trunk: add labeled networking support to unconfined.

policy/modules/kernel/domain.te

@@ -1,5 +1,5 @@
 
-policy_module(domain,1.4.3)
+policy_module(domain,1.4.4)
 
 ########################################
 #
@@ -145,3 +145,6 @@ allow unconfined_domain_type domain:lnk_file { read_lnk_file_perms ioctl lock };
 
 # act on all domains keys
 allow unconfined_domain_type domain:key *;
+
+# receive from all domains over labeled networking
+domain_all_recvfrom_all_domains(unconfined_domain_type)

policy/modules/system/ipsec.if

@@ -112,6 +112,24 @@ interface(`ipsec_manage_pid',`
 	manage_files_pattern($1,ipsec_var_run_t,ipsec_var_run_t)
 ')
 
+########################################
+## <summary>
+##      Allow to set an default security context of IPsec Policy.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ipsec_setcontext_default_spd',`
+	gen_require(`
+		type ipsec_spd_t;
+	')
+
+	allow $1 ipsec_spd_t:association setcontext;
+')
+
 ########################################
 ## <summary>
 ##	Execute racoon in the racoon domain.

policy/modules/system/ipsec.te

@@ -1,5 +1,5 @@
 
-policy_module(ipsec,1.4.2)
+policy_module(ipsec,1.4.3)
 
 ########################################
 #
@@ -297,8 +297,6 @@ allow racoon_t ipsec_key_file_t:dir list_dir_perms;
 read_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 read_lnk_files_pattern(racoon_t,ipsec_key_file_t,ipsec_key_file_t)
 
-allow racoon_t ipsec_spd_t:association setcontext;
-
 kernel_read_network_state(racoon_t)
 
 corenet_all_recvfrom_unlabeled(racoon_t)
@@ -315,6 +313,8 @@ files_read_etc_files(racoon_t)
 # allow racoon to use avc_has_perm to check context on proposed SA
 selinux_compute_access_vector(racoon_t)
 
+ipsec_setcontext_default_spd(racoon_t)
+
 libs_use_ld_so(racoon_t)
 libs_use_shared_libs(racoon_t)
 
@@ -338,9 +338,6 @@ allow setkey_t ipsec_conf_file_t:dir list_dir_perms;
 read_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
 read_lnk_files_pattern(setkey_t,ipsec_conf_file_t,ipsec_conf_file_t)
 
-# allow setkey to set the context for ipsec SAs and policy.
-allow setkey_t ipsec_spd_t:association setcontext;
-
 # allow setkey utility to set contexts on SA's and policy
 domain_ipsec_setcontext_all_domains(setkey_t)
 
@@ -348,6 +345,9 @@ files_read_etc_files(setkey_t)
 
 init_dontaudit_use_fds(setkey_t)
 
+# allow setkey to set the context for ipsec SAs and policy.
+ipsec_setcontext_default_spd(setkey_t)
+
 locallogin_use_fds(setkey_t)
 
 libs_use_ld_so(setkey_t)

policy/modules/system/unconfined.if

@@ -72,6 +72,10 @@ interface(`unconfined_domain_noaudit',`
 		dbus_system_bus_unconfined($1)
 	')
 
+	optional_policy(`
+		ipsec_setcontext_default_spd($1)
+	')
+
 	optional_policy(`
 		# this is to handle execmod on shared
 		# libs with text relocations

policy/modules/system/unconfined.te

@@ -1,5 +1,5 @@
 
-policy_module(unconfined,2.0.0)
+policy_module(unconfined,2.0.1)
 
 ########################################
 #