Rearrange new hadoop/ipsec interfaces.

policy/modules/kernel/corenetwork.if.in

@@ -138,6 +138,25 @@ interface(`corenet_server_packet',`
 	typeattribute $1 server_packet_type, packet_type;
 ')
 
+########################################
+## <summary>
+##	Make the specified type usable
+##	for labeled ipsec.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used for labeled ipsec.
+##	</summary>
+## </param>
+#
+interface(`corenet_spd_type',`
+	gen_require(`
+		attribute ipsec_spd_type;
+	')
+
+	typeattribute $1 ipsec_spd_type;
+')
+
 ########################################
 ## <summary>
 ##	Send and receive TCP network traffic on generic interfaces.
@@ -2659,6 +2678,25 @@ interface(`corenet_all_recvfrom_labeled',`
 	corenet_raw_recvfrom_labeled($1,$2)
 ')
 
+########################################
+## <summary>
+##	Make the specified type usable
+##	for labeled ipsec.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used for labeled ipsec.
+##	</summary>
+## </param>
+#
+interface(`corenet_setcontext_all_spds',`
+	gen_require(`
+		attribute ipsec_spd_type;
+	')
+
+	allow $1 ipsec_spd_type:association setcontext;
+')
+
 ########################################
 ## <summary>
 ##	Send generic client packets.
@@ -3042,41 +3080,3 @@ interface(`corenet_unconfined',`
 
 	typeattribute $1 corenet_unconfined_type;
 ')
-
-########################################
-## <summary>
-##	Make the specified type usable
-##	for labeled ipsec.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Type to be used for labeled ipsec.
-##	</summary>
-## </param>
-#
-interface(`corenet_spd_type',`
-	gen_require(`
-		attribute ipsec_spd_type;
-	')
-
-	typeattribute $1 ipsec_spd_type;
-')
-
-########################################
-## <summary>
-##	Make the specified type usable
-##	for labeled ipsec.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Type to be used for labeled ipsec.
-##	</summary>
-## </param>
-#
-interface(`corenet_setcontext_all_spds',`
-	gen_require(`
-		attribute ipsec_spd_type;
-	')
-
-	allow $1 ipsec_spd_type:association setcontext;
-')

policy/modules/services/hadoop.if

@@ -253,6 +253,26 @@ interface(`hadoop_domtrans',`
 	domtrans_pattern($1, hadoop_exec_t, hadoop_t)
 ')
 
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recvfrom hadoop_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recvfrom
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_recvfrom',`
+	gen_require(`
+		type hadoop_t;
+	')
+
+	allow $1 hadoop_t:peer recv;
+')
+
 ########################################
 ## <summary>
 ##	Execute zookeeper client in the
@@ -273,6 +293,26 @@ interface(`hadoop_domtrans_zookeeper_client',`
 	domtrans_pattern($1, zookeeper_exec_t, zookeeper_t)
 ')
 
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recvfrom zookeeper_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recvfrom
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_recvfrom_zookeeper_client',`
+	gen_require(`
+		type zookeeper_t;
+	')
+
+	allow $1 zookeeper_t:peer recv;
+')
+
 ########################################
 ## <summary>
 ##	Execute zookeeper server in the
@@ -293,6 +333,26 @@ interface(`hadoop_domtrans_zookeeper_server',`
 	domtrans_pattern($1, zookeeper_server_exec_t, zookeeper_server_t)
 ')
 
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recvfrom zookeeper_server_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recvfrom
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_recvfrom_zookeeper_server',`
+	gen_require(`
+		type zookeeper_server_t;
+	')
+
+	allow $1 zookeeper_server_t:peer recv;
+')
+
 ########################################
 ## <summary>
 ##	Execute zookeeper server in the
@@ -312,6 +372,26 @@ interface(`hadoop_initrc_domtrans_zookeeper_server',`
 	init_labeled_script_domtrans($1, zookeeper_server_initrc_exec_t)
 ')
 
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recvfrom hadoop_datanode_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recvfrom
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_recvfrom_datanode',`
+	gen_require(`
+		type hadoop_datanode_t;
+	')
+
+	allow $1 hadoop_datanode_t:peer recv;
+')
+
 ########################################
 ## <summary>
 ##	Give permission to a domain to read
@@ -353,6 +433,26 @@ interface(`hadoop_exec_config',`
 	allow $1 hadoop_etc_t:file exec_file_perms;
 ')
 
+########################################
+## <summary>
+##	Give permission to a domain to
+##	recvfrom hadoop_jobtracker_t
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain needing recvfrom
+##	permission
+##	</summary>
+## </param>
+#
+interface(`hadoop_recvfrom_jobtracker',`
+	gen_require(`
+		type hadoop_jobtracker_t;
+	')
+
+	allow $1 hadoop_jobtracker_t:peer recv;
+')
+
 ########################################
 ## <summary>
 ##	Give permission to a domain to
@@ -373,26 +473,6 @@ interface(`hadoop_match_lan_spd',`
 	allow $1 hadoop_lan_t:association polmatch;
 ')
 
-########################################
-## <summary>
-##	Give permission to a domain to
-##	recvfrom hadoop_datanode_t
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain needing recvfrom
-##	permission
-##	</summary>
-## </param>
-#
-interface(`hadoop_recvfrom_datanode',`
-	gen_require(`
-		type hadoop_datanode_t;
-	')
-
-	allow $1 hadoop_datanode_t:peer recv;
-')
-
 ########################################
 ## <summary>
 ##	Give permission to a domain to
@@ -416,7 +496,7 @@ interface(`hadoop_recvfrom_namenode',`
 ########################################
 ## <summary>
 ##	Give permission to a domain to
-##	recvfrom hadoop_jobtracker_t
+##	recvfrom hadoop_secondarynamenode_t
 ## </summary>
 ## <param name="domain">
 ##	<summary>
@@ -425,12 +505,12 @@ interface(`hadoop_recvfrom_namenode',`
 ##	</summary>
 ## </param>
 #
-interface(`hadoop_recvfrom_jobtracker',`
+interface(`hadoop_recvfrom_secondarynamenode',`
 	gen_require(`
-		type hadoop_jobtracker_t;
+		type hadoop_secondarynamenode_t;
 	')
 
-	allow $1 hadoop_jobtracker_t:peer recv;
+	allow $1 hadoop_secondarynamenode_t:peer recv;
 ')
 
 ########################################
@@ -452,83 +532,3 @@ interface(`hadoop_recvfrom_tasktracker',`
 
 	allow $1 hadoop_tasktracker_t:peer recv;
 ')
-
-########################################
-## <summary>
-##	Give permission to a domain to
-##	recvfrom hadoop_secondarynamenode_t
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain needing recvfrom
-##	permission
-##	</summary>
-## </param>
-#
-interface(`hadoop_recvfrom_secondarynamenode',`
-	gen_require(`
-		type hadoop_secondarynamenode_t;
-	')
-
-	allow $1 hadoop_secondarynamenode_t:peer recv;
-')
-
-########################################
-## <summary>
-##	Give permission to a domain to
-##	recvfrom hadoop_t
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain needing recvfrom
-##	permission
-##	</summary>
-## </param>
-#
-interface(`hadoop_recvfrom',`
-	gen_require(`
-		type hadoop_t;
-	')
-
-	allow $1 hadoop_t:peer recv;
-')
-
-########################################
-## <summary>
-##	Give permission to a domain to
-##	recvfrom zookeeper_server_t
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain needing recvfrom
-##	permission
-##	</summary>
-## </param>
-#
-interface(`hadoop_recvfrom_zookeeper_server',`
-	gen_require(`
-		type zookeeper_server_t;
-	')
-
-	allow $1 zookeeper_server_t:peer recv;
-')
-
-########################################
-## <summary>
-##	Give permission to a domain to
-##	recvfrom zookeeper_t
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain needing recvfrom
-##	permission
-##	</summary>
-## </param>
-#
-interface(`hadoop_recvfrom_zookeeper_client',`
-	gen_require(`
-		type zookeeper_t;
-	')
-
-	allow $1 zookeeper_t:peer recv;
-')