sendrecv_ntp_port(clockspeed_srv_t)
--- a/policy/modules/services/comsat.te
+++ b/policy/modules/services/comsat.te
@ -1,5 +1,5 @@

-policy_module(comsat,1.2.0)
+policy_module(comsat,1.2.1)

 ########################################
 #
@ -40,7 +40,8 @@ kernel_read_kernel_sysctls(comsat_t)
 kernel_read_network_state(comsat_t)
 kernel_read_system_state(comsat_t)

-corenet_non_ipsec_sendrecv(comsat_t)
+corenet_all_recvfrom_unlabeled(comsat_t)
+corenet_all_recvfrom_netlabel(comsat_t)
 corenet_tcp_sendrecv_all_if(comsat_t)
 corenet_udp_sendrecv_all_if(comsat_t)
 corenet_tcp_sendrecv_all_nodes(comsat_t)
--- a/policy/modules/services/courier.if
+++ b/policy/modules/services/courier.if
@ -48,7 +48,8 @@ template(`courier_domain_template',`

 	corecmd_exec_bin(courier_$1_t)

-	corenet_non_ipsec_sendrecv(courier_$1_t)
+	corenet_all_recvfrom_unlabeled(courier_$1_t)
+	corenet_all_recvfrom_netlabel(courier_$1_t)
 	corenet_tcp_sendrecv_generic_if(courier_$1_t)
 	corenet_udp_sendrecv_generic_if(courier_$1_t)
 	corenet_tcp_sendrecv_all_nodes(courier_$1_t)
--- a/policy/modules/services/courier.te
+++ b/policy/modules/services/courier.te
@ -1,5 +1,5 @@

-policy_module(courier,1.2.0)
+policy_module(courier,1.2.1)

 ########################################
 #
--- a/policy/modules/services/cron.if
+++ b/policy/modules/services/cron.if
@ -94,7 +94,8 @@ template(`cron_per_role_template',`
 	# ps does not need to access /boot when run from cron
 	files_dontaudit_search_boot($1_crond_t)

-	corenet_non_ipsec_sendrecv($1_crond_t)
+	corenet_all_recvfrom_unlabeled($1_crond_t)
+	corenet_all_recvfrom_netlabel($1_crond_t)
 	corenet_tcp_sendrecv_all_if($1_crond_t)
 	corenet_udp_sendrecv_all_if($1_crond_t)
 	corenet_tcp_sendrecv_all_nodes($1_crond_t)
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@ -1,5 +1,5 @@

-policy_module(cron,1.6.1)
+policy_module(cron,1.6.2)

 gen_require(`
 	class passwd rootok;
@ -327,7 +327,8 @@ ifdef(`targeted_policy',`

 	corecmd_exec_all_executables(system_crond_t)

-	corenet_non_ipsec_sendrecv(system_crond_t)
+	corenet_all_recvfrom_unlabeled(system_crond_t)
+	corenet_all_recvfrom_netlabel(system_crond_t)
 	corenet_tcp_sendrecv_all_if(system_crond_t)
 	corenet_udp_sendrecv_all_if(system_crond_t)
 	corenet_tcp_sendrecv_all_nodes(system_crond_t)
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@ -1,5 +1,5 @@

-policy_module(cups,1.6.1)
+policy_module(cups,1.6.2)

 ########################################
 #
@ -133,7 +133,8 @@ kernel_read_system_state(cupsd_t)
 kernel_read_network_state(cupsd_t)
 kernel_read_all_sysctls(cupsd_t)

-corenet_non_ipsec_sendrecv(cupsd_t)
+corenet_all_recvfrom_unlabeled(cupsd_t)
+corenet_all_recvfrom_netlabel(cupsd_t)
 corenet_tcp_sendrecv_all_if(cupsd_t)
 corenet_udp_sendrecv_all_if(cupsd_t)
 corenet_raw_sendrecv_all_if(cupsd_t)
@ -340,7 +341,8 @@ files_pid_filetrans(cupsd_config_t,cupsd_config_var_run_t,file)
 kernel_read_system_state(cupsd_config_t)
 kernel_read_kernel_sysctls(cupsd_config_t)

-corenet_non_ipsec_sendrecv(cupsd_config_t)
+corenet_all_recvfrom_unlabeled(cupsd_config_t)
+corenet_all_recvfrom_netlabel(cupsd_config_t)
 corenet_tcp_sendrecv_all_if(cupsd_config_t)
 corenet_tcp_sendrecv_all_nodes(cupsd_config_t)
 corenet_tcp_sendrecv_all_ports(cupsd_config_t)
@ -491,7 +493,8 @@ kernel_read_kernel_sysctls(cupsd_lpd_t)
 kernel_read_system_state(cupsd_lpd_t)
 kernel_read_network_state(cupsd_lpd_t)

-corenet_non_ipsec_sendrecv(cupsd_lpd_t)
+corenet_all_recvfrom_unlabeled(cupsd_lpd_t)
+corenet_all_recvfrom_netlabel(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_if(cupsd_lpd_t)
 corenet_udp_sendrecv_all_if(cupsd_lpd_t)
 corenet_tcp_sendrecv_all_nodes(cupsd_lpd_t)
@ -564,7 +567,8 @@ files_pid_filetrans(hplip_t,hplip_var_run_t,file)
 kernel_read_system_state(hplip_t)
 kernel_read_kernel_sysctls(hplip_t)

-corenet_non_ipsec_sendrecv(hplip_t)
+corenet_all_recvfrom_unlabeled(hplip_t)
+corenet_all_recvfrom_netlabel(hplip_t)
 corenet_tcp_sendrecv_all_if(hplip_t)
 corenet_udp_sendrecv_all_if(hplip_t)
 corenet_raw_sendrecv_all_if(hplip_t)
@ -661,7 +665,8 @@ kernel_read_kernel_sysctls(ptal_t)
 kernel_list_proc(ptal_t)
 kernel_read_proc_symlinks(ptal_t)

-corenet_non_ipsec_sendrecv(ptal_t)
+corenet_all_recvfrom_unlabeled(ptal_t)
+corenet_all_recvfrom_netlabel(ptal_t)
 corenet_tcp_sendrecv_all_if(ptal_t)
 corenet_tcp_sendrecv_all_nodes(ptal_t)
 corenet_tcp_sendrecv_all_ports(ptal_t)
--- a/policy/modules/services/cvs.te
+++ b/policy/modules/services/cvs.te
@ -1,5 +1,5 @@

-policy_module(cvs,1.4.0)
+policy_module(cvs,1.4.1)

 ########################################
 #
@ -54,7 +54,8 @@ kernel_read_kernel_sysctls(cvs_t)
 kernel_read_system_state(cvs_t)
 kernel_read_network_state(cvs_t)

-corenet_non_ipsec_sendrecv(cvs_t)
+corenet_all_recvfrom_unlabeled(cvs_t)
+corenet_all_recvfrom_netlabel(cvs_t)
 corenet_tcp_sendrecv_all_if(cvs_t)
 corenet_udp_sendrecv_all_if(cvs_t)
 corenet_tcp_sendrecv_all_nodes(cvs_t)
--- a/policy/modules/services/cyrus.te
+++ b/policy/modules/services/cyrus.te
@ -1,5 +1,5 @@

-policy_module(cyrus,1.3.1)
+policy_module(cyrus,1.3.2)

 ########################################
 #
@ -61,7 +61,8 @@ kernel_read_kernel_sysctls(cyrus_t)
 kernel_read_system_state(cyrus_t)
 kernel_read_all_sysctls(cyrus_t)

-corenet_non_ipsec_sendrecv(cyrus_t)
+corenet_all_recvfrom_unlabeled(cyrus_t)
+corenet_all_recvfrom_netlabel(cyrus_t)
 corenet_tcp_sendrecv_all_if(cyrus_t)
 corenet_udp_sendrecv_all_if(cyrus_t)
 corenet_tcp_sendrecv_all_nodes(cyrus_t)
--- a/policy/modules/services/dante.te
+++ b/policy/modules/services/dante.te
@ -1,5 +1,5 @@

-policy_module(dante,1.2.0)
+policy_module(dante,1.2.1)

 ########################################
 #
@ -38,7 +38,8 @@ kernel_read_kernel_sysctls(dante_t)
 kernel_list_proc(dante_t)
 kernel_read_proc_symlinks(dante_t)

-corenet_non_ipsec_sendrecv(dante_t)
+corenet_all_recvfrom_unlabeled(dante_t)
+corenet_all_recvfrom_netlabel(dante_t)
 corenet_tcp_sendrecv_generic_if(dante_t)
 corenet_udp_sendrecv_generic_if(dante_t)
 corenet_tcp_sendrecv_all_nodes(dante_t)
--- a/policy/modules/services/dbskk.te
+++ b/policy/modules/services/dbskk.te
@ -1,5 +1,5 @@

-policy_module(dbskk,1.2.0)
+policy_module(dbskk,1.2.1)

 ########################################
 #
@ -48,7 +48,8 @@ kernel_read_kernel_sysctls(dbskkd_t)
 kernel_read_system_state(dbskkd_t)
 kernel_read_network_state(dbskkd_t)

-corenet_non_ipsec_sendrecv(dbskkd_t)
+corenet_all_recvfrom_unlabeled(dbskkd_t)
+corenet_all_recvfrom_netlabel(dbskkd_t)
 corenet_tcp_sendrecv_all_if(dbskkd_t)
 corenet_udp_sendrecv_all_if(dbskkd_t)
 corenet_tcp_sendrecv_all_nodes(dbskkd_t)
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@ -107,7 +107,8 @@ template(`dbus_per_role_template',`
 	corecmd_read_bin_pipes($1_dbusd_t)
 	corecmd_read_bin_sockets($1_dbusd_t)

-	corenet_non_ipsec_sendrecv($1_dbusd_t)
+	corenet_all_recvfrom_unlabeled($1_dbusd_t)
+	corenet_all_recvfrom_netlabel($1_dbusd_t)
 	corenet_tcp_sendrecv_all_if($1_dbusd_t)
 	corenet_tcp_sendrecv_all_nodes($1_dbusd_t)
 	corenet_tcp_sendrecv_all_ports($1_dbusd_t)
@ -269,7 +270,6 @@ template(`dbus_send_user_bus',`
 	allow $2 $1_dbusd_t:dbus send_msg;
 ')

-
 ########################################
 ## <summary>
 ##	Read dbus configuration.
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@ -1,5 +1,5 @@

-policy_module(dbus,1.5.1)
+policy_module(dbus,1.5.2)

 gen_require(`
 	class dbus { send_msg acquire_svc };
--- a/policy/modules/services/dcc.te
+++ b/policy/modules/services/dcc.te
@ -1,5 +1,5 @@

-policy_module(dcc,1.2.0)
+policy_module(dcc,1.2.1)

 ########################################
 #
@ -99,7 +99,8 @@ allow cdcc_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)
 read_lnk_files_pattern(cdcc_t,dcc_var_t,dcc_var_t)

-corenet_non_ipsec_sendrecv(cdcc_t)
+corenet_all_recvfrom_unlabeled(cdcc_t)
+corenet_all_recvfrom_netlabel(cdcc_t)
 corenet_udp_sendrecv_generic_if(cdcc_t)
 corenet_udp_sendrecv_all_nodes(cdcc_t)
 corenet_udp_sendrecv_all_ports(cdcc_t)
@ -141,7 +142,8 @@ allow dcc_client_t dcc_var_t:dir list_dir_perms;
 read_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)
 read_lnk_files_pattern(dcc_client_t,dcc_var_t,dcc_var_t)

-corenet_non_ipsec_sendrecv(dcc_client_t)
+corenet_all_recvfrom_unlabeled(dcc_client_t)
+corenet_all_recvfrom_netlabel(dcc_client_t)
 corenet_udp_sendrecv_generic_if(dcc_client_t)
 corenet_udp_sendrecv_all_nodes(dcc_client_t)
 corenet_udp_sendrecv_all_ports(dcc_client_t)
@ -183,7 +185,8 @@ manage_lnk_files_pattern(dcc_dbclean_t,dcc_var_t,dcc_var_t)

 kernel_read_system_state(dcc_dbclean_t)

-corenet_non_ipsec_sendrecv(dcc_dbclean_t)
+corenet_all_recvfrom_unlabeled(dcc_dbclean_t)
+corenet_all_recvfrom_netlabel(dcc_dbclean_t)
 corenet_udp_sendrecv_generic_if(dcc_dbclean_t)
 corenet_udp_sendrecv_all_nodes(dcc_dbclean_t)
 corenet_udp_sendrecv_all_ports(dcc_dbclean_t)
@ -243,7 +246,8 @@ files_pid_filetrans(dccd_t,dccd_var_run_t,file)
 kernel_read_system_state(dccd_t)
 kernel_read_kernel_sysctls(dccd_t)

-corenet_non_ipsec_sendrecv(dccd_t)
+corenet_all_recvfrom_unlabeled(dccd_t)
+corenet_all_recvfrom_netlabel(dccd_t)
 corenet_udp_sendrecv_generic_if(dccd_t)
 corenet_udp_sendrecv_all_nodes(dccd_t)
 corenet_udp_sendrecv_all_ports(dccd_t)
@ -324,7 +328,8 @@ files_pid_filetrans(dccifd_t,dccifd_var_run_t,file)
 kernel_read_system_state(dccifd_t)
 kernel_read_kernel_sysctls(dccifd_t)

-corenet_non_ipsec_sendrecv(dccifd_t)
+corenet_all_recvfrom_unlabeled(dccifd_t)
+corenet_all_recvfrom_netlabel(dccifd_t)
 corenet_udp_sendrecv_generic_if(dccifd_t)
 corenet_udp_sendrecv_all_nodes(dccifd_t)
 corenet_udp_sendrecv_all_ports(dccifd_t)
@ -401,7 +406,8 @@ files_pid_filetrans(dccm_t,dccm_var_run_t,file)
 kernel_read_system_state(dccm_t)
 kernel_read_kernel_sysctls(dccm_t)

-corenet_non_ipsec_sendrecv(dccm_t)
+corenet_all_recvfrom_unlabeled(dccm_t)
+corenet_all_recvfrom_netlabel(dccm_t)
 corenet_udp_sendrecv_generic_if(dccm_t)
 corenet_udp_sendrecv_all_nodes(dccm_t)
 corenet_udp_sendrecv_all_ports(dccm_t)
--- a/policy/modules/services/ddclient.te
+++ b/policy/modules/services/ddclient.te
@ -1,5 +1,5 @@

-policy_module(ddclient,1.2.0)
+policy_module(ddclient,1.2.1)

 ########################################
 #
@ -64,7 +64,8 @@ kernel_read_kernel_sysctls(ddclient_t)
 corecmd_exec_shell(ddclient_t)
 corecmd_exec_bin(ddclient_t)

-corenet_non_ipsec_sendrecv(ddclient_t)
+corenet_all_recvfrom_unlabeled(ddclient_t)
+corenet_all_recvfrom_netlabel(ddclient_t)
 corenet_tcp_sendrecv_generic_if(ddclient_t)
 corenet_udp_sendrecv_generic_if(ddclient_t)
 corenet_tcp_sendrecv_all_nodes(ddclient_t)
--- a/policy/modules/services/dhcp.te
+++ b/policy/modules/services/dhcp.te
@ -1,5 +1,5 @@

-policy_module(dhcp,1.3.0)
+policy_module(dhcp,1.3.1)

 ########################################
 #
@ -52,7 +52,8 @@ files_pid_filetrans(dhcpd_t,dhcpd_var_run_t,file)
 kernel_read_system_state(dhcpd_t)
 kernel_read_kernel_sysctls(dhcpd_t)

-corenet_non_ipsec_sendrecv(dhcpd_t)
+corenet_all_recvfrom_unlabeled(dhcpd_t)
+corenet_all_recvfrom_netlabel(dhcpd_t)
 corenet_tcp_sendrecv_all_if(dhcpd_t)
 corenet_udp_sendrecv_all_if(dhcpd_t)
 corenet_raw_sendrecv_all_if(dhcpd_t)
--- a/policy/modules/services/dictd.te
+++ b/policy/modules/services/dictd.te
@ -1,5 +1,5 @@

-policy_module(dictd,1.3.0)
+policy_module(dictd,1.3.1)

 ########################################
 #
@ -37,7 +37,8 @@ allow dictd_t dictd_var_lib_t:file read_file_perms;
 kernel_read_system_state(dictd_t)
 kernel_read_kernel_sysctls(dictd_t)

-corenet_non_ipsec_sendrecv(dictd_t)
+corenet_all_recvfrom_unlabeled(dictd_t)
+corenet_all_recvfrom_netlabel(dictd_t)
 corenet_tcp_sendrecv_all_if(dictd_t)
 corenet_raw_sendrecv_all_if(dictd_t)
 corenet_udp_sendrecv_all_if(dictd_t)
--- a/policy/modules/services/distcc.te
+++ b/policy/modules/services/distcc.te
@ -1,5 +1,5 @@

-policy_module(distcc,1.3.1)
+policy_module(distcc,1.3.2)

 ########################################
 #
@ -45,7 +45,8 @@ files_pid_filetrans(distccd_t,distccd_var_run_t,file)
 kernel_read_system_state(distccd_t)
 kernel_read_kernel_sysctls(distccd_t)

-corenet_non_ipsec_sendrecv(distccd_t)
+corenet_all_recvfrom_unlabeled(distccd_t)
+corenet_all_recvfrom_netlabel(distccd_t)
 corenet_tcp_sendrecv_all_if(distccd_t)
 corenet_udp_sendrecv_all_if(distccd_t)
 corenet_tcp_sendrecv_all_nodes(distccd_t)
--- a/policy/modules/services/djbdns.if
+++ b/policy/modules/services/djbdns.if
@ -32,7 +32,8 @@ template(`djbdns_daemontools_domain_template',`
 	allow djbdns_$1_t djbdns_$1_conf_t:dir list_dir_perms;
 	allow djbdns_$1_t djbdns_$1_conf_t:file read_file_perms;

-	corenet_non_ipsec_sendrecv(djbdns_$1_t)
+	corenet_all_recvfrom_unlabeled(djbdns_$1_t)
+	corenet_all_recvfrom_netlabel(djbdns_$1_t)
 	corenet_tcp_sendrecv_all_if(djbdns_$1_t)
 	corenet_udp_sendrecv_all_if(djbdns_$1_t)
 	corenet_tcp_sendrecv_all_nodes(djbdns_$1_t)
--- a/policy/modules/services/djbdns.te
+++ b/policy/modules/services/djbdns.te
@ -1,5 +1,5 @@

-policy_module(djbdns,1.1.0)
+policy_module(djbdns,1.1.1)

 ########################################
 #
--- a/policy/modules/services/dnsmasq.te
+++ b/policy/modules/services/dnsmasq.te
@ -1,5 +1,5 @@

-policy_module(dnsmasq,1.3.0)
+policy_module(dnsmasq,1.3.1)

 ########################################
 #
@ -42,7 +42,8 @@ kernel_read_kernel_sysctls(dnsmasq_t)
 kernel_list_proc(dnsmasq_t)
 kernel_read_proc_symlinks(dnsmasq_t)

-corenet_non_ipsec_sendrecv(dnsmasq_t)
+corenet_all_recvfrom_unlabeled(dnsmasq_t)
+corenet_all_recvfrom_netlabel(dnsmasq_t)
 corenet_tcp_sendrecv_generic_if(dnsmasq_t)
 corenet_udp_sendrecv_generic_if(dnsmasq_t)
 corenet_raw_sendrecv_generic_if(dnsmasq_t)
--- a/policy/modules/services/dovecot.te
+++ b/policy/modules/services/dovecot.te
@ -1,5 +1,5 @@

-policy_module(dovecot,1.5.1)
+policy_module(dovecot,1.5.2)

 ########################################
 #
@ -70,7 +70,8 @@ files_pid_filetrans(dovecot_t,dovecot_var_run_t,file)
 kernel_read_kernel_sysctls(dovecot_t)
 kernel_read_system_state(dovecot_t)

-corenet_non_ipsec_sendrecv(dovecot_t)
+corenet_all_recvfrom_unlabeled(dovecot_t)
+corenet_all_recvfrom_netlabel(dovecot_t)
 corenet_tcp_sendrecv_all_if(dovecot_t)
 corenet_tcp_sendrecv_all_nodes(dovecot_t)
 corenet_tcp_sendrecv_all_ports(dovecot_t)
--- a/policy/modules/services/fetchmail.te
+++ b/policy/modules/services/fetchmail.te
@ -1,5 +1,5 @@

-policy_module(fetchmail,1.3.0)
+policy_module(fetchmail,1.3.1)

 ########################################
 #
@ -46,7 +46,8 @@ kernel_getattr_proc_files(fetchmail_t)
 kernel_read_proc_symlinks(fetchmail_t)
 kernel_dontaudit_read_system_state(fetchmail_t)

-corenet_non_ipsec_sendrecv(fetchmail_t)
+corenet_all_recvfrom_unlabeled(fetchmail_t)
+corenet_all_recvfrom_netlabel(fetchmail_t)
 corenet_tcp_sendrecv_generic_if(fetchmail_t)
 corenet_udp_sendrecv_generic_if(fetchmail_t)
 corenet_tcp_sendrecv_all_nodes(fetchmail_t)
--- a/policy/modules/services/finger.te
+++ b/policy/modules/services/finger.te
@ -1,5 +1,5 @@

-policy_module(finger,1.3.0)
+policy_module(finger,1.3.1)

 ########################################
 #
@ -47,7 +47,8 @@ logging_log_filetrans(fingerd_t,fingerd_log_t,file)
 kernel_read_kernel_sysctls(fingerd_t)
 kernel_read_system_state(fingerd_t)

-corenet_non_ipsec_sendrecv(fingerd_t)
+corenet_all_recvfrom_unlabeled(fingerd_t)
+corenet_all_recvfrom_netlabel(fingerd_t)
 corenet_tcp_sendrecv_all_if(fingerd_t)
 corenet_udp_sendrecv_all_if(fingerd_t)
 corenet_tcp_sendrecv_all_nodes(fingerd_t)
--- a/policy/modules/services/ftp.te
+++ b/policy/modules/services/ftp.te
@ -1,5 +1,5 @@

-policy_module(ftp,1.5.0)
+policy_module(ftp,1.5.1)

 ########################################
 #
@ -128,7 +128,8 @@ dev_read_urand(ftpd_t)

 corecmd_exec_bin(ftpd_t)

-corenet_non_ipsec_sendrecv(ftpd_t)
+corenet_all_recvfrom_unlabeled(ftpd_t)
+corenet_all_recvfrom_netlabel(ftpd_t)
 corenet_tcp_sendrecv_all_if(ftpd_t)
 corenet_udp_sendrecv_all_if(ftpd_t)
 corenet_tcp_sendrecv_all_nodes(ftpd_t)
--- a/policy/modules/services/gatekeeper.te
+++ b/policy/modules/services/gatekeeper.te
@ -1,5 +1,5 @@

-policy_module(gatekeeper,1.2.0)
+policy_module(gatekeeper,1.2.1)

 ########################################
 #
@ -53,7 +53,8 @@ kernel_read_kernel_sysctls(gatekeeper_t)

 corecmd_list_bin(gatekeeper_t)

-corenet_non_ipsec_sendrecv(gatekeeper_t)
+corenet_all_recvfrom_unlabeled(gatekeeper_t)
+corenet_all_recvfrom_netlabel(gatekeeper_t)
 corenet_tcp_sendrecv_generic_if(gatekeeper_t)
 corenet_udp_sendrecv_generic_if(gatekeeper_t)
 corenet_tcp_sendrecv_all_nodes(gatekeeper_t)
--- a/policy/modules/services/hal.te
+++ b/policy/modules/services/hal.te
@ -1,5 +1,5 @@

-policy_module(hal,1.6.2)
+policy_module(hal,1.6.3)

 ########################################
 #
@ -91,7 +91,8 @@ auth_read_pam_console_data(hald_t)

 corecmd_exec_all_executables(hald_t)

-corenet_non_ipsec_sendrecv(hald_t)
+corenet_all_recvfrom_unlabeled(hald_t)
+corenet_all_recvfrom_netlabel(hald_t)
 corenet_tcp_sendrecv_all_if(hald_t)
 corenet_udp_sendrecv_all_if(hald_t)
 corenet_tcp_sendrecv_all_nodes(hald_t)
--- a/policy/modules/services/howl.te
+++ b/policy/modules/services/howl.te
@ -1,5 +1,5 @@

-policy_module(howl,1.3.0)
+policy_module(howl,1.3.1)

 ########################################
 #
@ -34,7 +34,8 @@ kernel_load_module(howl_t)
 kernel_list_proc(howl_t)
 kernel_read_proc_symlinks(howl_t)

-corenet_non_ipsec_sendrecv(howl_t)
+corenet_all_recvfrom_unlabeled(howl_t)
+corenet_all_recvfrom_netlabel(howl_t)
 corenet_tcp_sendrecv_all_if(howl_t)
 corenet_udp_sendrecv_all_if(howl_t)
 corenet_tcp_sendrecv_all_nodes(howl_t)
--- a/policy/modules/services/i18n_input.te
+++ b/policy/modules/services/i18n_input.te
@ -1,5 +1,5 @@

-policy_module(i18n_input,1.3.0)
+policy_module(i18n_input,1.3.1)

 ########################################
 #
@ -37,7 +37,8 @@ can_exec(i18n_input_t, i18n_input_exec_t)
 kernel_read_kernel_sysctls(i18n_input_t)
 kernel_read_system_state(i18n_input_t)

-corenet_non_ipsec_sendrecv(i18n_input_t)
+corenet_all_recvfrom_unlabeled(i18n_input_t)
+corenet_all_recvfrom_netlabel(i18n_input_t)
 corenet_tcp_sendrecv_generic_if(i18n_input_t)
 corenet_udp_sendrecv_generic_if(i18n_input_t)
 corenet_tcp_sendrecv_all_nodes(i18n_input_t)
--- a/policy/modules/services/imaze.te
+++ b/policy/modules/services/imaze.te
@ -1,5 +1,5 @@

-policy_module(imaze,1.2.0)
+policy_module(imaze,1.2.1)

 ########################################
 #
@ -55,7 +55,8 @@ kernel_read_kernel_sysctls(imazesrv_t)
 kernel_list_proc(imazesrv_t)
 kernel_read_proc_symlinks(imazesrv_t)

-corenet_non_ipsec_sendrecv(imazesrv_t)
+corenet_all_recvfrom_unlabeled(imazesrv_t)
+corenet_all_recvfrom_netlabel(imazesrv_t)
 corenet_tcp_sendrecv_generic_if(imazesrv_t)
 corenet_udp_sendrecv_generic_if(imazesrv_t)
 corenet_tcp_sendrecv_all_nodes(imazesrv_t)
--- a/policy/modules/services/inetd.te
+++ b/policy/modules/services/inetd.te
@ -1,5 +1,5 @@

-policy_module(inetd,1.3.0)
+policy_module(inetd,1.3.1)

 ########################################
 #
@ -60,7 +60,8 @@ kernel_read_system_state(inetd_t)
 kernel_tcp_recvfrom_unlabeled(inetd_t)

 # base networking:
-corenet_non_ipsec_sendrecv(inetd_t)
+corenet_all_recvfrom_unlabeled(inetd_t)
+corenet_all_recvfrom_netlabel(inetd_t)
 corenet_tcp_sendrecv_all_if(inetd_t)
 corenet_udp_sendrecv_all_if(inetd_t)
 corenet_tcp_sendrecv_all_nodes(inetd_t)
@ -81,7 +82,6 @@ corenet_tcp_bind_dbskkd_port(inetd_t)
 corenet_udp_bind_dbskkd_port(inetd_t)
 corenet_udp_bind_ftp_port(inetd_t)
 corenet_tcp_bind_inetd_child_port(inetd_t)
-corenet_tcp_bind_inetd_child_port(inetd_t)
 corenet_udp_bind_ktalkd_port(inetd_t)
 corenet_tcp_bind_printer_port(inetd_t)
 corenet_udp_bind_rsh_port(inetd_t)
@ -143,11 +143,6 @@ sysnet_read_config(inetd_t)
 userdom_dontaudit_use_unpriv_user_fds(inetd_t)
 userdom_dontaudit_search_sysadm_home_dirs(inetd_t)

-ifdef(`enable_mls',`
- 	corenet_tcp_recv_netlabel(inetd_t)
-  	corenet_udp_recv_netlabel(inetd_t)
-')
-
 ifdef(`targeted_policy',`
 	term_dontaudit_use_unallocated_ttys(inetd_t)
 	term_dontaudit_use_generic_ptys(inetd_t)
@ -200,7 +195,8 @@ kernel_read_kernel_sysctls(inetd_child_t)
 kernel_read_system_state(inetd_child_t)
 kernel_read_network_state(inetd_child_t)

-corenet_non_ipsec_sendrecv(inetd_child_t)
+corenet_all_recvfrom_unlabeled(inetd_child_t)
+corenet_all_recvfrom_netlabel(inetd_child_t)
 corenet_tcp_sendrecv_all_if(inetd_child_t)
 corenet_udp_sendrecv_all_if(inetd_child_t)
 corenet_tcp_sendrecv_all_nodes(inetd_child_t)
--- a/policy/modules/services/inn.te
+++ b/policy/modules/services/inn.te
@ -1,5 +1,5 @@

-policy_module(inn,1.3.0)
+policy_module(inn,1.3.1)

 ########################################
 #
@ -63,7 +63,8 @@ manage_lnk_files_pattern(innd_t,news_spool_t,news_spool_t)
 kernel_read_kernel_sysctls(innd_t)
 kernel_read_system_state(innd_t)

-corenet_non_ipsec_sendrecv(innd_t)
+corenet_all_recvfrom_unlabeled(innd_t)
+corenet_all_recvfrom_netlabel(innd_t)
 corenet_tcp_sendrecv_all_if(innd_t)
 corenet_udp_sendrecv_all_if(innd_t)
 corenet_tcp_sendrecv_all_nodes(innd_t)
--- a/policy/modules/services/ircd.te
+++ b/policy/modules/services/ircd.te
@ -1,5 +1,5 @@

-policy_module(ircd,1.2.0)
+policy_module(ircd,1.2.1)

 ########################################
 #
@ -50,7 +50,8 @@ kernel_read_kernel_sysctls(ircd_t)

 corecmd_search_bin(ircd_t)

-corenet_non_ipsec_sendrecv(ircd_t)
+corenet_all_recvfrom_unlabeled(ircd_t)
+corenet_all_recvfrom_netlabel(ircd_t)
 corenet_tcp_sendrecv_generic_if(ircd_t)
 corenet_udp_sendrecv_generic_if(ircd_t)
 corenet_tcp_sendrecv_all_nodes(ircd_t)
--- a/policy/modules/services/jabber.te
+++ b/policy/modules/services/jabber.te
@ -1,5 +1,5 @@

-policy_module(jabber,1.2.0)
+policy_module(jabber,1.2.1)

 ########################################
 #
@ -44,7 +44,8 @@ kernel_read_kernel_sysctls(jabberd_t)
 kernel_list_proc(jabberd_t)
 kernel_read_proc_symlinks(jabberd_t)

-corenet_non_ipsec_sendrecv(jabberd_t)
+corenet_all_recvfrom_unlabeled(jabberd_t)
+corenet_all_recvfrom_netlabel(jabberd_t)
 corenet_tcp_sendrecv_generic_if(jabberd_t)
 corenet_udp_sendrecv_generic_if(jabberd_t)
 corenet_tcp_sendrecv_all_nodes(jabberd_t)
--- a/policy/modules/services/kerberos.if
+++ b/policy/modules/services/kerberos.if
@ -47,7 +47,8 @@ interface(`kerberos_use',`
 		allow $1 self:tcp_socket create_socket_perms;
 		allow $1 self:udp_socket create_socket_perms;

-		corenet_non_ipsec_sendrecv($1)
+		corenet_all_recvfrom_unlabeled($1)
+		corenet_all_recvfrom_netlabel($1)
 		corenet_tcp_sendrecv_all_if($1)
 		corenet_udp_sendrecv_all_if($1)
 		corenet_tcp_sendrecv_all_nodes($1)
--- a/policy/modules/services/kerberos.te
+++ b/policy/modules/services/kerberos.te
@ -1,5 +1,5 @@

-policy_module(kerberos,1.4.0)
+policy_module(kerberos,1.4.1)

 ########################################
 #
@ -92,7 +92,8 @@ kernel_read_kernel_sysctls(kadmind_t)
 kernel_list_proc(kadmind_t)
 kernel_read_proc_symlinks(kadmind_t)

-corenet_non_ipsec_sendrecv(kadmind_t)
+corenet_all_recvfrom_unlabeled(kadmind_t)
+corenet_all_recvfrom_netlabel(kadmind_t)
 corenet_tcp_sendrecv_all_if(kadmind_t)
 corenet_udp_sendrecv_all_if(kadmind_t)
 corenet_tcp_sendrecv_all_nodes(kadmind_t)
@ -192,7 +193,8 @@ kernel_search_network_sysctl(krb5kdc_t)

 corecmd_exec_bin(krb5kdc_t)

-corenet_non_ipsec_sendrecv(krb5kdc_t)
+corenet_all_recvfrom_unlabeled(krb5kdc_t)
+corenet_all_recvfrom_netlabel(krb5kdc_t)
 corenet_tcp_sendrecv_all_if(krb5kdc_t)
 corenet_udp_sendrecv_all_if(krb5kdc_t)
 corenet_tcp_sendrecv_all_nodes(krb5kdc_t)
--- a/policy/modules/services/ktalk.te
+++ b/policy/modules/services/ktalk.te
@ -1,5 +1,5 @@

-policy_module(ktalk,1.4.0)
+policy_module(ktalk,1.4.1)

 ########################################
 #
@ -53,7 +53,8 @@ kernel_read_kernel_sysctls(ktalkd_t)
 kernel_read_system_state(ktalkd_t)
 kernel_read_network_state(ktalkd_t)

-corenet_non_ipsec_sendrecv(ktalkd_t)
+corenet_all_recvfrom_unlabeled(ktalkd_t)
+corenet_all_recvfrom_netlabel(ktalkd_t)
 corenet_tcp_sendrecv_all_if(ktalkd_t)
 corenet_udp_sendrecv_all_if(ktalkd_t)
 corenet_tcp_sendrecv_all_nodes(ktalkd_t)
--- a/policy/modules/services/ldap.te
+++ b/policy/modules/services/ldap.te
@ -1,5 +1,5 @@

-policy_module(ldap,1.4.0)
+policy_module(ldap,1.4.1)

 ########################################
 #
@ -77,7 +77,8 @@ files_pid_filetrans(slapd_t,slapd_var_run_t,{ file sock_file })
 kernel_read_system_state(slapd_t)
 kernel_read_kernel_sysctls(slapd_t)

-corenet_non_ipsec_sendrecv(slapd_t)
+corenet_all_recvfrom_unlabeled(slapd_t)
+corenet_all_recvfrom_netlabel(slapd_t)
 corenet_tcp_sendrecv_all_if(slapd_t)
 corenet_udp_sendrecv_all_if(slapd_t)
 corenet_tcp_sendrecv_all_nodes(slapd_t)
--- a/policy/modules/services/lpd.if
+++ b/policy/modules/services/lpd.if
@ -104,7 +104,8 @@ template(`lpd_per_role_template',`

 	kernel_read_kernel_sysctls($1_lpr_t)

-	corenet_non_ipsec_sendrecv($1_lpr_t)
+	corenet_all_recvfrom_unlabeled($1_lpr_t)
+	corenet_all_recvfrom_netlabel($1_lpr_t)
 	corenet_tcp_sendrecv_generic_if($1_lpr_t)
 	corenet_udp_sendrecv_generic_if($1_lpr_t)
 	corenet_tcp_sendrecv_all_nodes($1_lpr_t)
--- a/policy/modules/services/lpd.te
+++ b/policy/modules/services/lpd.te
@ -1,5 +1,5 @@

-policy_module(lpd,1.5.0)
+policy_module(lpd,1.5.1)

 ########################################
 #
@ -72,7 +72,8 @@ allow checkpc_t printconf_t:dir { getattr search read };

 kernel_read_system_state(checkpc_t)

-corenet_non_ipsec_sendrecv(checkpc_t)
+corenet_all_recvfrom_unlabeled(checkpc_t)
+corenet_all_recvfrom_netlabel(checkpc_t)
 corenet_tcp_sendrecv_all_if(checkpc_t)
 corenet_udp_sendrecv_all_if(checkpc_t)
 corenet_tcp_sendrecv_all_nodes(checkpc_t)
@ -157,7 +158,8 @@ kernel_read_kernel_sysctls(lpd_t)
 # bash wants access to /proc/meminfo
 kernel_read_system_state(lpd_t)

-corenet_non_ipsec_sendrecv(lpd_t)
+corenet_all_recvfrom_unlabeled(lpd_t)
+corenet_all_recvfrom_netlabel(lpd_t)
 corenet_tcp_sendrecv_all_if(lpd_t)
 corenet_udp_sendrecv_all_if(lpd_t)
 corenet_tcp_sendrecv_all_nodes(lpd_t)
--- a/policy/modules/services/mailman.if
+++ b/policy/modules/services/mailman.if
@ -48,7 +48,8 @@ template(`mailman_domain_template', `
 	kernel_read_kernel_sysctls(mailman_$1_t)
 	kernel_read_system_state(mailman_$1_t)

-	corenet_non_ipsec_sendrecv(mailman_$1_t)
+	corenet_all_recvfrom_unlabeled(mailman_$1_t)
+	corenet_all_recvfrom_netlabel(mailman_$1_t)
 	corenet_tcp_sendrecv_all_if(mailman_$1_t)
 	corenet_udp_sendrecv_all_if(mailman_$1_t)
 	corenet_raw_sendrecv_all_if(mailman_$1_t)
--- a/policy/modules/services/mailman.te
+++ b/policy/modules/services/mailman.te
@ -1,5 +1,5 @@

-policy_module(mailman,1.2.1)
+policy_module(mailman,1.2.2)

 ########################################
 #
--- a/policy/modules/services/monop.te
+++ b/policy/modules/services/monop.te
@ -1,5 +1,5 @@

-policy_module(monop,1.2.0)
+policy_module(monop,1.2.1)

 ########################################
 #
@ -43,7 +43,8 @@ kernel_read_kernel_sysctls(monopd_t)
 kernel_list_proc(monopd_t)
 kernel_read_proc_symlinks(monopd_t)

-corenet_non_ipsec_sendrecv(monopd_t)
+corenet_all_recvfrom_unlabeled(monopd_t)
+corenet_all_recvfrom_netlabel(monopd_t)
 corenet_tcp_sendrecv_generic_if(monopd_t)
 corenet_udp_sendrecv_generic_if(monopd_t)
 corenet_tcp_sendrecv_all_nodes(monopd_t)
--- a/Show More
+++ b/Show More