authorJason Zaman <jason@perfinion.com>2019-03-25 18:03:18 +0800
committerJason Zaman <jason@perfinion.com>2019-03-25 18:05:25 +0800
commit0d797afccb4ad5dd993c25bf217303343127901d (patch)
treee4c00769ae0ead9e33ebbb4eb0fe14ba4a922c96 /policy
parentMerge upstream (diff)
corenetwork: regenerate for query scripts
Signed-off-by: Jason Zaman <jason@perfinion.com>
Diffstat (limited to 'policy')
-rw-r--r--policy/modules/kernel/corenetwork.if646
-rw-r--r--policy/modules/kernel/corenetwork.te26
2 files changed, 556 insertions, 116 deletions
diff --git a/policy/modules/kernel/corenetwork.if b/policy/modules/kernel/corenetwork.if
index d7473484..e6fbf90f 100644
--- a/policy/modules/kernel/corenetwork.if
+++ b/policy/modules/kernel/corenetwork.if
@@ -217,6 +217,60 @@ interface(`corenet_spd_type',`
########################################
## <summary>
+## Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband pkey type
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband pkeys.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_pkey',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+## Define type to be an infiniband endport
+## </summary>
+## <desc>
+## <p>
+## Define type to be an infiniband endport
+## </p>
+## <p>
+## This is for supporting third party modules and its
+## use is not allowed in upstream reference policy.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Type to be used for infiniband endports.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_endport',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ typeattribute $1 ibendport_type;
+')
+
+########################################
+## <summary>
## Send and receive TCP network traffic on generic interfaces.
## </summary>
## <desc>
@@ -586,6 +640,24 @@ interface(`corenet_raw_send_all_if',`
########################################
## <summary>
+## Send and receive SCTP network traffic on generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:node { sendto recvfrom };
+')
+
+########################################
+## <summary>
## Receive raw IP packets on all interfaces.
## </summary>
## <param name="domain">
@@ -793,6 +865,24 @@ interface(`corenet_raw_sendrecv_generic_node',`
########################################
## <summary>
+## Bind SCTP sockets to generic nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_node',`
+ gen_require(`
+ type node_t;
+ ')
+
+ allow $1 node_t:sctp_socket node_bind;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to generic nodes.
## </summary>
## <desc>
@@ -987,6 +1077,24 @@ interface(`corenet_dontaudit_udp_send_all_nodes',`
########################################
## <summary>
+## Send and receive SCTP network traffic on all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_sendrecv_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:node { sendto recvfrom };
+')
+
+########################################
+## <summary>
## Receive UDP network traffic on all nodes.
## </summary>
## <param name="domain">
@@ -1179,6 +1287,25 @@ interface(`corenet_tcp_sendrecv_generic_port',`
########################################
## <summary>
+## Bind SCTP sockets to all nodes.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_nodes',`
+ gen_require(`
+ attribute node_type;
+ ')
+
+ allow $1 node_type:sctp_socket node_bind;
+')
+
+
+########################################
+## <summary>
## Do not audit send and receive TCP network traffic on generic ports.
## </summary>
## <param name="domain">
@@ -1386,6 +1513,26 @@ interface(`corenet_udp_send_all_ports',`
########################################
## <summary>
+## Bind SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_generic_port',`
+ gen_require(`
+ type port_t, unreserved_port_t, ephemeral_port_t;
+ attribute defined_port_type;
+ ')
+
+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+ dontaudit $1 defined_port_type:sctp_socket name_bind;
+')
+
+########################################
+## <summary>
## Receive UDP network traffic on all ports.
## </summary>
## <param name="domain">
@@ -1443,6 +1590,25 @@ interface(`corenet_udp_sendrecv_all_ports',`
########################################
## <summary>
+## Do not audit attempts to bind SCTP
+## sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_generic_port',`
+ gen_require(`
+ type port_t, unreserved_port_t, ephemeral_port_t;
+ ')
+
+ dontaudit $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_bind;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to all ports.
## </summary>
## <param name="domain">
@@ -1499,6 +1665,24 @@ interface(`corenet_udp_bind_all_ports',`
########################################
## <summary>
+## Connect SCTP sockets to generic ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_generic_port',`
+ gen_require(`
+ type port_t, unreserved_port_t,ephemeral_port_t;
+ ')
+
+ allow $1 { port_t unreserved_port_t ephemeral_port_t }:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
## Do not audit attepts to bind UDP sockets to any ports.
## </summary>
## <param name="domain">
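Review bot: The require block of corenet_sctp_connect_generic_port reads `type port_t, unreserved_port_t,ephemeral_port_t;`, with the space after the second comma missing. The policy compiler accepts it, but the sibling interfaces in this series that require the same three types (corenet_sctp_bind_generic_port, corenet_dontaudit_sctp_bind_generic_port) all write `type port_t, unreserved_port_t, ephemeral_port_t;`, so this line should be normalised to match. If corenetwork.if is regenerated from a template, as the commit title suggests, the fix belongs in that template rather than in this file.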
@@ -1670,6 +1854,25 @@ interface(`corenet_tcp_bind_reserved_port',`
########################################
## <summary>
+## Bind SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:sctp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
## Bind UDP sockets to generic reserved ports.
## </summary>
## <param name="domain">
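Review bot: corenet_sctp_bind_all_ports also emits `allow $1 self:capability net_bind_service;`, but its summary only says "Bind SCTP sockets to all ports", so a caller cannot tell from the documentation that the interface hands out a capability that is neither SCTP-specific nor tied to port labels. The same undocumented capability grant appears in corenet_sctp_bind_reserved_port and corenet_sctp_bind_all_reserved_ports later in this commit. Add a `<desc>` paragraph to each, e.g. `This interface also grants the net_bind_service capability, which is required to bind privileged ports and is not specific to SCTP sockets.`, and point callers that only need unprivileged ports at corenet_sctp_bind_all_unreserved_ports, which grants no capability.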
@@ -1707,6 +1910,24 @@ interface(`corenet_tcp_connect_reserved_port',`
########################################
## <summary>
+## Do not audit attempts to bind SCTP sockets to any ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_bind_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:sctp_socket name_bind;
+')
+
+########################################
+## <summary>
## Send and receive TCP network traffic on all reserved ports.
## </summary>
## <param name="domain">
@@ -1776,6 +1997,24 @@ interface(`corenet_udp_sendrecv_all_reserved_ports',`
########################################
## <summary>
+## Connect SCTP sockets to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ allow $1 port_type:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to all reserved ports.
## </summary>
## <param name="domain">
@@ -1850,6 +2089,25 @@ interface(`corenet_dontaudit_udp_bind_all_reserved_ports',`
########################################
## <summary>
+## Do not audit attempts to connect SCTP sockets
+## to all ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_ports',`
+ gen_require(`
+ attribute port_type;
+ ')
+
+ dontaudit $1 port_type:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
## Bind TCP sockets to all ports > 1024.
## </summary>
## <param name="domain">
@@ -1904,6 +2162,24 @@ interface(`corenet_tcp_connect_all_reserved_ports',`
########################################
## <summary>
+## Connect SCTP sockets to all ports > 1024.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
## Do not audit connect attempts to TCP sockets on
## ports greater than 1024.
## </summary>
@@ -1997,6 +2273,63 @@ interface(`corenet_dontaudit_tcp_connect_all_rpc_ports',`
########################################
## <summary>
+## Bind SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_bind_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:sctp_socket name_bind;
+ allow $1 self:capability net_bind_service;
+')
+
+########################################
+## <summary>
+## Read the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain read allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_read_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tun_tap_device_t:chr_file read_chr_file_perms;
+')
+
+########################################
+## <summary>
+## Write the TUN/TAP virtual network device.
+## </summary>
+## <param name="domain">
+## <summary>
+## The domain allowed write access.
+## </summary>
+## </param>
+#
+interface(`corenet_write_tun_tap_dev',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_list_all_dev_nodes($1)
+ allow $1 tun_tap_device_t:chr_file write_chr_file_perms;
+')
+
+########################################
+## <summary>
## Read and write the TUN/TAP virtual network device.
## </summary>
## <param name="domain">
@@ -2016,6 +2349,24 @@ interface(`corenet_rw_tun_tap_dev',`
########################################
## <summary>
+## Connect SCTP sockets to generic reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_connect_reserved_port',`
+ gen_require(`
+ type reserved_port_t;
+ ')
+
+ allow $1 reserved_port_t:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or write the TUN/TAP
## virtual network device.
## </summary>
@@ -2146,73 +2497,21 @@ interface(`corenet_dontaudit_udp_bind_all_rpc_ports',`
########################################
## <summary>
-## Send and receive messages on a
-## non-encrypted (no IPSEC) network
-## session.
+## Bind SCTP sockets to all reserved ports.
## </summary>
-## <desc>
-## <p>
-## Send and receive messages on a
-## non-encrypted (no IPSEC) network
-## session. (Deprecated)
-## </p>
-## <p>
-## The corenet_all_recvfrom_unlabeled() interface should be used instead
-## of this one.
-## </p>
-## </desc>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
-interface(`corenet_non_ipsec_sendrecv',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_all_recvfrom_unlabeled() instead.')
- corenet_all_recvfrom_unlabeled($1)
-')
-
-########################################
-## <summary>
-## Do not audit attempts to send and receive
-## messages on a non-encrypted (no IPSEC) network
-## session.
-## </summary>
-## <desc>
-## <p>
-## Do not audit attempts to send and receive
-## messages on a non-encrypted (no IPSEC) network
-## session.
-## </p>
-## <p>
-## The corenet_dontaudit_all_recvfrom_unlabeled() interface should be
-## used instead of this one.
-## </p>
-## </desc>
-## <param name="domain">
-## <summary>
-## Domain to not audit.
-## </summary>
-## </param>
-#
-interface(`corenet_dontaudit_non_ipsec_sendrecv',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_all_recvfrom_unlabeled() instead.')
- corenet_dontaudit_all_recvfrom_unlabeled($1)
-')
+interface(`corenet_sctp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
-########################################
-## <summary>
-## Receive TCP packets from a NetLabel connection.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
-interface(`corenet_tcp_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_tcp_recvfrom_netlabel() instead.')
- corenet_tcp_recvfrom_netlabel($1)
+ allow $1 reserved_port_type:sctp_socket name_bind;
+ allow $1 self:capability net_bind_service;
')
########################################
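Review bot: corenet_non_ipsec_sendrecv, corenet_dontaudit_non_ipsec_sendrecv and corenet_tcp_recv_netlabel are deleted outright rather than left as refpolicywarn() forwarding stubs, so any local or third-party module that still calls them will now fail at policy build time with an undefined macro instead of the deprecation warning the old bodies emitted. The later hunks that drop corenet_udp_recv_netlabel, corenet_dontaudit_udp_recv_netlabel, corenet_raw_recv_netlabel and corenet_dontaudit_raw_recv_netlabel have the same effect. If this tracks an upstream removal the deletion is expected, but the commit message should list the interfaces that disappeared so downstream policy authors can grep their modules for them before rebuilding.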
@@ -2256,8 +2555,7 @@ interface(`corenet_tcp_recvfrom_unlabeled',`
########################################
## <summary>
-## Do not audit attempts to receive TCP packets from a NetLabel
-## connection.
+## Do not audit attempts to bind SCTP sockets to all reserved ports.
## </summary>
## <param name="domain">
## <summary>
@@ -2265,9 +2563,12 @@ interface(`corenet_tcp_recvfrom_unlabeled',`
## </summary>
## </param>
#
-interface(`corenet_dontaudit_tcp_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_tcp_recvfrom_netlabel() instead.')
- corenet_dontaudit_tcp_recvfrom_netlabel($1)
+interface(`corenet_dontaudit_sctp_bind_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:sctp_socket name_bind;
')
########################################
@@ -2321,21 +2622,6 @@ interface(`corenet_dontaudit_tcp_recvfrom_unlabeled',`
## </summary>
## </param>
#
-interface(`corenet_udp_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_udp_recvfrom_netlabel() instead.')
- corenet_udp_recvfrom_netlabel($1)
-')
-
-########################################
-## <summary>
-## Receive UDP packets from a NetLabel connection.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`corenet_udp_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
@@ -2367,18 +2653,20 @@ interface(`corenet_udp_recvfrom_unlabeled',`
########################################
## <summary>
-## Do not audit attempts to receive UDP packets from a NetLabel
-## connection.
+## Bind SCTP sockets to all ports > 1024.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`corenet_dontaudit_udp_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_udp_recvfrom_netlabel($1) instead.')
- corenet_dontaudit_udp_recvfrom_netlabel($1)
+interface(`corenet_sctp_bind_all_unreserved_ports',`
+ gen_require(`
+ attribute unreserved_port_type;
+ ')
+
+ allow $1 unreserved_port_type:sctp_socket name_bind;
')
########################################
@@ -2432,21 +2720,6 @@ interface(`corenet_dontaudit_udp_recvfrom_unlabeled',`
## </summary>
## </param>
#
-interface(`corenet_raw_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_raw_recvfrom_netlabel() instead.')
- corenet_raw_recvfrom_netlabel($1)
-')
-
-########################################
-## <summary>
-## Receive Raw IP packets from a NetLabel connection.
-## </summary>
-## <param name="domain">
-## <summary>
-## Domain allowed access.
-## </summary>
-## </param>
-#
interface(`corenet_raw_recvfrom_netlabel',`
gen_require(`
type netlabel_peer_t;
@@ -2487,29 +2760,31 @@ interface(`corenet_raw_recvfrom_unlabeled',`
## </summary>
## </param>
#
-interface(`corenet_dontaudit_raw_recv_netlabel',`
- refpolicywarn(`$0($*) has been deprecated, use corenet_dontaudit_raw_recvfrom_netlabel() instead.')
- corenet_dontaudit_raw_recvfrom_netlabel($1)
+interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ dontaudit $1 netlabel_peer_t:peer recv;
+ dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
')
########################################
## <summary>
-## Do not audit attempts to receive Raw IP packets from a NetLabel
-## connection.
+## Connect SCTP sockets to reserved ports.
## </summary>
## <param name="domain">
## <summary>
-## Domain to not audit.
+## Domain allowed access.
## </summary>
## </param>
#
-interface(`corenet_dontaudit_raw_recvfrom_netlabel',`
+interface(`corenet_sctp_connect_all_reserved_ports',`
gen_require(`
- type netlabel_peer_t;
+ attribute reserved_port_type;
')
- dontaudit $1 netlabel_peer_t:peer recv;
- dontaudit $1 netlabel_peer_t:rawip_socket recvfrom;
+ allow $1 reserved_port_type:sctp_socket name_connect;
')
########################################
@@ -2621,6 +2896,25 @@ interface(`corenet_dontaudit_all_recvfrom_unlabeled',`
########################################
## <summary>
+## Do not audit attempts to connect SCTP sockets
+## all reserved ports.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`corenet_dontaudit_sctp_connect_all_reserved_ports',`
+ gen_require(`
+ attribute reserved_port_type;
+ ')
+
+ dontaudit $1 reserved_port_type:sctp_socket name_connect;
+')
+
+########################################
+## <summary>
## Do not audit attempts to receive packets from a NetLabel
## connection.
## </summary>
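Review bot: The summary of corenet_dontaudit_sctp_connect_all_reserved_ports reads `Do not audit attempts to connect SCTP sockets all reserved ports.`; the preposition is missing and it should be `Do not audit attempts to connect SCTP sockets to all reserved ports.`. The summary of corenet_sctp_recvfrom_unlabeled in a later hunk has a similar slip, `unlabled connection` for `unlabeled connection`. These summaries are what the interface documentation is built from, so the typos surface in the rendered reference.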
@@ -2750,6 +3044,7 @@ interface(`corenet_raw_recvfrom_labeled',`
## </param>
#
interface(`corenet_all_recvfrom_labeled',`
+ corenet_sctp_recvfrom_labeled($1, $2)
corenet_tcp_recvfrom_labeled($1, $2)
corenet_udp_recvfrom_labeled($1, $2)
corenet_raw_recvfrom_labeled($1, $2)
@@ -3022,6 +3317,24 @@ interface(`corenet_send_all_server_packets',`
########################################
## <summary>
+## Receive SCTP packets from a NetLabel connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_netlabel',`
+ gen_require(`
+ type netlabel_peer_t;
+ ')
+
+ allow $1 netlabel_peer_t:peer recv;
+')
+
+########################################
+## <summary>
## Receive all server packets.
## </summary>
## <param name="domain">
@@ -3073,6 +3386,27 @@ interface(`corenet_relabelto_all_server_packets',`
########################################
## <summary>
+## Receive SCTP packets from an unlabled connection.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_unlabeled',`
+ gen_require(`
+ attribute corenet_unlabeled_type;
+ ')
+
+ kernel_recvfrom_unlabeled_peer($1)
+
+ typeattribute $1 corenet_unlabeled_type;
+ kernel_sendrecv_unlabeled_association($1)
+')
+
+########################################
+## <summary>
## Send all packets.
## </summary>
## <param name="domain">
@@ -3142,6 +3476,98 @@ interface(`corenet_relabelto_all_packets',`
########################################
## <summary>
+## Access unlabeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_access_unlabeled_pkeys',`
+ kernel_ib_access_unlabeled_pkeys($1)
+')
+
+########################################
+## <summary>
+## Access all labeled infiniband pkeys.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_access_all_pkeys',`
+ gen_require(`
+ attribute ibpkey_type;
+ ')
+
+ allow $1 ibpkey_type:infiniband_pkey access;
+')
+
+########################################
+## <summary>
+## Manage subnets on all labeled Infiniband endports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_all_endports',`
+ gen_require(`
+ attribute ibendport_type;
+ ')
+
+ allow $1 ibendport_type:infiniband_endport manage_subnet;
+')
+
+########################################
+## <summary>
+## Manage subnet on all unlabeled Infiniband endports
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`corenet_ib_manage_subnet_unlabeled_endports',`
+ kernel_ib_manage_subnet_unlabeled_endports($1)
+')
+
+########################################
+## <summary>
+## Rules for receiving labeled SCTP packets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="peer_domain">
+## <summary>
+## Peer domain.
+## </summary>
+## </param>
+#
+interface(`corenet_sctp_recvfrom_labeled',`
+ allow { $1 $2 } self:association sendto;
+ allow $1 $2:association recvfrom;
+ allow $2 $1:association recvfrom;
+
+ allow $1 $2:peer recv;
+ allow $2 $1:peer recv;
+
+ # allow receiving packets from MLS-only peers using NetLabel
+ corenet_sctp_recvfrom_netlabel($1)
+ corenet_sctp_recvfrom_netlabel($2)
+')
+
+########################################
+## <summary>
## Unconfined access to network objects.
## </summary>
## <param name="domain">
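Review bot: corenet_sctp_recvfrom_labeled adds rules in both directions — `allow $2 $1:association recvfrom;` and `allow $2 $1:peer recv;` widen the peer domain's access to $1, and corenet_sctp_recvfrom_netlabel() is applied to both $1 and $2 — yet the parameter documentation describes $1 as `Domain allowed access.` and $2 merely as `Peer domain.`, which reads as one-directional. A caller passing an untrusted peer as $2 would not expect that domain to gain association and peer receive access to its own type. Add a `<desc>` paragraph stating the symmetry, e.g. `Rules are added in both directions: each of the two domains may receive labeled SCTP packets from the other, and both are allowed to receive from NetLabel peers.`, so the widening of the second argument is visible to callers.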
diff --git a/policy/modules/kernel/corenetwork.te b/policy/modules/kernel/corenetwork.te
index a7eb9045..707933c9 100644
--- a/policy/modules/kernel/corenetwork.te
+++ b/policy/modules/kernel/corenetwork.te
@@ -2,7 +2,7 @@
# This is a generated file! Instead of modifying this file, the
# corenetwork.te.in or corenetwork.te.m4 file should be modified.
#
-policy_module(corenetwork, 1.23.3)
+policy_module(corenetwork, 1.25.1)
########################################
#
@@ -20,6 +20,8 @@ attribute port_type;
attribute reserved_port_type;
attribute rpc_port_type;
attribute server_packet_type;
+attribute ibpkey_type;
+attribute ibendport_type;
# This is an optimization for { port_type -reserved_port_type }
attribute unreserved_port_type;
@@ -471,8 +473,10 @@ type dns_port_t, port_type, defined_port_type;
type dns_client_packet_t, packet_type, client_packet_type;
type dns_server_packet_t, packet_type, server_packet_type;
typeattribute dns_port_t reserved_port_type;
+typeattribute dns_port_t rpc_port_type;
portcon tcp 53 gen_context(system_u:object_r:dns_port_t,s0)
portcon udp 53 gen_context(system_u:object_r:dns_port_t,s0)
+portcon tcp 853 gen_context(system_u:object_r:dns_port_t,s0)
type dropbox_port_t, port_type, defined_port_type;
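Review bot: `typeattribute dns_port_t rpc_port_type;` adds the DNS port type to the rpc_port_type attribute, so every domain granted bind or connect access through the all-RPC-ports interfaces (corenet_tcp_connect_all_rpc_ports, corenet_udp_bind_all_rpc_ports and their siblings) now also reaches tcp/udp 53 and, via the new `portcon tcp 853` two lines below, DNS-over-TLS; that is a widening of those interfaces' reach that a commit titled "regenerate" does not call out. This file is generated (see the header), so if the widening is intended, a comment giving the reason DNS ports are treated as RPC ports belongs next to the corresponding line in corenetwork.te.in; if it is not intended, the typeattribute should be dropped there and the file regenerated.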
@@ -1969,9 +1973,12 @@ portcon tcp 8021 gen_context(system_u:object_r:zope_port_t,s0)
portcon udp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon tcp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
portcon tcp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
+portcon sctp 1024-65535 gen_context(system_u:object_r:unreserved_port_t, s0)
+portcon sctp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon udp 512-1023 gen_context(system_u:object_r:hi_reserved_port_t, s0)
portcon tcp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
portcon udp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
+portcon sctp 1-511 gen_context(system_u:object_r:reserved_port_t, s0)
########################################
#
@@ -2023,12 +2030,19 @@ typealias netif_t alias { lo_netif_t netif_lo_t };
# Unconfined access to this module
#
-allow corenet_unconfined_type node_type:node *;
-allow corenet_unconfined_type netif_type:netif *;
-allow corenet_unconfined_type packet_type:packet *;
+allow corenet_unconfined_type node_type:node { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send enforce_dest dccp_recv dccp_send recvfrom sendto };
+allow corenet_unconfined_type netif_type:netif { tcp_recv tcp_send udp_recv udp_send rawip_recv rawip_send dccp_recv dccp_send ingress egress };
+allow corenet_unconfined_type packet_type:packet { send recv relabelto flow_in flow_out forward_in forward_out };
allow corenet_unconfined_type port_type:tcp_socket { send_msg recv_msg name_connect };
+allow corenet_unconfined_type port_type:sctp_socket { send_msg recv_msg name_connect };
allow corenet_unconfined_type port_type:udp_socket { send_msg recv_msg };
# Bind to any network address.
-allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket } name_bind;
-allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket } node_bind;
+allow corenet_unconfined_type port_type:{ tcp_socket udp_socket rawip_socket sctp_socket } name_bind;
+allow corenet_unconfined_type node_type:{ tcp_socket udp_socket rawip_socket sctp_socket } node_bind;
+
+# Infiniband
+corenet_ib_access_all_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_all_endports(corenet_unconfined_type)
+corenet_ib_access_unlabeled_pkeys(corenet_unconfined_type)
+corenet_ib_manage_subnet_unlabeled_endports(corenet_unconfined_type)