break packet_t into server_packet_t client_packet_t, and cover add packets to system modules where they make sense.

refpolicy/policy/modules/kernel/corenetwork.if.in

@@ -1310,7 +1310,7 @@ interface(`corenet_non_ipsec_sendrecv',`
 
 ########################################
 ## <summary>
-##	Send generic packets.
+##	Send generic client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1318,17 +1318,17 @@ interface(`corenet_non_ipsec_sendrecv',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_send_generic_packets',`
+interface(`corenet_send_generic_client_packets',`
 	gen_require(`
-		type packet_t;
+		type client_packet_t;
 	')
 
-	allow $1 packet_t:packet send;
+	allow $1 client_packet_t:packet send;
 ')
 
 ########################################
 ## <summary>
-##	Receive generic packets.
+##	Receive generic client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1336,17 +1336,17 @@ interface(`corenet_send_generic_packets',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_receive_generic_packets',`
+interface(`corenet_receive_generic_client_packets',`
 	gen_require(`
-		type packet_t;
+		type client_packet_t;
 	')
 
-	allow $1 packet_t:packet recv;
+	allow $1 client_packet_t:packet recv;
 ')
 
 ########################################
 ## <summary>
-##	Send and receive generic packets.
+##	Send and receive generic client packets.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1354,14 +1354,14 @@ interface(`corenet_receive_generic_packets',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_sendrecv_generic_packets',`
-	corenet_send_generic_packets($1)
-	corenet_receive_generic_packets($1)
+interface(`corenet_sendrecv_generic_client_packets',`
+	corenet_send_generic_client_packets($1)
+	corenet_receive_generic_client_packets($1)
 ')
 
 ########################################
 ## <summary>
-##	Relabel packets to the generic packet type.
+##	Relabel packets to the generic client packet type.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -1369,12 +1369,81 @@ interface(`corenet_sendrecv_generic_packets',`
 ##	</summary>
 ## </param>
 #
-interface(`corenet_relabelto_generic_packets',`
+interface(`corenet_relabelto_generic_client_packets',`
 	gen_require(`
-		type packet_t;
+		type client_packet_t;
 	')
 
-	allow $1 packet_t:packet relabelto;
+	allow $1 client_packet_t:packet relabelto;
+')
+
+########################################
+## <summary>
+##	Send generic server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_send_generic_server_packets',`
+	gen_require(`
+		type server_packet_t;
+	')
+
+	allow $1 server_packet_t:packet send;
+')
+
+########################################
+## <summary>
+##	Receive generic server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_receive_generic_server_packets',`
+	gen_require(`
+		type server_packet_t;
+	')
+
+	allow $1 server_packet_t:packet recv;
+')
+
+########################################
+## <summary>
+##	Send and receive generic server packets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_generic_server_packets',`
+	corenet_send_generic_server_packets($1)
+	corenet_receive_generic_server_packets($1)
+')
+
+########################################
+## <summary>
+##	Relabel packets to the generic server packet type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_relabelto_generic_server_packets',`
+	gen_require(`
+		type server_packet_t;
+	')
+
+	allow $1 server_packet_t:packet relabelto;
 ')
 
 ########################################

refpolicy/policy/modules/kernel/corenetwork.te.in

@@ -1,5 +1,5 @@
 
-policy_module(corenetwork,1.1.10)
+policy_module(corenetwork,1.1.11)
 
 ########################################
 #
@@ -32,9 +32,9 @@ dev_node(tun_tap_device_t)
 #
 
 #
-# packet_t is the default type of IPv4 and IPv6 packets.
+# client_packet_t is the default type of IPv4 and IPv6 client packets.
 #
-type packet_t, packet_type;
+type client_packet_t, packet_type, client_packet_type;
 
 #
 # port_t is the default type of INET port numbers.
@@ -47,6 +47,11 @@ sid port gen_context(system_u:object_r:port_t,s0)
 #
 type reserved_port_t, port_type, reserved_port_type;
 
+#
+# server_packet_t is the default type of IPv4 and IPv6 server packets.
+#
+type server_packet_t, packet_type, server_packet_type;
+
 network_port(afs_bos, udp,7007,s0)
 network_port(afs_fs, tcp,2040,s0, udp,7000,s0, udp,7005,s0)
 network_port(afs_ka, udp,7004,s0)

refpolicy/policy/modules/kernel/kernel.te

@@ -1,5 +1,5 @@
 
-policy_module(kernel,1.3.9)
+policy_module(kernel,1.3.10)
 
 ########################################
 #
@@ -288,7 +288,7 @@ optional_policy(`
 	corenet_udp_sendrecv_all_ports(kernel_t)
 	corenet_udp_bind_all_nodes(kernel_t)
 	corenet_sendrecv_portmap_client_packets(kernel_t)
-	corenet_sendrecv_generic_packets(kernel_t)
+	corenet_sendrecv_generic_server_packets(kernel_t)
 
 	auth_dontaudit_getattr_shadow(kernel_t)
 

refpolicy/policy/modules/services/rpc.if

@@ -72,7 +72,7 @@ template(`rpc_domain_template', `
 	corenet_tcp_bind_generic_port($1_t)
 	corenet_udp_bind_generic_port($1_t)
 	corenet_udp_bind_reserved_port($1_t)
-	corenet_sendrecv_generic_packets($1_t)
+	corenet_sendrecv_generic_server_packets($1_t)
 
 	fs_search_auto_mountpoints($1_t)
 

refpolicy/policy/modules/services/rpc.te

@@ -1,5 +1,5 @@
 
-policy_module(rpc,1.2.6)
+policy_module(rpc,1.2.7)
 
 ########################################
 #

refpolicy/policy/modules/system/hotplug.te

@@ -1,5 +1,5 @@
 
-policy_module(hotplug,1.2.0)
+policy_module(hotplug,1.2.1)
 
 ########################################
 #
@@ -52,17 +52,13 @@ kernel_read_net_sysctls(hotplug_t)
 
 files_read_kernel_modules(hotplug_t)
 
+corenet_non_ipsec_sendrecv(hotplug_t)
 corenet_tcp_sendrecv_all_if(hotplug_t)
 corenet_udp_sendrecv_all_if(hotplug_t)
-corenet_raw_sendrecv_all_if(hotplug_t)
 corenet_tcp_sendrecv_all_nodes(hotplug_t)
 corenet_udp_sendrecv_all_nodes(hotplug_t)
-corenet_raw_sendrecv_all_nodes(hotplug_t)
 corenet_tcp_sendrecv_all_ports(hotplug_t)
 corenet_udp_sendrecv_all_ports(hotplug_t)
-corenet_non_ipsec_sendrecv(hotplug_t)
-corenet_tcp_bind_all_nodes(hotplug_t)
-corenet_udp_bind_all_nodes(hotplug_t)
 
 dev_rw_sysfs(hotplug_t)
 dev_read_usbfs(hotplug_t)

refpolicy/policy/modules/system/init.te

@@ -1,5 +1,5 @@
 
-policy_module(init,1.3.15)
+policy_module(init,1.3.16)
 
 gen_require(`
 	class passwd rootok;
@@ -249,18 +249,15 @@ kernel_dontaudit_getattr_message_if(initrc_t)
 
 files_read_kernel_symbol_table(initrc_t)
 
+corenet_non_ipsec_sendrecv(initrc_t)
 corenet_tcp_sendrecv_all_if(initrc_t)
-corenet_raw_sendrecv_all_if(initrc_t)
 corenet_udp_sendrecv_all_if(initrc_t)
 corenet_tcp_sendrecv_all_nodes(initrc_t)
-corenet_raw_sendrecv_all_nodes(initrc_t)
 corenet_udp_sendrecv_all_nodes(initrc_t)
 corenet_tcp_sendrecv_all_ports(initrc_t)
 corenet_udp_sendrecv_all_ports(initrc_t)
-corenet_non_ipsec_sendrecv(initrc_t)
-corenet_tcp_bind_all_nodes(initrc_t)
-corenet_udp_bind_all_nodes(initrc_t)
 corenet_tcp_connect_all_ports(initrc_t)
+corenet_sendrecv_all_client_packets(initrc_t)
 
 dev_read_rand(initrc_t)
 dev_read_urand(initrc_t)

refpolicy/policy/modules/system/ipsec.te

@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.1.0)
+policy_module(ipsec,1.1.1)
 
 ########################################
 #
@@ -83,15 +83,17 @@ kernel_getattr_core_if(ipsec_t)
 kernel_getattr_message_if(ipsec_t)
 
 # Pluto needs network access
+corenet_non_ipsec_sendrecv(ipsec_t)
 corenet_tcp_sendrecv_all_if(ipsec_t)
 corenet_raw_sendrecv_all_if(ipsec_t)
 corenet_tcp_sendrecv_all_nodes(ipsec_t)
 corenet_raw_sendrecv_all_nodes(ipsec_t)
 corenet_tcp_sendrecv_all_ports(ipsec_t)
-corenet_non_ipsec_sendrecv(ipsec_t)
 corenet_tcp_bind_all_nodes(ipsec_t)
-corenet_udp_bind_reserved_port(ipsec_t)
-corenet_udp_bind_isakmp_port(ipsec_t)
+corenet_tcp_bind_reserved_port(ipsec_t)
+corenet_tcp_bind_isakmp_port(ipsec_t)
+corenet_sendrecv_generic_server_packets(ipsec_t)
+corenet_sendrecv_isakmp_server_packets(ipsec_t)
 
 dev_read_sysfs(ipsec_t)
 dev_read_rand(ipsec_t)

refpolicy/policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.3.4)
+policy_module(logging,1.3.5)
 
 ########################################
 #
@@ -260,7 +260,7 @@ allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_file_perms;
-allow syslogd_t self:udp_socket { connected_socket_perms connect };
+allow syslogd_t self:udp_socket create_socket_perms;
 
 # Create and bind to /dev/log or /var/run/log.
 allow syslogd_t devlog_t:sock_file create_file_perms;
@@ -306,15 +306,15 @@ init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
 term_write_all_user_ttys(syslogd_t)
 
-corenet_raw_sendrecv_all_if(syslogd_t)
+corenet_non_ipsec_sendrecv(syslogd_t)
 corenet_udp_sendrecv_all_if(syslogd_t)
-corenet_raw_sendrecv_all_nodes(syslogd_t)
 corenet_udp_sendrecv_all_nodes(syslogd_t)
 corenet_udp_sendrecv_all_ports(syslogd_t)
-corenet_non_ipsec_sendrecv(syslogd_t)
 corenet_udp_bind_all_nodes(syslogd_t)
-corenet_tcp_bind_syslogd_port(syslogd_t)
 corenet_udp_bind_syslogd_port(syslogd_t)
+# syslog-ng can send or receive logs
+corenet_sendrecv_syslogd_client_packets(syslogd_t)
+corenet_sendrecv_syslogd_server_packets(syslogd_t)
 
 fs_getattr_all_fs(syslogd_t)
 

refpolicy/policy/modules/system/lvm.te

@@ -1,5 +1,5 @@
 
-policy_module(lvm,1.3.2)
+policy_module(lvm,1.3.3)
 
 ########################################
 #
@@ -61,6 +61,7 @@ kernel_read_kernel_sysctls(clvmd_t)
 kernel_list_proc(clvmd_t)
 kernel_read_proc_symlinks(clvmd_t)
 
+corenet_non_ipsec_sendrecv(clvmd_t)
 corenet_tcp_sendrecv_all_if(clvmd_t)
 corenet_udp_sendrecv_all_if(clvmd_t)
 corenet_raw_sendrecv_all_if(clvmd_t)
@@ -69,11 +70,10 @@ corenet_udp_sendrecv_all_nodes(clvmd_t)
 corenet_raw_sendrecv_all_nodes(clvmd_t)
 corenet_tcp_sendrecv_all_ports(clvmd_t)
 corenet_udp_sendrecv_all_ports(clvmd_t)
-corenet_non_ipsec_sendrecv(clvmd_t)
 corenet_tcp_bind_all_nodes(clvmd_t)
-corenet_udp_bind_all_nodes(clvmd_t)
 corenet_tcp_bind_reserved_port(clvmd_t)
 corenet_dontaudit_tcp_bind_all_reserved_ports(clvmd_t)
+corenet_sendrecv_generic_server_packets(clvmd_t)
 
 dev_read_sysfs(clvmd_t)
 

refpolicy/policy/modules/system/mount.te

@@ -1,5 +1,5 @@
 
-policy_module(mount,1.3.5)
+policy_module(mount,1.3.6)
 
 ########################################
 #
@@ -35,9 +35,6 @@ files_tmp_filetrans(mount_t,mount_tmp_t,{ file dir })
 kernel_read_system_state(mount_t)
 kernel_dontaudit_getattr_core_if(mount_t)
 
-corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
-corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
-
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
 dev_rw_lvm_control(mount_t)
@@ -136,6 +133,8 @@ optional_policy(`
 	corenet_udp_bind_reserved_port(mount_t)
 	corenet_tcp_bind_all_rpc_ports(mount_t)
 	corenet_udp_bind_all_rpc_ports(mount_t)
+	corenet_dontaudit_tcp_bind_all_reserved_ports(mount_t)
+	corenet_dontaudit_udp_bind_all_reserved_ports(mount_t)
 	corenet_tcp_connect_all_ports(mount_t)
 
 	fs_search_rpc(mount_t)

refpolicy/policy/modules/system/userdomain.if

@@ -176,7 +176,6 @@ template(`base_user_template',`
 	corenet_udp_bind_all_nodes($1_t)
 	corenet_udp_bind_generic_port($1_t)
 	corenet_tcp_connect_all_ports($1_t)
-	corenet_sendrecv_generic_packets($1_t)
 	corenet_sendrecv_all_client_packets($1_t)
 
 	dev_read_input($1_t)

refpolicy/policy/modules/system/userdomain.te

@@ -1,5 +1,5 @@
 
-policy_module(userdomain,1.3.25)
+policy_module(userdomain,1.3.26)
 
 gen_require(`
 	role sysadm_r, staff_r, user_r;

refpolicy/policy/modules/system/xen.te

@@ -1,5 +1,5 @@
 
-policy_module(xen,1.0.4)
+policy_module(xen,1.0.5)
 
 ########################################
 #
@@ -113,12 +113,14 @@ corecmd_exec_sbin(xend_t)
 corecmd_exec_bin(xend_t)
 corecmd_exec_shell(xend_t)
 
+corenet_non_ipsec_sendrecv(xend_t)
 corenet_tcp_sendrecv_all_if(xend_t)
 corenet_tcp_sendrecv_all_nodes(xend_t)
 corenet_tcp_sendrecv_all_ports(xend_t)
-corenet_non_ipsec_sendrecv(xend_t)
 corenet_tcp_bind_xen_port(xend_t)
 corenet_tcp_bind_soundd_port(xend_t)
+corenet_sendrecv_xen_server_packets(xend_t)
+corenet_sendrecv_soundd_server_packets(xend_t)
 
 dev_read_urand(xend_t)
 dev_manage_xen(xend_t)

refpolicy/support/gennetfilter.py

@@ -11,7 +11,8 @@ import sys,string,getopt,re
 
 NETPORT = re.compile("^network_port\(\s*\w+\s*(\s*,\s*\w+\s*,\s*\w+\s*,\s*\w+\s*)+\s*\)\s*(#|$)")
 
-DEFAULT_PACKET = "packet_t"
+DEFAULT_INPUT_PACKET = "server_packet_t"
+DEFAULT_OUTPUT_PACKET = "client_packet_t"
 DEFAULT_MCS = "s0"
 DEFAULT_MLS = "s0"
 
@@ -42,7 +43,7 @@ class Packet:
 		self.ports = ports
 
 def print_input_rules(packets,mls,mcs):
-	line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET
+	line = "-A selinux_new_input -j SECMARK --selctx system_u:object_r:"+DEFAULT_INPUT_PACKET
 	if mls:
 		line += ":"+DEFAULT_MLS
 	elif mcs:
@@ -63,7 +64,7 @@ def print_input_rules(packets,mls,mcs):
 	print "-A selinux_new_input -j RETURN"
 
 def print_output_rules(packets,mls,mcs):
-	line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_PACKET
+	line = "-A selinux_new_output -j SECMARK --selctx system_u:object_r:"+DEFAULT_OUTPUT_PACKET
 	if mls:
 		line += ":"+DEFAULT_MLS
 	elif mcs: