View paste CEFA

New paste Repaste Download

	`$ git diff`
	`diff --git a/src/misc/av/socketav.cil b/src/misc/av/socketav.cil`
	`index 651ba44..df75057 100644`
	`--- a/src/misc/av/socketav.cil`
	`+++ b/src/misc/av/socketav.cil`
	`@@ -654,13 +654,20 @@`
	`(vsock_socket (append bind connect getattr getopt ioctl`
	`setopt shutdown write)))`

	`+(classmap constrainnetlinksubject (nlmsg_read))`
	`(classmap constrainsocketobject (nameconnect nodebind))`
	`(classmap constrainsocketsubject`
	`- (append association attachqueue connectto create getattr read`
	`- relabelto sendto setattr write))`
	`+ (accept append association attachqueue connect connectto create getattr`
	`+ getopt listen read relabelfrom relabelto sendto setattr setopt`
	`+ shutdown write))`

	`(classmap sockets (common getattr))`

	`+(classmapping constrainnetlinksubject nlmsg_read (netlink_audit_socket (nlmsg_read)))`
	`+(classmapping constrainnetlinksubject nlmsg_read (netlink_route_socket (nlmsg_read)))`
	`+(classmapping constrainnetlinksubject nlmsg_read (netlink_tcpdiag_socket (nlmsg_read)))`
	`+(classmapping constrainnetlinksubject nlmsg_read (netlink_xfrm_socket (nlmsg_read)))`
	`+`
	`(classmapping constrainsocketobject nameconnect (dccp_socket (name_connect)))`
	`(classmapping constrainsocketobject nameconnect (sctp_socket (name_connect)))`
	`(classmapping constrainsocketobject nameconnect (tcp_socket (name_connect)))`
	`@@ -672,6 +679,69 @@`
	`(classmapping constrainsocketobject nodebind (tcp_socket (node_bind)))`
	`(classmapping constrainsocketobject nodebind (udp_socket (node_bind)))`

	`+(classmapping constrainsocketsubject accept (alg_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (appletalk_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (atmpvc_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (atmsvc_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (ax25_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (bluetooth_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (caif_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (can_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (dccp_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (decnet_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (icmp_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (ieee802154_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (ipx_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (irda_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (isdn_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (iucv_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (kcm_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (key_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (llc_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (mctp_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_audit_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_connector_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_crypto_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_dnrt_socket (accept)))`
	`+(classmapping constrainsocketsubject accept`
	`+ (netlink_fib_lookup_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_generic_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_iscsi_socket (accept)))`
	`+(classmapping constrainsocketsubject accept`
	`+ (netlink_kobject_uevent_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_netfilter_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_nflog_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_rdma_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_route_socket (accept)))`
	`+(classmapping constrainsocketsubject accept`
	`+ (netlink_scsitransport_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_selinux_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_tcpdiag_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netlink_xfrm_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (netrom_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (nfc_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (packet_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (phonet_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (pppox_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (qipcrtr_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (rawip_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (rds_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (rose_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (rxrpc_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (sctp_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (smc_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (socket (accept)))`
	`+(classmapping constrainsocketsubject accept (tcp_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (tipc_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (tun_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (udp_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (unix_dgram_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (unix_stream_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (vsock_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (x25_socket (accept)))`
	`+(classmapping constrainsocketsubject accept (xdp_socket (accept)))`
	`+`
	`(classmapping constrainsocketsubject append (alg_socket (append)))`
	`(classmapping constrainsocketsubject append (appletalk_socket (append)))`
	`(classmapping constrainsocketsubject append (atmpvc_socket (append)))`
	`@@ -807,6 +877,69 @@`
	`(classmapping constrainsocketsubject create (x25_socket (create)))`
	`(classmapping constrainsocketsubject create (xdp_socket (create)))`

	`+(classmapping constrainsocketsubject connect (alg_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (appletalk_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (atmpvc_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (atmsvc_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (ax25_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (bluetooth_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (caif_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (can_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (dccp_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (decnet_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (icmp_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (ieee802154_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (ipx_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (irda_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (isdn_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (iucv_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (kcm_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (key_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (llc_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (mctp_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_audit_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_connector_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_crypto_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_dnrt_socket (connect)))`
	`+(classmapping constrainsocketsubject connect`
	`+ (netlink_fib_lookup_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_generic_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_iscsi_socket (connect)))`
	`+(classmapping constrainsocketsubject connect`
	`+ (netlink_kobject_uevent_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_netfilter_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_nflog_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_rdma_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_route_socket (connect)))`
	`+(classmapping constrainsocketsubject connect`
	`+ (netlink_scsitransport_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_selinux_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_tcpdiag_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netlink_xfrm_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (netrom_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (nfc_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (packet_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (phonet_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (pppox_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (qipcrtr_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (rawip_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (rds_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (rose_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (rxrpc_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (sctp_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (smc_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (socket (connect)))`
	`+(classmapping constrainsocketsubject connect (tcp_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (tipc_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (tun_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (udp_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (unix_dgram_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (unix_stream_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (vsock_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (x25_socket (connect)))`
	`+(classmapping constrainsocketsubject connect (xdp_socket (connect)))`
	`+`
	`(classmapping constrainsocketsubject getattr (alg_socket (getattr)))`
	`(classmapping constrainsocketsubject getattr (appletalk_socket (getattr)))`
	`(classmapping constrainsocketsubject getattr (atmpvc_socket (getattr)))`
	`@@ -873,6 +1006,134 @@`
	`(classmapping constrainsocketsubject getattr (x25_socket (getattr)))`
	`(classmapping constrainsocketsubject getattr (xdp_socket (getattr)))`

	`+(classmapping constrainsocketsubject getopt (alg_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (appletalk_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (atmpvc_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (atmsvc_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (ax25_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (bluetooth_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (caif_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (can_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (dccp_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (decnet_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (icmp_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (ieee802154_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (ipx_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (irda_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (isdn_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (iucv_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (kcm_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (key_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (llc_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (mctp_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_audit_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt`
	`+ (netlink_connector_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_crypto_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_dnrt_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt`
	`+ (netlink_fib_lookup_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_generic_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_iscsi_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt`
	`+ (netlink_kobject_uevent_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt`
	`+ (netlink_netfilter_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_nflog_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_rdma_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_route_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt`
	`+ (netlink_scsitransport_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_selinux_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_tcpdiag_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netlink_xfrm_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (netrom_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (nfc_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (packet_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (phonet_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (pppox_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (qipcrtr_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (rawip_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (rds_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (rose_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (rxrpc_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (sctp_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (smc_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (tcp_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (tipc_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (tun_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (udp_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (unix_dgram_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (unix_stream_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (vsock_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (x25_socket (getopt)))`
	`+(classmapping constrainsocketsubject getopt (xdp_socket (getopt)))`
	`+`
	`+(classmapping constrainsocketsubject listen (alg_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (appletalk_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (atmpvc_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (atmsvc_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (ax25_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (bluetooth_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (caif_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (can_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (dccp_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (decnet_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (icmp_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (ieee802154_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (ipx_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (irda_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (isdn_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (iucv_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (kcm_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (key_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (llc_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (mctp_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_audit_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_connector_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_crypto_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_dnrt_socket (listen)))`
	`+(classmapping constrainsocketsubject listen`
	`+ (netlink_fib_lookup_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_generic_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_iscsi_socket (listen)))`
	`+(classmapping constrainsocketsubject listen`
	`+ (netlink_kobject_uevent_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_netfilter_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_nflog_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_rdma_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_route_socket (listen)))`
	`+(classmapping constrainsocketsubject listen`
	`+ (netlink_scsitransport_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_selinux_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_tcpdiag_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netlink_xfrm_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (netrom_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (nfc_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (packet_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (phonet_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (pppox_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (qipcrtr_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (rawip_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (rds_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (rose_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (rxrpc_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (sctp_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (smc_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (socket (listen)))`
	`+(classmapping constrainsocketsubject listen (tcp_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (tipc_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (tun_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (udp_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (unix_dgram_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (unix_stream_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (vsock_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (x25_socket (listen)))`
	`+(classmapping constrainsocketsubject listen (xdp_socket (listen)))`
	`+`
	`(classmapping constrainsocketsubject read (alg_socket (read)))`
	`(classmapping constrainsocketsubject read (appletalk_socket (read)))`
	`(classmapping constrainsocketsubject read (atmpvc_socket (read)))`
	`@@ -934,6 +1195,82 @@`
	`(classmapping constrainsocketsubject read (x25_socket (read)))`
	`(classmapping constrainsocketsubject read (xdp_socket (read)))`

	`+(classmapping constrainsocketsubject relabelfrom (alg_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (appletalk_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (atmpvc_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (atmsvc_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (ax25_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (bluetooth_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (caif_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (can_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (dccp_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (decnet_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (icmp_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (ieee802154_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (ipx_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (irda_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (isdn_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (iucv_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (kcm_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (key_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (llc_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (mctp_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_audit_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_connector_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_crypto_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_dnrt_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_fib_lookup_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_generic_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_iscsi_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_kobject_uevent_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_netfilter_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_nflog_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_rdma_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_route_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_scsitransport_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_selinux_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (netlink_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_tcpdiag_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom`
	`+ (netlink_xfrm_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (netrom_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (nfc_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (packet_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (phonet_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (pppox_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (qipcrtr_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (rawip_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (rds_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (rose_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (rxrpc_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (sctp_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (smc_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (tcp_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (tipc_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (tun_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (udp_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (unix_dgram_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (unix_stream_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (vsock_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (x25_socket (relabelfrom)))`
	`+(classmapping constrainsocketsubject relabelfrom (xdp_socket (relabelfrom)))`
	`+`
	`(classmapping constrainsocketsubject relabelto (alg_socket (relabelto)))`
	`(classmapping constrainsocketsubject relabelto (appletalk_socket (relabelto)))`
	`(classmapping constrainsocketsubject relabelto (atmpvc_socket (relabelto)))`
	`@@ -1077,6 +1414,132 @@`
	`(classmapping constrainsocketsubject setattr (x25_socket (setattr)))`
	`(classmapping constrainsocketsubject setattr (xdp_socket (setattr)))`

	`+(classmapping constrainsocketsubject setopt (alg_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (appletalk_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (atmpvc_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (atmsvc_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (ax25_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (bluetooth_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (caif_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (can_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (dccp_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (decnet_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (icmp_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (ieee802154_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (ipx_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (irda_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (isdn_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (iucv_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (kcm_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (key_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (llc_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (mctp_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_audit_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_connector_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_crypto_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_dnrt_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt`
	`+ (netlink_fib_lookup_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_generic_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_iscsi_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt`
	`+ (netlink_kobject_uevent_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_netfilter_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_nflog_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_rdma_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_route_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt`
	`+ (netlink_scsitransport_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_selinux_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_tcpdiag_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netlink_xfrm_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (netrom_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (nfc_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (packet_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (phonet_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (pppox_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (qipcrtr_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (rawip_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (rds_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (rose_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (rxrpc_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (sctp_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (smc_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (tcp_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (tipc_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (tun_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (udp_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (unix_dgram_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (unix_stream_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (vsock_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (x25_socket (setopt)))`
	`+(classmapping constrainsocketsubject setopt (xdp_socket (setopt)))`
	`+`
	`+(classmapping constrainsocketsubject shutdown (alg_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (appletalk_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (atmpvc_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (atmsvc_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (ax25_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (bluetooth_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (caif_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (can_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (dccp_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (decnet_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (icmp_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (ieee802154_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (ipx_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (irda_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (isdn_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (iucv_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (kcm_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (key_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (llc_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (mctp_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_audit_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_connector_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_crypto_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_dnrt_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown`
	`+ (netlink_fib_lookup_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_generic_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_iscsi_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown`
	`+ (netlink_kobject_uevent_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_netfilter_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_nflog_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_rdma_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_route_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown`
	`+ (netlink_scsitransport_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_selinux_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_tcpdiag_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netlink_xfrm_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (netrom_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (nfc_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (packet_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (phonet_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (pppox_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (qipcrtr_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (rawip_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (rds_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (rose_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (rxrpc_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (sctp_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (smc_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (tcp_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (tipc_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (tun_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (udp_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (unix_dgram_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (unix_stream_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (vsock_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (x25_socket (shutdown)))`
	`+(classmapping constrainsocketsubject shutdown (xdp_socket (shutdown)))`
	`+`
	`(classmapping constrainsocketsubject write (alg_socket (write)))`
	`(classmapping constrainsocketsubject write (appletalk_socket (write)))`
	`(classmapping constrainsocketsubject write (atmpvc_socket (write)))`
	`@@ -1512,6 +1975,130 @@`
	`(or (dom h1 h2)`
	`(neq t1 constrained.typeattr))))`

	`+(in mls`
	`+`
	`+ (mlsconstrain (constrainsocketsubject (accept connect))`
	`+ (or (or (eq l1 l2)`
	`+ (and (or (and (eq t1 netreadtoclr.typeattr)`
	`+ (dom h1 l2))`
	`+ (eq t1 netread.typeattr))`
	`+ (or (or (and (and (eq t1 netwriteranged.typeattr)`
	`+ (dom l1 l2))`
	`+ (domby l1 h2))`
	`+ (and (and (eq t1 netwritetoclr.typeattr)`
	`+ (dom h1 l2))`
	`+ (domby l1 l2)))`
	`+ (eq t1 netwrite.typeattr))))`
	`+ (eq t1 exempt.typeattr)))`
	`+`
	`+ (mlsconstrain (constrainsocketsubject (accept getattr getopt listen read))`
	`+ (or (or (or (dom l1 l2)`
	`+ (and (eq t1 netreadtoclr.typeattr)`
	`+ (dom h1 l2)))`
	`+ (eq t1 netread.typeattr))`
	`+ (eq t1 exempt.typeattr)))`
	`+`
	`+ (mlsconstrain (constrainnetlinksubject (nlmsg_read))`
	`+ (or (or (or (dom l1 l2)`
	`+ (and (eq t1 netreadtoclr.typeattr)`
	`+ (dom h1 l2)))`
	`+ (eq t1 netread.typeattr))`
	`+ (eq t1 exempt.typeattr)))`
	`+`
	`+ (mlsconstrain (constrainsocketsubject (connect relabelfrom relabelto setattr setopt shutdown write))`
	`+ (or (or (or (or (eq l1 l2)`
	`+ (and (and (eq t1 netwriteranged.typeattr)`
	`+ (dom l1 l2))`
	`+ (domby l1 h2)))`
	`+ (and (and (eq t1 netwritetoclr.typeattr)`
	`+ (dom h1 l2))`
	`+ (domby l1 l2)))`
	`+ (eq t1 netwrite.typeattr))`
	`+ (eq t1 exempt.typeattr)))`
	`+`
	`+ (mlsconstrain (tcp_socket (recvfrom))`
	`+ (or (or (or (eq l1 l2)`
	`+ (and (eq t1 netreadtoclr.typeattr)`
	`+ (dom h1 l2)))`
	`+ (eq t1 netread.typeattr))`
	`+ (eq t1 exempt.typeattr)))`
	`+`
	`+ (mlsconstrain (udp_socket (recvfrom))`
	`+ (or (or (or (eq l1 l2)`
	`+ (and (eq t1 netreadtoclr.typeattr)`
	`+ (dom h1 l2)))`
	`+ (eq t1 netread.typeattr))`
	`+ (eq t1 exempt.typeattr)))`
	`+`
	`+ (mlsconstrain (rawip_socket (recvfrom))`
	`+ (or (or (or (eq l1 l2)`
	`+ (and (eq t1 netreadtoclr.typeattr)`
	`+ (dom h1 l2)))`
	`+ (eq t1 netread.typeattr))`
	`+ (eq t1 exempt.typeattr)))`
	`+`
	`+ (mlsconstrain (sctp_socket (recvfrom))`
	`+ (or (or (or (eq l1 l2)`
	`+ (and (eq t1 netreadtoclr.typeattr)`
	`+ (dom h1 l2)))`
	`+ (eq t1 netread.typeattr))`
	`+ (eq t1 exempt.typeattr)))`
	`+`
	`+ (mlsconstrain (unix_stream_socket (connectto))`
	`+ (or (or (or (or (or (or (eq l1 l2)`
	`+ (and (and (eq t1 netwriteranged.typeattr)`
	`+ (dom l1 l2))`
	`+ (domby l1 h2)))`
	`+ (and (and (eq t1 netwritetoclr.typeattr)`
	`+ (dom h1 l2))`
	`+ (domby l1 l2)))`
	`+ (eq t1 netwrite.typeattr))`
	`+ (eq t2 trustedobject.typeattr))`
	`+ (eq t2 trustedsocket.typeattr))`
	`+ (eq t1 exempt.typeattr)))`
	`+`
	`+ (block netread`
	`+`
	`+ (macro type ((type ARG1))`
	`+ (typeattributeset typeattr ARG1))`
	`+`
	`+ (typeattribute typeattr))`
	`+`
	`+ (block netreadtoclr`
	`+`
	`+ (macro type ((type ARG1))`
	`+ (typeattributeset typeattr ARG1))`
	`+`
	`+ (typeattribute typeattr))`
	`+`
	`+ (block netwrite`
	`+`
	`+ (macro type ((type ARG1))`
	`+ (typeattributeset typeattr ARG1))`
	`+`
	`+ (typeattribute typeattr))`
	`+`
	`+ (block netwriteranged`
	`+`
	`+ (macro type ((type ARG1))`
	`+ (typeattributeset typeattr ARG1))`
	`+`
	`+ (typeattribute typeattr))`
	`+`
	`+ (block netwritetoclr`
	`+`
	`+ (macro type ((type ARG1))`
	`+ (typeattributeset typeattr ARG1))`
	`+`
	`+ (typeattribute typeattr))`
	`+`
	`+ (block trustedsocket`
	`+`
	`+ (macro type ((type ARG1))`
	`+ (typeattributeset typeattr ARG1))`
	`+`
	`+ (typeattribute typeattr)))`
	`+`
	`(in rbac`

	`(constrain (constrainsocketsubject (create relabelto))`

$ git diff
diff --git a/src/misc/av/socketav.cil b/src/misc/av/socketav.cil
index 651ba44..df75057 100644
--- a/src/misc/av/socketav.cil
+++ b/src/misc/av/socketav.cil
@@ -654,13 +654,20 @@
 		    (vsock_socket (append bind connect getattr getopt ioctl
 					  setopt shutdown write)))
 
+(classmap constrainnetlinksubject (nlmsg_read))
 (classmap constrainsocketobject (nameconnect nodebind))
 (classmap constrainsocketsubject
-	  (append association attachqueue connectto create getattr read
-		  relabelto sendto setattr write))
+	  (accept append association attachqueue connect connectto create getattr
+                  getopt listen read relabelfrom relabelto sendto setattr setopt
+                  shutdown write))
 
 (classmap sockets (common getattr))
 
+(classmapping constrainnetlinksubject nlmsg_read (netlink_audit_socket (nlmsg_read)))
+(classmapping constrainnetlinksubject nlmsg_read (netlink_route_socket (nlmsg_read)))
+(classmapping constrainnetlinksubject nlmsg_read (netlink_tcpdiag_socket (nlmsg_read)))
+(classmapping constrainnetlinksubject nlmsg_read (netlink_xfrm_socket (nlmsg_read)))
+
 (classmapping constrainsocketobject nameconnect (dccp_socket (name_connect)))
 (classmapping constrainsocketobject nameconnect (sctp_socket (name_connect)))
 (classmapping constrainsocketobject nameconnect (tcp_socket (name_connect)))
@@ -672,6 +679,69 @@
 (classmapping constrainsocketobject nodebind (tcp_socket (node_bind)))
 (classmapping constrainsocketobject nodebind (udp_socket (node_bind)))
 
+(classmapping constrainsocketsubject accept (alg_socket (accept)))
+(classmapping constrainsocketsubject accept (appletalk_socket (accept)))
+(classmapping constrainsocketsubject accept (atmpvc_socket (accept)))
+(classmapping constrainsocketsubject accept (atmsvc_socket (accept)))
+(classmapping constrainsocketsubject accept (ax25_socket (accept)))
+(classmapping constrainsocketsubject accept (bluetooth_socket (accept)))
+(classmapping constrainsocketsubject accept (caif_socket (accept)))
+(classmapping constrainsocketsubject accept (can_socket (accept)))
+(classmapping constrainsocketsubject accept (dccp_socket (accept)))
+(classmapping constrainsocketsubject accept (decnet_socket (accept)))
+(classmapping constrainsocketsubject accept (icmp_socket (accept)))
+(classmapping constrainsocketsubject accept (ieee802154_socket (accept)))
+(classmapping constrainsocketsubject accept (ipx_socket (accept)))
+(classmapping constrainsocketsubject accept (irda_socket (accept)))
+(classmapping constrainsocketsubject accept (isdn_socket (accept)))
+(classmapping constrainsocketsubject accept (iucv_socket (accept)))
+(classmapping constrainsocketsubject accept (kcm_socket (accept)))
+(classmapping constrainsocketsubject accept (key_socket (accept)))
+(classmapping constrainsocketsubject accept (llc_socket (accept)))
+(classmapping constrainsocketsubject accept (mctp_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_audit_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_connector_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_crypto_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_dnrt_socket (accept)))
+(classmapping constrainsocketsubject accept
+	      (netlink_fib_lookup_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_generic_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_iscsi_socket (accept)))
+(classmapping constrainsocketsubject accept
+	      (netlink_kobject_uevent_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_netfilter_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_nflog_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_rdma_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_route_socket (accept)))
+(classmapping constrainsocketsubject accept
+	      (netlink_scsitransport_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_selinux_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_tcpdiag_socket (accept)))
+(classmapping constrainsocketsubject accept (netlink_xfrm_socket (accept)))
+(classmapping constrainsocketsubject accept (netrom_socket (accept)))
+(classmapping constrainsocketsubject accept (nfc_socket (accept)))
+(classmapping constrainsocketsubject accept (packet_socket (accept)))
+(classmapping constrainsocketsubject accept (phonet_socket (accept)))
+(classmapping constrainsocketsubject accept (pppox_socket (accept)))
+(classmapping constrainsocketsubject accept (qipcrtr_socket (accept)))
+(classmapping constrainsocketsubject accept (rawip_socket (accept)))
+(classmapping constrainsocketsubject accept (rds_socket (accept)))
+(classmapping constrainsocketsubject accept (rose_socket (accept)))
+(classmapping constrainsocketsubject accept (rxrpc_socket (accept)))
+(classmapping constrainsocketsubject accept (sctp_socket (accept)))
+(classmapping constrainsocketsubject accept (smc_socket (accept)))
+(classmapping constrainsocketsubject accept (socket (accept)))
+(classmapping constrainsocketsubject accept (tcp_socket (accept)))
+(classmapping constrainsocketsubject accept (tipc_socket (accept)))
+(classmapping constrainsocketsubject accept (tun_socket (accept)))
+(classmapping constrainsocketsubject accept (udp_socket (accept)))
+(classmapping constrainsocketsubject accept (unix_dgram_socket (accept)))
+(classmapping constrainsocketsubject accept (unix_stream_socket (accept)))
+(classmapping constrainsocketsubject accept (vsock_socket (accept)))
+(classmapping constrainsocketsubject accept (x25_socket (accept)))
+(classmapping constrainsocketsubject accept (xdp_socket (accept)))
+
 (classmapping constrainsocketsubject append (alg_socket (append)))
 (classmapping constrainsocketsubject append (appletalk_socket (append)))
 (classmapping constrainsocketsubject append (atmpvc_socket (append)))
@@ -807,6 +877,69 @@
 (classmapping constrainsocketsubject create (x25_socket (create)))
 (classmapping constrainsocketsubject create (xdp_socket (create)))
 
+(classmapping constrainsocketsubject connect (alg_socket (connect)))
+(classmapping constrainsocketsubject connect (appletalk_socket (connect)))
+(classmapping constrainsocketsubject connect (atmpvc_socket (connect)))
+(classmapping constrainsocketsubject connect (atmsvc_socket (connect)))
+(classmapping constrainsocketsubject connect (ax25_socket (connect)))
+(classmapping constrainsocketsubject connect (bluetooth_socket (connect)))
+(classmapping constrainsocketsubject connect (caif_socket (connect)))
+(classmapping constrainsocketsubject connect (can_socket (connect)))
+(classmapping constrainsocketsubject connect (dccp_socket (connect)))
+(classmapping constrainsocketsubject connect (decnet_socket (connect)))
+(classmapping constrainsocketsubject connect (icmp_socket (connect)))
+(classmapping constrainsocketsubject connect (ieee802154_socket (connect)))
+(classmapping constrainsocketsubject connect (ipx_socket (connect)))
+(classmapping constrainsocketsubject connect (irda_socket (connect)))
+(classmapping constrainsocketsubject connect (isdn_socket (connect)))
+(classmapping constrainsocketsubject connect (iucv_socket (connect)))
+(classmapping constrainsocketsubject connect (kcm_socket (connect)))
+(classmapping constrainsocketsubject connect (key_socket (connect)))
+(classmapping constrainsocketsubject connect (llc_socket (connect)))
+(classmapping constrainsocketsubject connect (mctp_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_audit_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_connector_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_crypto_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_dnrt_socket (connect)))
+(classmapping constrainsocketsubject connect
+	      (netlink_fib_lookup_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_generic_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_iscsi_socket (connect)))
+(classmapping constrainsocketsubject connect
+	      (netlink_kobject_uevent_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_netfilter_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_nflog_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_rdma_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_route_socket (connect)))
+(classmapping constrainsocketsubject connect
+	      (netlink_scsitransport_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_selinux_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_tcpdiag_socket (connect)))
+(classmapping constrainsocketsubject connect (netlink_xfrm_socket (connect)))
+(classmapping constrainsocketsubject connect (netrom_socket (connect)))
+(classmapping constrainsocketsubject connect (nfc_socket (connect)))
+(classmapping constrainsocketsubject connect (packet_socket (connect)))
+(classmapping constrainsocketsubject connect (phonet_socket (connect)))
+(classmapping constrainsocketsubject connect (pppox_socket (connect)))
+(classmapping constrainsocketsubject connect (qipcrtr_socket (connect)))
+(classmapping constrainsocketsubject connect (rawip_socket (connect)))
+(classmapping constrainsocketsubject connect (rds_socket (connect)))
+(classmapping constrainsocketsubject connect (rose_socket (connect)))
+(classmapping constrainsocketsubject connect (rxrpc_socket (connect)))
+(classmapping constrainsocketsubject connect (sctp_socket (connect)))
+(classmapping constrainsocketsubject connect (smc_socket (connect)))
+(classmapping constrainsocketsubject connect (socket (connect)))
+(classmapping constrainsocketsubject connect (tcp_socket (connect)))
+(classmapping constrainsocketsubject connect (tipc_socket (connect)))
+(classmapping constrainsocketsubject connect (tun_socket (connect)))
+(classmapping constrainsocketsubject connect (udp_socket (connect)))
+(classmapping constrainsocketsubject connect (unix_dgram_socket (connect)))
+(classmapping constrainsocketsubject connect (unix_stream_socket (connect)))
+(classmapping constrainsocketsubject connect (vsock_socket (connect)))
+(classmapping constrainsocketsubject connect (x25_socket (connect)))
+(classmapping constrainsocketsubject connect (xdp_socket (connect)))
+
 (classmapping constrainsocketsubject getattr (alg_socket (getattr)))
 (classmapping constrainsocketsubject getattr (appletalk_socket (getattr)))
 (classmapping constrainsocketsubject getattr (atmpvc_socket (getattr)))
@@ -873,6 +1006,134 @@
 (classmapping constrainsocketsubject getattr (x25_socket (getattr)))
 (classmapping constrainsocketsubject getattr (xdp_socket (getattr)))
 
+(classmapping constrainsocketsubject getopt (alg_socket (getopt)))
+(classmapping constrainsocketsubject getopt (appletalk_socket (getopt)))
+(classmapping constrainsocketsubject getopt (atmpvc_socket (getopt)))
+(classmapping constrainsocketsubject getopt (atmsvc_socket (getopt)))
+(classmapping constrainsocketsubject getopt (ax25_socket (getopt)))
+(classmapping constrainsocketsubject getopt (bluetooth_socket (getopt)))
+(classmapping constrainsocketsubject getopt (caif_socket (getopt)))
+(classmapping constrainsocketsubject getopt (can_socket (getopt)))
+(classmapping constrainsocketsubject getopt (dccp_socket (getopt)))
+(classmapping constrainsocketsubject getopt (decnet_socket (getopt)))
+(classmapping constrainsocketsubject getopt (icmp_socket (getopt)))
+(classmapping constrainsocketsubject getopt (ieee802154_socket (getopt)))
+(classmapping constrainsocketsubject getopt (ipx_socket (getopt)))
+(classmapping constrainsocketsubject getopt (irda_socket (getopt)))
+(classmapping constrainsocketsubject getopt (isdn_socket (getopt)))
+(classmapping constrainsocketsubject getopt (iucv_socket (getopt)))
+(classmapping constrainsocketsubject getopt (kcm_socket (getopt)))
+(classmapping constrainsocketsubject getopt (key_socket (getopt)))
+(classmapping constrainsocketsubject getopt (llc_socket (getopt)))
+(classmapping constrainsocketsubject getopt (mctp_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_audit_socket (getopt)))
+(classmapping constrainsocketsubject getopt
+	      (netlink_connector_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_crypto_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_dnrt_socket (getopt)))
+(classmapping constrainsocketsubject getopt
+	      (netlink_fib_lookup_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_generic_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_iscsi_socket (getopt)))
+(classmapping constrainsocketsubject getopt
+	      (netlink_kobject_uevent_socket (getopt)))
+(classmapping constrainsocketsubject getopt
+	      (netlink_netfilter_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_nflog_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_rdma_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_route_socket (getopt)))
+(classmapping constrainsocketsubject getopt
+	      (netlink_scsitransport_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_selinux_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_tcpdiag_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netlink_xfrm_socket (getopt)))
+(classmapping constrainsocketsubject getopt (netrom_socket (getopt)))
+(classmapping constrainsocketsubject getopt (nfc_socket (getopt)))
+(classmapping constrainsocketsubject getopt (packet_socket (getopt)))
+(classmapping constrainsocketsubject getopt (phonet_socket (getopt)))
+(classmapping constrainsocketsubject getopt (pppox_socket (getopt)))
+(classmapping constrainsocketsubject getopt (qipcrtr_socket (getopt)))
+(classmapping constrainsocketsubject getopt (rawip_socket (getopt)))
+(classmapping constrainsocketsubject getopt (rds_socket (getopt)))
+(classmapping constrainsocketsubject getopt (rose_socket (getopt)))
+(classmapping constrainsocketsubject getopt (rxrpc_socket (getopt)))
+(classmapping constrainsocketsubject getopt (sctp_socket (getopt)))
+(classmapping constrainsocketsubject getopt (smc_socket (getopt)))
+(classmapping constrainsocketsubject getopt (socket (getopt)))
+(classmapping constrainsocketsubject getopt (tcp_socket (getopt)))
+(classmapping constrainsocketsubject getopt (tipc_socket (getopt)))
+(classmapping constrainsocketsubject getopt (tun_socket (getopt)))
+(classmapping constrainsocketsubject getopt (udp_socket (getopt)))
+(classmapping constrainsocketsubject getopt (unix_dgram_socket (getopt)))
+(classmapping constrainsocketsubject getopt (unix_stream_socket (getopt)))
+(classmapping constrainsocketsubject getopt (vsock_socket (getopt)))
+(classmapping constrainsocketsubject getopt (x25_socket (getopt)))
+(classmapping constrainsocketsubject getopt (xdp_socket (getopt)))
+
+(classmapping constrainsocketsubject listen (alg_socket (listen)))
+(classmapping constrainsocketsubject listen (appletalk_socket (listen)))
+(classmapping constrainsocketsubject listen (atmpvc_socket (listen)))
+(classmapping constrainsocketsubject listen (atmsvc_socket (listen)))
+(classmapping constrainsocketsubject listen (ax25_socket (listen)))
+(classmapping constrainsocketsubject listen (bluetooth_socket (listen)))
+(classmapping constrainsocketsubject listen (caif_socket (listen)))
+(classmapping constrainsocketsubject listen (can_socket (listen)))
+(classmapping constrainsocketsubject listen (dccp_socket (listen)))
+(classmapping constrainsocketsubject listen (decnet_socket (listen)))
+(classmapping constrainsocketsubject listen (icmp_socket (listen)))
+(classmapping constrainsocketsubject listen (ieee802154_socket (listen)))
+(classmapping constrainsocketsubject listen (ipx_socket (listen)))
+(classmapping constrainsocketsubject listen (irda_socket (listen)))
+(classmapping constrainsocketsubject listen (isdn_socket (listen)))
+(classmapping constrainsocketsubject listen (iucv_socket (listen)))
+(classmapping constrainsocketsubject listen (kcm_socket (listen)))
+(classmapping constrainsocketsubject listen (key_socket (listen)))
+(classmapping constrainsocketsubject listen (llc_socket (listen)))
+(classmapping constrainsocketsubject listen (mctp_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_audit_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_connector_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_crypto_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_dnrt_socket (listen)))
+(classmapping constrainsocketsubject listen
+	      (netlink_fib_lookup_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_generic_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_iscsi_socket (listen)))
+(classmapping constrainsocketsubject listen
+	      (netlink_kobject_uevent_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_netfilter_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_nflog_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_rdma_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_route_socket (listen)))
+(classmapping constrainsocketsubject listen
+	      (netlink_scsitransport_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_selinux_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_tcpdiag_socket (listen)))
+(classmapping constrainsocketsubject listen (netlink_xfrm_socket (listen)))
+(classmapping constrainsocketsubject listen (netrom_socket (listen)))
+(classmapping constrainsocketsubject listen (nfc_socket (listen)))
+(classmapping constrainsocketsubject listen (packet_socket (listen)))
+(classmapping constrainsocketsubject listen (phonet_socket (listen)))
+(classmapping constrainsocketsubject listen (pppox_socket (listen)))
+(classmapping constrainsocketsubject listen (qipcrtr_socket (listen)))
+(classmapping constrainsocketsubject listen (rawip_socket (listen)))
+(classmapping constrainsocketsubject listen (rds_socket (listen)))
+(classmapping constrainsocketsubject listen (rose_socket (listen)))
+(classmapping constrainsocketsubject listen (rxrpc_socket (listen)))
+(classmapping constrainsocketsubject listen (sctp_socket (listen)))
+(classmapping constrainsocketsubject listen (smc_socket (listen)))
+(classmapping constrainsocketsubject listen (socket (listen)))
+(classmapping constrainsocketsubject listen (tcp_socket (listen)))
+(classmapping constrainsocketsubject listen (tipc_socket (listen)))
+(classmapping constrainsocketsubject listen (tun_socket (listen)))
+(classmapping constrainsocketsubject listen (udp_socket (listen)))
+(classmapping constrainsocketsubject listen (unix_dgram_socket (listen)))
+(classmapping constrainsocketsubject listen (unix_stream_socket (listen)))
+(classmapping constrainsocketsubject listen (vsock_socket (listen)))
+(classmapping constrainsocketsubject listen (x25_socket (listen)))
+(classmapping constrainsocketsubject listen (xdp_socket (listen)))
+
 (classmapping constrainsocketsubject read (alg_socket (read)))
 (classmapping constrainsocketsubject read (appletalk_socket (read)))
 (classmapping constrainsocketsubject read (atmpvc_socket (read)))
@@ -934,6 +1195,82 @@
 (classmapping constrainsocketsubject read (x25_socket (read)))
 (classmapping constrainsocketsubject read (xdp_socket (read)))
 
+(classmapping constrainsocketsubject relabelfrom (alg_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (appletalk_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (atmpvc_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (atmsvc_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (ax25_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (bluetooth_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (caif_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (can_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (dccp_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (decnet_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (icmp_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (ieee802154_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (ipx_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (irda_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (isdn_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (iucv_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (kcm_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (key_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (llc_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (mctp_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_audit_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_connector_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_crypto_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_dnrt_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_fib_lookup_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_generic_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_iscsi_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_kobject_uevent_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_netfilter_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_nflog_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_rdma_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_route_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_scsitransport_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_selinux_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (netlink_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_tcpdiag_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom
+	      (netlink_xfrm_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (netrom_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (nfc_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (packet_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (phonet_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (pppox_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (qipcrtr_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (rawip_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (rds_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (rose_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (rxrpc_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (sctp_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (smc_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (tcp_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (tipc_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (tun_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (udp_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (unix_dgram_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (unix_stream_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (vsock_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (x25_socket (relabelfrom)))
+(classmapping constrainsocketsubject relabelfrom (xdp_socket (relabelfrom)))
+
 (classmapping constrainsocketsubject relabelto (alg_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto (appletalk_socket (relabelto)))
 (classmapping constrainsocketsubject relabelto (atmpvc_socket (relabelto)))
@@ -1077,6 +1414,132 @@
 (classmapping constrainsocketsubject setattr (x25_socket (setattr)))
 (classmapping constrainsocketsubject setattr (xdp_socket (setattr)))
 
+(classmapping constrainsocketsubject setopt (alg_socket (setopt)))
+(classmapping constrainsocketsubject setopt (appletalk_socket (setopt)))
+(classmapping constrainsocketsubject setopt (atmpvc_socket (setopt)))
+(classmapping constrainsocketsubject setopt (atmsvc_socket (setopt)))
+(classmapping constrainsocketsubject setopt (ax25_socket (setopt)))
+(classmapping constrainsocketsubject setopt (bluetooth_socket (setopt)))
+(classmapping constrainsocketsubject setopt (caif_socket (setopt)))
+(classmapping constrainsocketsubject setopt (can_socket (setopt)))
+(classmapping constrainsocketsubject setopt (dccp_socket (setopt)))
+(classmapping constrainsocketsubject setopt (decnet_socket (setopt)))
+(classmapping constrainsocketsubject setopt (icmp_socket (setopt)))
+(classmapping constrainsocketsubject setopt (ieee802154_socket (setopt)))
+(classmapping constrainsocketsubject setopt (ipx_socket (setopt)))
+(classmapping constrainsocketsubject setopt (irda_socket (setopt)))
+(classmapping constrainsocketsubject setopt (isdn_socket (setopt)))
+(classmapping constrainsocketsubject setopt (iucv_socket (setopt)))
+(classmapping constrainsocketsubject setopt (kcm_socket (setopt)))
+(classmapping constrainsocketsubject setopt (key_socket (setopt)))
+(classmapping constrainsocketsubject setopt (llc_socket (setopt)))
+(classmapping constrainsocketsubject setopt (mctp_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_audit_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_connector_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_crypto_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_dnrt_socket (setopt)))
+(classmapping constrainsocketsubject setopt
+	      (netlink_fib_lookup_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_generic_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_iscsi_socket (setopt)))
+(classmapping constrainsocketsubject setopt
+	      (netlink_kobject_uevent_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_netfilter_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_nflog_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_rdma_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_route_socket (setopt)))
+(classmapping constrainsocketsubject setopt
+	      (netlink_scsitransport_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_selinux_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_tcpdiag_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netlink_xfrm_socket (setopt)))
+(classmapping constrainsocketsubject setopt (netrom_socket (setopt)))
+(classmapping constrainsocketsubject setopt (nfc_socket (setopt)))
+(classmapping constrainsocketsubject setopt (packet_socket (setopt)))
+(classmapping constrainsocketsubject setopt (phonet_socket (setopt)))
+(classmapping constrainsocketsubject setopt (pppox_socket (setopt)))
+(classmapping constrainsocketsubject setopt (qipcrtr_socket (setopt)))
+(classmapping constrainsocketsubject setopt (rawip_socket (setopt)))
+(classmapping constrainsocketsubject setopt (rds_socket (setopt)))
+(classmapping constrainsocketsubject setopt (rose_socket (setopt)))
+(classmapping constrainsocketsubject setopt (rxrpc_socket (setopt)))
+(classmapping constrainsocketsubject setopt (sctp_socket (setopt)))
+(classmapping constrainsocketsubject setopt (smc_socket (setopt)))
+(classmapping constrainsocketsubject setopt (socket (setopt)))
+(classmapping constrainsocketsubject setopt (tcp_socket (setopt)))
+(classmapping constrainsocketsubject setopt (tipc_socket (setopt)))
+(classmapping constrainsocketsubject setopt (tun_socket (setopt)))
+(classmapping constrainsocketsubject setopt (udp_socket (setopt)))
+(classmapping constrainsocketsubject setopt (unix_dgram_socket (setopt)))
+(classmapping constrainsocketsubject setopt (unix_stream_socket (setopt)))
+(classmapping constrainsocketsubject setopt (vsock_socket (setopt)))
+(classmapping constrainsocketsubject setopt (x25_socket (setopt)))
+(classmapping constrainsocketsubject setopt (xdp_socket (setopt)))
+
+(classmapping constrainsocketsubject shutdown (alg_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (appletalk_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (atmpvc_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (atmsvc_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (ax25_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (bluetooth_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (caif_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (can_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (dccp_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (decnet_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (icmp_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (ieee802154_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (ipx_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (irda_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (isdn_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (iucv_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (kcm_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (key_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (llc_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (mctp_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_audit_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_connector_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_crypto_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_dnrt_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown
+	      (netlink_fib_lookup_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_generic_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_iscsi_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown
+	      (netlink_kobject_uevent_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_netfilter_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_nflog_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_rdma_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_route_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown
+	      (netlink_scsitransport_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_selinux_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_tcpdiag_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netlink_xfrm_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (netrom_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (nfc_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (packet_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (phonet_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (pppox_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (qipcrtr_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (rawip_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (rds_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (rose_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (rxrpc_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (sctp_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (smc_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (tcp_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (tipc_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (tun_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (udp_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (unix_dgram_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (unix_stream_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (vsock_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (x25_socket (shutdown)))
+(classmapping constrainsocketsubject shutdown (xdp_socket (shutdown)))
+
 (classmapping constrainsocketsubject write (alg_socket (write)))
 (classmapping constrainsocketsubject write (appletalk_socket (write)))
 (classmapping constrainsocketsubject write (atmpvc_socket (write)))
@@ -1512,6 +1975,130 @@
      (or (dom h1 h2)
 	 (neq t1 constrained.typeattr))))
 
+(in mls
+
+    (mlsconstrain (constrainsocketsubject (accept connect))
+                  (or (or (eq l1 l2)
+                          (and (or (and (eq t1 netreadtoclr.typeattr)
+                                        (dom h1 l2))
+                                   (eq t1 netread.typeattr))
+                               (or (or (and (and (eq t1 netwriteranged.typeattr)
+                                                 (dom l1 l2))
+                                            (domby l1 h2))
+                                       (and (and (eq t1 netwritetoclr.typeattr)
+                                                 (dom h1 l2))
+                                            (domby l1 l2)))
+                                   (eq t1 netwrite.typeattr))))
+                      (eq t1 exempt.typeattr)))
+
+    (mlsconstrain (constrainsocketsubject (accept getattr getopt listen read))
+                  (or (or (or (dom l1 l2)
+                              (and (eq t1 netreadtoclr.typeattr)
+                                   (dom h1 l2)))
+                          (eq t1 netread.typeattr))
+                      (eq t1 exempt.typeattr)))
+
+    (mlsconstrain (constrainnetlinksubject (nlmsg_read))
+                  (or (or (or (dom l1 l2)
+                              (and (eq t1 netreadtoclr.typeattr)
+                                   (dom h1 l2)))
+                          (eq t1 netread.typeattr))
+                      (eq t1 exempt.typeattr)))
+
+    (mlsconstrain (constrainsocketsubject (connect relabelfrom relabelto setattr setopt shutdown write))
+                  (or (or (or (or (eq l1 l2)
+                                  (and (and (eq t1 netwriteranged.typeattr)
+                                            (dom l1 l2))
+                                       (domby l1 h2)))
+                              (and (and (eq t1 netwritetoclr.typeattr)
+                                        (dom h1 l2))
+                                   (domby l1 l2)))
+                          (eq t1 netwrite.typeattr))
+                      (eq t1 exempt.typeattr)))
+
+    (mlsconstrain (tcp_socket (recvfrom))
+                  (or (or (or (eq l1 l2)
+                              (and (eq t1 netreadtoclr.typeattr)
+                                   (dom h1 l2)))
+                          (eq t1 netread.typeattr))
+                      (eq t1 exempt.typeattr)))
+
+    (mlsconstrain (udp_socket (recvfrom))
+                  (or (or (or (eq l1 l2)
+                              (and (eq t1 netreadtoclr.typeattr)
+                                   (dom h1 l2)))
+                          (eq t1 netread.typeattr))
+                      (eq t1 exempt.typeattr)))
+
+    (mlsconstrain (rawip_socket (recvfrom))
+                  (or (or (or (eq l1 l2)
+                              (and (eq t1 netreadtoclr.typeattr)
+                                   (dom h1 l2)))
+                          (eq t1 netread.typeattr))
+                      (eq t1 exempt.typeattr)))
+
+    (mlsconstrain (sctp_socket (recvfrom))
+                  (or (or (or (eq l1 l2)
+                              (and (eq t1 netreadtoclr.typeattr)
+                                   (dom h1 l2)))
+                          (eq t1 netread.typeattr))
+                      (eq t1 exempt.typeattr)))
+
+    (mlsconstrain (unix_stream_socket (connectto))
+                  (or (or (or (or (or (or (eq l1 l2)
+                                          (and (and (eq t1 netwriteranged.typeattr)
+                                                    (dom l1 l2))
+                                               (domby l1 h2)))
+                                      (and (and (eq t1 netwritetoclr.typeattr)
+                                                (dom h1 l2))
+                                           (domby l1 l2)))
+                                  (eq t1 netwrite.typeattr))
+                              (eq t2 trustedobject.typeattr))
+                          (eq t2 trustedsocket.typeattr))
+                      (eq t1 exempt.typeattr)))
+
+    (block netread
+
+      (macro type ((type ARG1))
+             (typeattributeset typeattr ARG1))
+
+      (typeattribute typeattr))
+
+    (block netreadtoclr
+
+      (macro type ((type ARG1))
+             (typeattributeset typeattr ARG1))
+
+      (typeattribute typeattr))
+
+    (block netwrite
+
+      (macro type ((type ARG1))
+             (typeattributeset typeattr ARG1))
+
+      (typeattribute typeattr))
+
+    (block netwriteranged
+
+      (macro type ((type ARG1))
+             (typeattributeset typeattr ARG1))
+
+      (typeattribute typeattr))
+
+    (block netwritetoclr
+
+      (macro type ((type ARG1))
+             (typeattributeset typeattr ARG1))
+
+      (typeattribute typeattr))
+
+    (block trustedsocket
+
+      (macro type ((type ARG1))
+             (typeattributeset typeattr ARG1))
+
+      (typeattribute typeattr)))
+
 (in rbac
 
     (constrain (constrainsocketsubject (create relabelto))

Filename: $ git diff;. Size: 39kb. View raw, , hex, or download this file.

This paste expires on 2025-04-05 15:31:59.488132. Pasted through v1-api.

Are you sure you'd like to remove this file?