From ec280b320937c0ac993effd239561bb160268835 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 22 Aug 2011 12:49:25 -0400
Subject: [PATCH] Silence spurious udp_socket listen denials.

---
 Changelog                          | 1 +
 policy/modules/kernel/domain.te    | 8 ++++++++
 policy/modules/services/rpcbind.te | 4 ----
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/Changelog b/Changelog
index 5d2d0daca..50c6f3f3b 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Silence spurious udp_socket listen denials.
 - Fix unexpanded MLS/MCS fields in monolithic seusers file.
 - Type transition fix in Postgresql database objects from KaiGai Kohei.
 - Support for file context path substitutions (file_contexts.subs).
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 53352fd26..f00fca4bb 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -104,6 +104,14 @@ term_use_controlling_term(domain)
 # list the root directory
 files_list_root(domain)
 
+ifdef(`hide_broken_symptoms',`
+	# This check is in the general socket
+	# listen code, before protocol-specific
+	# listen function is called, so bad calls
+	# to listen on UDP sockets should be silenced
+	dontaudit domain self:udp_socket listen;
+')
+
 tunable_policy(`global_ssp',`
 	# enable reading of urandom for all domains:
 	# this should be enabled when all programs
diff --git a/policy/modules/services/rpcbind.te b/policy/modules/services/rpcbind.te
index d6d76e141..a63e9eee9 100644
--- a/policy/modules/services/rpcbind.te
+++ b/policy/modules/services/rpcbind.te
@@ -67,7 +67,3 @@ logging_send_syslog_msg(rpcbind_t)
 miscfiles_read_localization(rpcbind_t)
 
 sysnet_dns_name_resolve(rpcbind_t)
-
-ifdef(`hide_broken_symptoms',`
-	dontaudit rpcbind_t self:udp_socket listen;
-')
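Review bot: The new dontaudit in the domain.te hunk now covers every type carrying the `domain` attribute rather than only rpcbind_t, so the comment above it should state why widening it costs nothing in enforcement: the audit record is suppressed, but no access is granted, because the operation cannot succeed anyway. The comment says the permission check runs before the protocol-specific listen function, but it stops short of saying that the UDP listen handler itself rejects the call (as far as I know it fails with EOPNOTSUPP regardless of policy; worth confirming against the kernel source being targeted). I would extend the comment with `# listen() on a UDP socket is rejected by the kernel itself, so this rule only suppresses the AVC record and grants no access.` Since the rule sits inside `hide_broken_symptoms`, it may also be worth noting in the same comment that builds without that option will continue to log these denials, so an auditor seeing them on such a build should not read them as a policy gap.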