Remove general unlabeled packet usage.

Back when the SECMARK implementation was new, the packet class was always
checked.  Because of that, unlabeled_t packet rules proliferated refpolicy
since the common case was to have no SECMARK rules.  Since then, the kernel
has been modified to only enforce the packet class if there are SECMARK
rules.  Remove the unlabeled_t packet rules, since users of SECMARK will
likely want no unlabeled_t packet rules, and the common case users will
have no impact since the packet class isn't enforced on their systems.

To have partial SECMARK confinement, the following rule applies:

allow { domain -type_i_want_to_constrain_t } unlabeled_t:packet { send recv };

It seems like over-allowing, but if you have no SECMARK rules, it's the equivalent of:

allow * unlabeled_t:packet { send recv };

Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
Chris PeBenito 2013-05-09 08:46:33 -04:00
parent 7f171849e5
commit 2b7b44d80e
2 changed files with 1 additions and 4 deletions


@ -2630,9 +2630,6 @@ interface(`kernel_sendrecv_unlabeled_association',`
')
allow $1 unlabeled_t:association { sendto recvfrom };
# temporary hack until labeling on packets is supported
allow $1 unlabeled_t:packet { send recv };
')
########################################
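Review bot: dropping `allow $1 unlabeled_t:packet { send recv };` (and its "temporary hack" comment) changes what `kernel_sendrecv_unlabeled_association` grants, so callers that do carry SECMARK rules lose the packet permission silently; consider stating in the interface's documentation block that it now covers only the association class and that SECMARK users must add the `unlabeled_t:packet { send recv }` rule from the commit message themselves. For systems without SECMARK rules the removal is behaviour-preserving, since the kernel does not enforce the packet class there.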


@ -1,4 +1,4 @@
policy_module(kernel, 1.17.0)
policy_module(kernel, 1.17.1)
########################################
#
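Review bot: the bump from `policy_module(kernel, 1.17.0)` to `1.17.1` is at the right granularity, since no interface signature changes and only a rule inside an existing interface is removed; keeping the version bump in the same commit as the rule change is correct.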