From 412fc7e7fd34e36880bb206bd7182cb9a3ed5c14 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <pebenito@ieee.org>
Date: Wed, 24 May 2017 19:36:04 -0400
Subject: [PATCH] corenet/sysadm: Move lines.

---
 policy/modules/kernel/corenetwork.if.in | 144 ++++++++++++------------
 policy/modules/roles/sysadm.te          |   6 +-
 2 files changed, 75 insertions(+), 75 deletions(-)

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index ff3048de1..f56670d92 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -211,6 +211,60 @@ interface(`corenet_spd_type',`
 	typeattribute $1 ipsec_spd_type;
 ')
 
+########################################
+## <summary>
+##	Define type to be an infiniband pkey type
+## </summary>
+## <desc>
+##	<p>
+##	Define type to be an infiniband pkey type
+##	</p>
+##	<p>
+##	This is for supporting third party modules and its
+##	use is not allowed in upstream reference policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used for infiniband pkeys.
+##	</summary>
+## </param>
+#
+interface(`corenet_ib_pkey',`
+	gen_require(`
+		attribute ibpkey_type;
+	')
+
+	typeattribute $1 ibpkey_type;
+')
+
+########################################
+## <summary>
+##	Define type to be an infiniband endport
+## </summary>
+## <desc>
+##	<p>
+##	Define type to be an infiniband endport
+##	</p>
+##	<p>
+##	This is for supporting third party modules and its
+##	use is not allowed in upstream reference policy.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Type to be used for infiniband endports.
+##	</summary>
+## </param>
+#
+interface(`corenet_ib_endport',`
+	gen_require(`
+		attribute ibendport_type;
+	')
+
+	typeattribute $1 ibendport_type;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on generic interfaces.
@@ -3117,51 +3171,6 @@ interface(`corenet_relabelto_all_packets',`
 	allow $1 packet_type:packet relabelto;
 ')
 
-########################################
-## <summary>
-##	Unconfined access to network objects.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	The domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`corenet_unconfined',`
-	gen_require(`
-		attribute corenet_unconfined_type;
-	')
-
-	typeattribute $1 corenet_unconfined_type;
-')
-
-########################################
-## <summary>
-##	Define type to be an infiniband pkey type
-## </summary>
-## <desc>
-##	<p>
-##	Define type to be an infiniband pkey type
-##	</p>
-##	<p>
-##	This is for supporting third party modules and its
-##	use is not allowed in upstream reference policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Type to be used for infiniband pkeys.
-##	</summary>
-## </param>
-#
-interface(`corenet_ib_pkey',`
-	gen_require(`
-		attribute ibpkey_type;
-	')
-
-	typeattribute $1 ibpkey_type;
-')
-
 ########################################
 ## <summary>
 ##	Access unlabeled infiniband pkeys.
@@ -3194,33 +3203,6 @@ interface(`corenet_ib_access_all_pkeys',`
 	allow $1 ibpkey_type:infiniband_pkey access;
 ')
 
-########################################
-## <summary>
-##	Define type to be an infiniband endport
-## </summary>
-## <desc>
-##	<p>
-##	Define type to be an infiniband endport
-##	</p>
-##	<p>
-##	This is for supporting third party modules and its
-##	use is not allowed in upstream reference policy.
-##	</p>
-## </desc>
-## <param name="domain">
-##	<summary>
-##	Type to be used for infiniband endports.
-##	</summary>
-## </param>
-#
-interface(`corenet_ib_endport',`
-	gen_require(`
-		attribute ibendport_type;
-	')
-
-	typeattribute $1 ibendport_type;
-')
-
 ########################################
 ## <summary>
 ##	Manage subnets on all labeled Infiniband endports
@@ -3252,3 +3234,21 @@ interface(`corenet_ib_manage_subnet_all_endports',`
 interface(`corenet_ib_manage_subnet_unlabeled_endports',`
 	kernel_ib_manage_subnet_unlabeled_endports($1)
 ')
+
+########################################
+## <summary>
+##	Unconfined access to network objects.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	The domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`corenet_unconfined',`
+	gen_require(`
+		attribute corenet_unconfined_type;
+	')
+
+	typeattribute $1 corenet_unconfined_type;
+')
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 52b8e4504..24dfb51f1 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -27,6 +27,9 @@ ifndef(`enable_mls',`
 
 corecmd_exec_shell(sysadm_t)
 
+corenet_ib_access_unlabeled_pkeys(sysadm_t)
+corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
+
 dev_read_kmsg(sysadm_t)
 
 mls_process_read_all_levels(sysadm_t)
@@ -46,9 +49,6 @@ selinux_read_policy(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
 
-corenet_ib_access_unlabeled_pkeys(sysadm_t)
-corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
-
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
 		init_run_daemon(sysadm_t, sysadm_r)