initial addition of packet policy, allow unconfined to send unlabeled packets.

refpolicy/policy/modules/kernel/corenetwork.if.in

@@ -1218,22 +1218,6 @@ interface(`corenet_rw_ppp_dev',`
 	allow $1 ppp_device_t:chr_file rw_file_perms;
 ')
 
-########################################
-## <summary>
-##	Send and receive messages on a
-##	non-encrypted (no IPSEC) network
-##	session.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_non_ipsec_sendrecv',`
-	kernel_sendrecv_unlabeled_association($1)
-')
-
 ########################################
 ## <summary>
 ##	Bind TCP sockets to all RPC ports.
@@ -1308,6 +1292,43 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
 	dontaudit $1 rpc_port_type:udp_socket name_bind;
 ')
 
+########################################
+## <summary>
+##	Send and receive messages on a
+##	non-encrypted (no IPSEC) network
+##	session.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_non_ipsec_sendrecv',`
+	kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
+##	Send and receive unlabeled packets.
+## </summary>
+## <desc>
+##	<p>
+##	Send and receive unlabeled packets.
+##	These packets do not match any netfilter
+##	SECMARK rules.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_sendrecv_unlabeled_packets',`
+	kernel_sendrecv_unlabeled_packets($1)
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to network objects.

refpolicy/policy/modules/kernel/corenetwork.te.in

@@ -8,6 +8,7 @@ policy_module(corenetwork,1.1.8)
 
 attribute netif_type;
 attribute node_type;
+attribute packet_type;
 attribute port_type;
 attribute reserved_port_type;
 attribute rpc_port_type;
@@ -174,10 +175,9 @@ network_node(unspec, s0, ::, ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
 type netif_t, netif_type;
 sid netif gen_context(system_u:object_r:netif_t,s0 - s15:c0.c255)
 
-ifdef(`enable_mls', `
+ifdef(`enable_mls',`
 network_interface(lo, lo,s0 - s15:c0.c255)
 ')
-#network_interface(eth0, eth0,s0)
 
 ########################################
 #
@@ -186,6 +186,7 @@ network_interface(lo, lo,s0 - s15:c0.c255)
 
 allow corenet_unconfined_type node_type:node *;
 allow corenet_unconfined_type netif_type:netif *;
+allow corenet_unconfined_type packet_type:packet *;
 allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
 allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
 
@@ -194,3 +195,4 @@ allow corenet_unconfined_type port_type:{ tcp_socket udp_socket } name_bind;
 allow corenet_unconfined_type node_type:{ tcp_socket udp_socket } node_bind;
 
 corenet_non_ipsec_sendrecv(corenet_unconfined_type)
+corenet_sendrecv_unlabeled_packets(corenet_unconfined_type)

refpolicy/policy/modules/kernel/kernel.if

@@ -2049,6 +2049,36 @@ interface(`kernel_sendrecv_unlabeled_association',`
 	allow $1 unlabeled_t:association { sendto recvfrom };
 ')
 
+########################################
+## <summary>
+##	Send and receive unlabeled packets.
+## </summary>
+## <desc>
+##	<p>
+##	Send and receive unlabeled packets.
+##	These packets do not match any netfilter
+##	SECMARK rules.
+##	</p>
+##	<p>
+##	The corenetwork interface
+##	corenet_sendrecv_unlabeled_packets() should
+##	be used instead of this one.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_sendrecv_unlabeled_packets',`
+	gen_require(`
+		type unlabeled_t;
+	')
+
+	allow $1 unlabeled_t:packet { send recv };
+')
+
 ########################################
 ## <summary>
 ##	Unconfined access to kernel module resources.