Silence spurious udp_socket listen denials.

Changelog

@@ -1,3 +1,4 @@
+- Silence spurious udp_socket listen denials.
 - Fix unexpanded MLS/MCS fields in monolithic seusers file.
 - Type transition fix in Postgresql database objects from KaiGai Kohei.
 - Support for file context path substitutions (file_contexts.subs).

policy/modules/kernel/domain.te

@@ -104,6 +104,14 @@ term_use_controlling_term(domain)
 # list the root directory
 files_list_root(domain)
 
+ifdef(`hide_broken_symptoms',`
+	# This check is in the general socket
+	# listen code, before protocol-specific
+	# listen function is called, so bad calls
+	# to listen on UDP sockets should be silenced
+	dontaudit domain self:udp_socket listen;
+')
+
 tunable_policy(`global_ssp',`
 	# enable reading of urandom for all domains:
 	# this should be enabled when all programs

policy/modules/services/rpcbind.te

@@ -67,7 +67,3 @@ logging_send_syslog_msg(rpcbind_t)
 miscfiles_read_localization(rpcbind_t)
 
 sysnet_dns_name_resolve(rpcbind_t)
-
-ifdef(`hide_broken_symptoms',`
-	dontaudit rpcbind_t self:udp_socket listen;
-')