From a56055e362347f6391b8c3e70b1540c71724bc30 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 14 Nov 2007 13:40:25 +0000
Subject: [PATCH] trunk: rearrange the bottom of domain.if and fix domain_ipsec_labels().

---
 policy/modules/kernel/domain.if | 88 ++++++++++++++++++---------------
 policy/modules/kernel/domain.te | 2 +-
 2 files changed, 49 insertions(+), 41 deletions(-)

diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 069f6a3e..0b74810e 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -1229,6 +1229,54 @@ interface(`domain_entry_file_spec_domtrans',`
 domain_transition_pattern($1,entry_type,$2)
 ')
 
+########################################
+##
+## Ability to mmap a low area of the address space,
+## as configured by /proc/sys/kernel/mmap_min_addr.
+## Preventing such mappings helps protect against
+## exploiting null deref bugs in the kernel.
+##
+##
+##
+## Domain allowed to mmap low memory.
+##
+##
+#
+interface(`domain_mmap_low',`
+ gen_require(`
+ attribute mmap_low_domain_type;
+ ')
+
+ allow $1 self:memprotect mmap_zero;
+
+ typeattribute $1 mmap_low_domain_type;
+')
+
+########################################
+##
+## Allow specified type to receive labeled
+## networking packets from all domains, over
+## all protocols (TCP, UDP, etc)
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`domain_all_recvfrom_all_domains',`
+ gen_require(`
+ attribute domain;
+ ')
+
+ # IPSEC-based labeled networking
+ allow $1 domain:association recvfrom;
+
+ # Netlabel (CIPSO)-based labeled networking
+ # currently only supports MLS portion of label
+ corenet_all_recvfrom_netlabel($1)
+')
+
 ########################################
 ##
 ## Unconfined access to domains.
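Review bot: The doc comment above `domain_all_recvfrom_all_domains` does not say how wide the grant is: `allow $1 domain:association recvfrom;` names the `domain` attribute, so the caller accepts IPsec-labeled traffic from every process type, and the in-line comment notes that the NetLabel path currently supports only the MLS portion of the label. I would add two lines to the summary, `## This removes type-based peer separation for inbound labeled traffic;` and `## grant recvfrom on specific peer types instead where the peers are known.`, so policy writers do not reach for it by default. Separately, the later hunk deletes `domain_ipsec_labels` outright and the diffstat lists only domain.if and domain.te, so any caller maintained outside these two files would presumably stop building. A short deprecated wrapper that calls the new interface would avoid that, with the caveat that it would no longer grant `sendto`.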
@@ -1255,43 +1303,3 @@ interface(`domain_unconfined',`
 typeattribute $1 process_uncond_exempt;
 ')
 
-########################################
-##
-## Ability to mmap a low area of the address space,
-## as configured by /proc/sys/kernel/mmap_min_addr.
-## Preventing such mappings helps protect against
-## exploiting null deref bugs in the kernel.
-##
-##
-##
-## Domain allowed to mmap low memory.
-##
-##
-#
-interface(`domain_mmap_low',`
- gen_require(`
- attribute mmap_low_domain_type;
- ')
-
- allow $1 self:memprotect mmap_zero;
-
- typeattribute $1 mmap_low_domain_type;
-')
-
-########################################
-##
-## Allow specified type to associate ipsec packets from any domain
-##
-##
-##
-## Type of subject to be allowed this.
-##
-##
-#
-interface(`domain_ipsec_labels',`
- gen_require(`
- attribute domain;
- ')
-
- allow $1 domain:association { sendto recvfrom };
-')
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 3fa734c0..17231cd2 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -1,5 +1,5 @@
 
-policy_module(domain,1.4.2)
+policy_module(domain,1.4.3)
 
 ########################################
 #