From patchwork Thu Oct 19 15:57:47 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Haines <richard_c_haines@btinternet.com>
X-Patchwork-Id: 10017989
Return-Path: <selinux-bounces@tycho.nsa.gov>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
	[172.30.200.125])
	by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id
	911CA600CC for <patchwork-selinux@patchwork.kernel.org>;
	Thu, 19 Oct 2017 17:35:30 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 784B327F95
	for <patchwork-selinux@patchwork.kernel.org>;
	Thu, 19 Oct 2017 17:35:30 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 6B39028174; Thu, 19 Oct 2017 17:35:30 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.1 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,T_DKIM_INVALID autolearn=ham version=3.3.1
Received: from UCOL19PA10.eemsg.mail.mil (ucol19pa10.eemsg.mail.mil
	[214.24.24.83])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 2D09927F95
	for <patchwork-selinux@patchwork.kernel.org>;
	Thu, 19 Oct 2017 17:35:28 +0000 (UTC)
X-IronPort-AV: E=Sophos;i="5.43,402,1503360000"; d="scan'208";a="359097518"
Received: from emsm-gh1-uea11.ncsc.mil ([214.29.60.3])
	by UCOL19PA10.eemsg.mail.mil with ESMTP/TLS/AES256-SHA;
	19 Oct 2017 17:34:50 +0000
X-IronPort-AV: E=Sophos;i="5.43,402,1503360000"; d="scan'208";a="4917312"
IronPort-PHdr: =?us-ascii?q?9a23=3AAdkNARM7hFH8y0VZ3o4l6mtUPXoX/o7sNwtQ0KIM?=
	=?us-ascii?q?zox0L/Tyo8bcNUDSrc9gkEXOFd2CrakV26yO6+jJYi8p2d65qncMcZhBBVcuqP?=
	=?us-ascii?q?49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6?=
	=?us-ascii?q?JvjvGo7Vks+7y/2+94fdbghMhzexe69+IAmrpgjNq8cahpdvJLwswRXTuHtIfO?=
	=?us-ascii?q?pWxWJsJV2Nmhv3+9m98p1+/SlOovwt78FPX7n0cKQ+VrxYES8pM3sp683xtBnM?=
	=?us-ascii?q?VhWA630BWWgLiBVIAgzF7BbnXpfttybxq+Rw1DWGMcDwULs7Vy6i76N2QxH2ji?=
	=?us-ascii?q?kJOSMy/GXOhsBtkK5XpRSsrAF9zYHJeoGYLPpwcL3Tc90ZQmRPQ95RWi5cDo6y?=
	=?us-ascii?q?cYQPFPEMMfpEo4Tnu1cDtweyCRWqCejyyjFInHj23agi3uo9EAHJwAwgEMgUsH?=
	=?us-ascii?q?vJsd77Nr0dUeGzzKbW1jXIcvRb2S386IfUchAuu+uMUq9ofsXN0UYvFxnKjlSW?=
	=?us-ascii?q?qYP7JDOYzf8Cs3Sa7+pmSeKglXQnqwdvrTiz3Msjlo7JhocMx13C6C53zoE1Jd?=
	=?us-ascii?q?iiR056Z96pCJRQtyCGN4t2X8MtWHtktzo9yr0Dv5OwYSsEyIw/yhLCZPGKfJKE?=
	=?us-ascii?q?7xL+WOqLPzt1i2xpdKiiixqq8kWty/fwWtS63VtFtCZIksfAumoQ2xHT7MWMV+?=
	=?us-ascii?q?Fz8V272TmV0gDe8uREIUcpmqXFM5Mh2bswloYLsUTEAy/2hF36jK+IeUUg/eil?=
	=?us-ascii?q?8/jnba/8pp+dKo90kRvyMrgum8OjAeQ4NRICX26H9uSnyLLv50j5QLROjvEuk6?=
	=?us-ascii?q?nZto7VJdgDq6KkDAJY3Zwv5haiAzu8ztgVkmcLIEhYdB6fiojmIVDOIPT2Dfel?=
	=?us-ascii?q?hFSslS9mx+vYMb3lA5XNKGXDkbj4cblm7E5c1QwzwsxB6JJPEbwBPPLyVVPxtN?=
	=?us-ascii?q?zfFBM5NRe0zPz9BNVy0YMeR3qDArWFP6PKrV+I+uUvLvGOZI8SvjbyMeQl5/70?=
	=?us-ascii?q?gn8/glIdf66p3Z0SaH+iBfRmP1uWYWD3gtsbFmcKpAU+RvTwiFKeST5Te2qyX6?=
	=?us-ascii?q?Uk6zE5CoKpF5vMRoO2gLyG2ie7H4NWa3tIClCIDHfpeJ6LW+oKaCKOP89tiDsE?=
	=?us-ascii?q?VaKuS4U5zxGhqBf6y6Z7LurT4iAYrYzs28Nr6O3VlBEy6Tt0At+c026TUW57gH?=
	=?us-ascii?q?kERzgs3KBwuUZ90EuM0bBkg/xEEtxe/+5GUgA8NZ7a0uN1FdTyWgPac9iTVlmm?=
	=?us-ascii?q?WNKmDSs2TtIrzN8Ee1x9FMm6jhDfwyqqBKcYmKGXBJMu6KLRxGT+J8F4y3nazq?=
	=?us-ascii?q?YhlEUmTtFJNWK4mq517xLTCJLRk0WFi6aqcrwR3C/L9Gef02WOuF9XUAtuXqXZ?=
	=?us-ascii?q?R3AeZlDbrdPh5kzcSb+uDK4oMgpFycGZLatLZcfljVJcRPfsIN7eeX6+m3+sBR?=
	=?us-ascii?q?aUwbOBdIrremQa3CXbE0UElgQT8W+HNQg4HCuhpXjRDCZtFVLufUPj7/NyqHWl?=
	=?us-ascii?q?QU8o1wuKdVFu16Kp+h4JgvyRU+0c3qoetyc7qjV0B02w38rMBNqapgphZ71cYd?=
	=?us-ascii?q?cn71hby23VrQt9PoavL6p6nF4Rbxx3v1/y1xVwEohBn8kqrHcvzAVsM6KVy11B?=
	=?us-ascii?q?eC2F0pD3IL3YMHHy/Aqoa67UxF7RzMqW9r0I6PQipFXppBupGVY683V7z9lV1G?=
	=?us-ascii?q?OR5pvQDAUIV5L+Tkc39wNhqrHfeik95prY1WZiMKmvqDPC3MgpBOQ9wBa6Y9hf?=
	=?us-ascii?q?KL+EFBP1E8ACBMihMu8qm1+0bh8fP+Bd7q00P8S7d/ec366rJulgliq8jWtb+I?=
	=?us-ascii?q?B9zl6M9y1kR+HSwpkF2fCY0RWdVzrnlliursX3lZpDZTEIEWq10TLkC5JJZq1u?=
	=?us-ascii?q?YYYLDn+jLNGtydV6mZHtQGJY9V6kB14dw8+mZRuSYEL73Q1M1EQYu2armS2mwD?=
	=?us-ascii?q?xoizsptLaQ3DTSw+T+cxoKInRLS3R/glr3Loi0it8bUFKubwc3iBuv/Vz6yLRD?=
	=?us-ascii?q?pKRjM2nTRl9FfzP4L2F4VauwraaCbtVU6JMutiVWXuG8bkqcSrLnpRsVzT/jFX?=
	=?us-ascii?q?NExD8nbzGqpon5nxtihWOTNnlzqGbZdt9qxRfE/9HcW+Be3iAdSylljDnbHF+8?=
	=?us-ascii?q?P8Om/d+MjZfMrvi+V369Vp1UaSTr0Z6Puza65WJwBR2yhOy8mtriEQcmyyD7zM?=
	=?us-ascii?q?VqWT/OrBnifonhz766Pv5/fkl0GF/87NJ3Gp9/koQsmJEQ3mIaio+J8noHlmfz?=
	=?us-ascii?q?N9pb1Ln6bHoMQz4E2cTV4A//1E1kNHKJyJrzVm+Bzct5e9m6fmQW1zo578BLE6?=
	=?us-ascii?q?eU8KVInTBrrVq8rALRZ+V9nzgGxPs18H4agucJuAsxwSWGGLwSG1dXPTD0nRSS?=
	=?us-ascii?q?89++tLlXZHqocbWozkp+mtShDLWcrQFGRHn5fZkjEDRr7sViLF3My2f/6ob+eN?=
	=?us-ascii?q?nfddgTrAGbkw/cj+hJL5I8jvkKijRhOWLmpnAlyPA0jRp13ZG8ooeHN39h/KWj?=
	=?us-ascii?q?Ah5XLjf1fd8c+inxjaZCmcabx5ivEY98GjUPQpToVeinEDQOtfv5LQaDCyA8qm?=
	=?us-ascii?q?yFFrrFBg+T8lxmr3XSE5CxK36YOncZzdJ4RBmSOkNTmgYUUysmnpQhDACl2NTh?=
	=?us-ascii?q?cFtl5jAW/lP4tB1Mxf9zOhnhVGfQuQeoZi0ySJeBMBpc9htC6FvNMcyC8uJzGD?=
	=?us-ascii?q?lV/oW7owyQLmyWfBhHDWAVWk2EHlzjMKOh5d/a/+ifHOq+IOPEYa+SpuxGS/eI?=
	=?us-ascii?q?2ZWv35Nl/zeMMsWAIGJvD/g82kpNU3B2BdjZmykPSywQkiLCcdSXpBGi9S1rts?=
	=?us-ascii?q?q/6ujkWBrz5YuTDLtfKdtv9AqwgaefMO6QgT10KThG2ZwRwn/I0qIQ3EYIiyFp?=
	=?us-ascii?q?dTmiD6gPtTLXQKLXgK9XAAYRazlvO8tQ86I8wg5NNNbBit/v2L90lPs1BE1BVV?=
	=?us-ascii?q?zmmsCkftYFLH24NF/dA0aLLruGLyXRw87reaO8VaFQjOJMuh2+ozaUDVLsPi+Z?=
	=?us-ascii?q?mDnvSxCvNvpMgTqBMxNCvYGxaBFtCXLsTNj+cB20LMd3jSEqwb0znn7KM3QcPi?=
	=?us-ascii?q?Jkc0NVtbCQ4yJYgu9kG2xd4HplLO+ElDyf7+bEK5YZq/9rDj5zl+JA73Qw06FV?=
	=?us-ascii?q?4z1cRPxphCvSqcZjrEq9neWIzjpnUQFOqipQhI6RpkVtJ7nW+oNbWXna+BIN7G?=
	=?us-ascii?q?OQCwkFptZ+FtLuu7pQysXUlK7pJjZN6c7U/dAbB8jSMs6HN2AhMRXxEj7OEAQF?=
	=?us-ascii?q?VSKrNX3Yh0FFlvGS93mVrpwkpZj3g5cBUKFUVEYyFv8ADURlBtMCKo9tXjw4ib?=
	=?us-ascii?q?6bkNII5X2moRbKRcVasZfHVvSJDPryNjmWlrhEaAEOwb/iKoQTLIL70VR4alZm?=
	=?us-ascii?q?hITKB1bQXddVryJ7YQ87ultN/2ZlQ200w0LqdAWt4HoJGv61mh45kQx+YOs3+D?=
	=?us-ascii?q?fr+Vc3KULApDEsn0kphdXlnTeRfSbtLKe3WIFaETD0t08wM5zlRQZ6dheynUt6?=
	=?us-ascii?q?OzfHXL9ek7xgdWV3hwDGoptPBeRQTatabx8M3fuXfekn0UxAqiW7wk9K/e3FBo?=
	=?us-ascii?q?V4mwsuapOsrHVA2xl/bNEvI6zQP6lJzllKiqKIoCCoyvg7wBUCKEYV7GOSZCkI?=
	=?us-ascii?q?tVQSNrY4PCqn4PZj6RaelDtDY2UDTPsqouh3+UM6NeSA1zjg3KBDK0yrMeyQMb?=
	=?us-ascii?q?+ZsXDalcGUWlMwyl8Il05d8Ldry8gjbUuUWF00zLaKDRsJL9DCKQZbbspJ6nfc?=
	=?us-ascii?q?YTuOsf/MwZJpP4SxDOboQvGStKwMmEKrAB4pH5gQ7sQGBpSs1EbYLd35I74DyB?=
	=?us-ascii?q?Qt4x/mJFqDDPRUYh6Lly0Ho86nxp9twYZdPi0dAXl6MSiv/bbYuAsqgPuFXNcr?=
	=?us-ascii?q?bXYXRZcLNnUzWMKmgSFZpGhAACOx0u0H1AiI9yX8qTjIDDngc9pjY++Zag5wB9?=
	=?us-ascii?q?Gz/jU/9bS2hUPM/5XAOW76L9Viu97I6eMcvZqHDe1bTaVluUfGh4ZYX2CqU3LI?=
	=?us-ascii?q?EdOtO5jwaowsbdvoCna6Ul2ykC86T8bxPdm3NaeEmwfoSphIsIODxjAsKde9Fi?=
	=?us-ascii?q?0CGxd3v+wD67h8ahcFY5onehPotgM+NqK5IAeE0tWhXWetKT1KT/ZB1+W2fbpX?=
	=?us-ascii?q?wDQwbuWi0nsvUok6z/Wr8U4KXJwFlBXexfe/aIZASSfzH3xcewPIpSo/jWdsLf?=
	=?us-ascii?q?09wuYlzxPOqFUcPS2LePZvaGNao9E2HUmSLmluCmokW1+cipLO7RWy0LAU5CZS?=
	=?us-ascii?q?hctb0fNbv3jkpZ/QeiisWayxpZXSqSogYsAso7dtPoz7PsuGqJTekyTFTJnWsw?=
	=?us-ascii?q?2KTC66F/1emthLOCxWWeRGl3s5NMIBoodO9U0xVsIiKLNVE6ksuqqmaTx6Ai4O?=
	=?us-ascii?q?1SUZTZ+P3CQegueg3LvXjgufcJY4PxMYq5hNntwdUypyYiMfuqCjTZnWmHGYRW?=
	=?us-ascii?q?gLOgsT6h5M5A0YnI9qYu/l+JbITINLyzNOufJ7SDHLFp5z+FbgVmGWm0L3SOu/?=
	=?us-ascii?q?nOyt3AJSyv3s0t0aWB5wCUhd2+hWmVEyKLFyMaUQuJDFsiOQf0PgoG3t0PemJE?=
	=?us-ascii?q?VWycDMeVz0FpbKtWr9Ui0Z+H0bX4xPxWreFZsMjQV2drwnpFJWIICpYkz+/SAr?=
	=?us-ascii?q?x5x1H7mkUsCm304lrXECRyiwCdpABeZmsFbZWDB+ZpCrr5LlO45MTWBM4p2drE?=
	=?us-ascii?q?xZkF5sMy6/xppQMcZN4iQDXDJXuzWSoMOySNFf2c9xF5IDOM1/u2r7GK9eO5ic?=
	=?us-ascii?q?uHw2ur3uyn/F4D8wqlG6yyuvG6WgVeJW43UeGhk1J2SZskQvE+ws8mLJ/1DRrl?=
	=?us-ascii?q?x0+vxUCqKJjUpvvDZ3BopOCSpR1XC5M1RzS2FLs+VAJ6TPacNcR+Q9aASyNBMg?=
	=?us-ascii?q?Df4mx1KG/UVqknfjeSBysRFa+y/FVQkuSSYVmqvtmSEZqsy/Oz8aTIxHYC48YC?=
	=?us-ascii?q?jbMAKUhzpXvApBZE53QZwZBMhK+60D14tO4sXCUVqsKT0CXBF6LQ043+ZQmVJB?=
	=?us-ascii?q?vUmFdy3QFhandfHKshJrZ8iRt9KpIO7//AhZloPtqPo4+LkbR326hQ2tRsjTr5?=
	=?us-ascii?q?XiudKXtkuBbrv4Pva4YX/GUjjDkw68iqsjD5bX4SffKgxbJIdmyXA8e5juFXbL?=
	=?us-ascii?q?PQhaJ6IcP0dbTbt6aclcre9He89pY70J+ahwBhKdWhzgBoqvrOVcLlnJQTTSNS?=
	=?us-ascii?q?KB8vawoYjL97zSVfDgZtCQx3bAW693Io165iflFLj3yoJe50722ut39kxgV1jG?=
	=?us-ascii?q?MieBrND/KQMX/sWicVHivpIxFzPMHJhwiGbtxl1Hd8cPRi2l6pAYyJdH53bsVe?=
	=?us-ascii?q?J3yFL8vfZU97Z69Yk3+Kxmxt2sJajMM/hat1FoAgSMDAVw6potGHR/R3xWYuIJ?=
	=?us-ascii?q?KvfeZ74Zjcf1q+DzDaMX9gaY++lEadvDO0HBm9WwCjCGRhxChwcNszkaLhGT1/?=
	=?us-ascii?q?Sdga97Vd6lpfTl2kIq+1W+LAQJzLZj5Yee/aqHufHYYgDNzbceXKjqXcTzoq4q?=
	=?us-ascii?q?u0yM+f0ujKQOdXBtYw27DOgdUdYQxmj9zaArySIsF93MH7f79fFeSX02hTPglI?=
	=?us-ascii?q?p7H1kMHfMUB7WL95xEnmgkg+zZKsEWcqdal2aJER6pCb4CyXiu6yeNIWllhB/O?=
	=?us-ascii?q?0wvqTmOo8F/2tzJ4TjfQz9f+iEpaSKO7BUBIXyqmIUV4qi+APBL0tNrrvqQ49E?=
	=?us-ascii?q?Q2MmvitNKRm2uuJqhaH8j+JNOGJyk7uk4XjZM2Rty12oAbAsCxINEP/3FidvHe?=
	=?us-ascii?q?8X+kkzddo6dbgIrT+sWV+u7SHXSglKCapauCyy1fyngip14/8sqgNvbM59KUX/?=
	=?us-ascii?q?uoy3wdTyBluwvORxS1sKDUr0gIOUyX10fGgI4KPtBc3XQj00Hp+ugiT8wp9AVf?=
	=?us-ascii?q?EIbAaOkOpTbtNzvo2Vyfec44VjGC0ztLGVL4CVh4Gakm123qoM3EjmzQ9EM0Ro?=
	=?us-ascii?q?Zua0Prnxt3D583KUg18lgY3jIDERQRaRCcFLynHkXlLZAKVEcZaxSH3aS6er8t?=
	=?us-ascii?q?0k1uxrOi//PcbethCKUTLPldkxSOnF9BGp0Mq6EeR6h8e1BF/q7NugfiE5TnX+?=
	=?us-ascii?q?ThlXcoLf26WNxa/twZt3os5Qa/XRmg5Y5Y77kFjJCId6hEYYXDvc1n90do/yIP?=
	=?us-ascii?q?eTBNgBlxiBO5S+McqPrg4tfFqpqo7PihVKI3S+UQ7Rg0CHx0j4Hsj1A7vdHXy+?=
	=?us-ascii?q?BcR5XJiYTl7g9NJ2SFuIDE3BRnNOUOKo2rfLd893odPCgRPWgOPceMZ/k6/SBt?=
	=?us-ascii?q?LC3Z50ZeDcMUedMYIM3NlBhbikLzQrFc6NbbGl+DBod3dsAo83T4yDAv/pshSe?=
	=?us-ascii?q?bs8jm2Ko7D71tVJfNMkD1slM7epOgS2ffSBzYY4X+FaxhyxSOOzIKNBOj0/eWN?=
	=?us-ascii?q?ztHUSlwHEzUyU4hDPjqD+RaoSvCzlJr3TgOe8tXzj44mdEKMWnyxm7wIsqBNEe?=
	=?us-ascii?q?FcjSX72iJRFpvvi/KUtNqs73BXtkZcHYZ24hDEF79TPpJhORT3jsOrXFRzBjPj?=
	=?us-ascii?q?eMHIcRojoOWWyfsX4+VlLkfweIAVLBQFy7L89HpUQRBjSLHzvlmDW+IeesFqSP?=
	=?us-ascii?q?TernBa8YhgMbMAPECBpJz2qTdFsFI2AAgpaL82tDBVaknOnAlIW6npub8Aiw0c?=
	=?us-ascii?q?UcV6uU9NAm+wJmM+5yTdWqRRkaaRCeYZ8jONQawSS09oKD9xQwup2JVyfLukhf?=
	=?us-ascii?q?FHsn1ckSN7u/Uq1yFmSwa9uS3rvKIBwzUg+Ku3tD8Zo3xKUv2ekzvUCVVE1PkK?=
	=?us-ascii?q?j7kTC3js6Vy4e3QCYpH94L95KsT874Uh5WowYQk7dS0cQeugEz3wj7+PAoGXv9?=
	=?us-ascii?q?JcgBmNucvQYr+3KSgfLa89yRXlR3h8zgfShhBo/3UXQj+49t8rOJ29Odo5xiqv?=
	=?us-ascii?q?AWXbdlYM46NRsMv2sV4LTfc2Zk16zWVm08iHWjcNS9LVF2YylAgkZn1OcIhf5h?=
	=?us-ascii?q?8CC6konjGIs7Fa/gEVZTfZCZil+ojMksfLx3Y9Sc1mxmTIqa2ZnpkqymFqm8to?=
	=?us-ascii?q?7i6Sv3Qfb+nYU85vAnjw0YdS0u7+aO+usuAATotp1rKhXOUEMsa95Wu8wI9qVV?=
	=?us-ascii?q?O9xrQCA1q5N/cOyazFXCejVW2VQv+Lc2yLnzYlLk7y+wenIUAtZMdNtU89PfPI?=
	=?us-ascii?q?hoRAmA35TbN0WiKQqEfVzGM9NeMadho2t5m8dg0LTe4RYu2cKvY0wP06FlQAdX?=
	=?us-ascii?q?jJHTF5C+Wuq16igJB7O2l84UX9eens/BjmMMGTGhYYD4HXtZtx+f2mRmKbJ3Bs?=
	=?us-ascii?q?1hpyPFN79+3HDVQ+qvdcc4qNndjXn9l71uoFeOl2PC0lvt4cgJlj6ZWV0MiWbR?=
	=?us-ascii?q?HR1Ij9Ks/PrvieHfLf01wgentGXboBfQP1+4I6M8Y9W73SG7tZoBsdCbE+QJwg?=
	=?us-ascii?q?LGfx6Lp0IRhycgHLYrS0hdPmpuWRZptbv3XW9E4/LD/Aux0fzfy5VRd7YI6uh3?=
	=?us-ascii?q?XzJpAwWz1Ao9piBBt6HItABdkAoBS/A5GOg6y7iMG++1l8u+AUtar/Ee3K1Nuj?=
	=?us-ascii?q?04V2RZha6lSBPCzNC6lznkRlkuOyj+/F0pbrFcziedIEVO58QmPedL/GH4O/JS?=
	=?us-ascii?q?yKOsL9fU5G7rGd3Kh+UhWLayDzR7CGuzG8NPV4/UU7zZR1fOjJwzwu6LHUw8D/?=
	=?us-ascii?q?Z3xdpie/rX6JM4Zf7FPKBezCRR5UT+SK8Hp9F60NcYT07PsOMcAlwNWE4Qlz6T?=
	=?us-ascii?q?NC0NGfI6igtU/BwUR7eojeLET32iY1Q44KIA6wMUE0m2/WtmzdAWhALsijMcRt?=
	=?us-ascii?q?m9iVDhnx6ERwmmwgfXBBFXTyRdeQOGkb3MS+aBeM9A1VE9ZQ19KwLFU1sqy0VP?=
	=?us-ascii?q?lAJoROmeLssq4O19luNXLhXs9fahvRJ79/JDYZLuzOolUzKkoesrM1U505UpO5?=
	=?us-ascii?q?IEoGNkqb4SnuzA3e3FfyesDq36GMdnVFuk5bxq7IhGAf7zKyvuyU14i6CL0=3D?=
X-IPAS-Result: =?us-ascii?q?A2BQAgBU4ehZ/wHyM5BdHAEBBAEBCgEBFwEBBAEBCgEBgwg?=
	=?us-ascii?q?pA2QXVyeOGXSOSpgtEIIAJguKJT8YAQEBAQEBAQEBAQFqKII4JIJJAiQZATkCA?=
	=?us-ascii?q?wkCBUMIAwFsBYhKgTgBAxUDAQytAzqDCQWBAoRWgmAEAwWDL4E2UYlHghABhgs?=
	=?us-ascii?q?FoVOHYY0BkyaXLR84gVs0ISWDQoIMDDUPHIFodYpmAQEB?=
Received: from tarius.tycho.ncsc.mil ([144.51.242.1])
	by emsm-gh1-uea11.NCSC.MIL with ESMTP; 19 Oct 2017 17:34:00 +0000
Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v9JHX5bh029337;
	Thu, 19 Oct 2017 13:33:20 -0400
Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil
	[144.51.242.1])
	by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id
	v9JHX229083241 for <selinux@prometheus.infosec.tycho.ncsc.mil>;
	Thu, 19 Oct 2017 13:33:02 -0400
Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250])
	by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id v9JHX1L1029278
	for <selinux@tycho.nsa.gov>; Thu, 19 Oct 2017 13:33:01 -0400
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A1AJAQA+4ehZfyQbGNZdHAEBBAEBCgEBg?=
	=?us-ascii?q?zMpZ24njhmPPpgtEIIEDx6FGIUNPxgBAgEBAQEBAQETAQELFoYoGQE4ARWBO4h?=
	=?us-ascii?q?PgTgBAxUDAQytAzqDCQWBAoRWgjoBAQgcBAMFgy+BNlGJR4IQAYYLBaFTh2GNA?=
	=?us-ascii?q?ZMmly0fghM0ISWDQoJNDxyBaHWKZgEBAQ?=
X-IPAS-Result: =?us-ascii?q?A1AJAQA+4ehZfyQbGNZdHAEBBAEBCgEBgzMpZ24njhmPPpg?=
	=?us-ascii?q?tEIIEDx6FGIUNPxgBAgEBAQEBAQETAQELFoYoGQE4ARWBO4hPgTgBAxUDAQytA?=
	=?us-ascii?q?zqDCQWBAoRWgjoBAQgcBAMFgy+BNlGJR4IQAYYLBaFTh2GNAZMmly0fghM0ISW?=
	=?us-ascii?q?DQoJNDxyBaHWKZgEBAQ?=
X-IronPort-AV: E=Sophos;i="5.43,402,1503374400";
   d="scan'208";a="89756"
Received: from emsm-gh1-uea10.ncsc.mil ([214.29.60.34])
	by goalie.tycho.ncsc.mil with ESMTP; 19 Oct 2017 13:32:34 -0400
IronPort-PHdr: =?us-ascii?q?9a23=3AyZ2dRRfI9/Rug2lhnPITxjZPlGMj4u6mDksu8pMi?=
	=?us-ascii?q?zoh2WeGdxcS4YB7h7PlgxGXEQZ/co6odzbaO6+a5CSdZuMzJmUtBWaQEbwUCh8?=
	=?us-ascii?q?QSkl5oK+++Imq/EsTXaTcnFt9JTl5v8iLzG0FUHMHjew+a+SXqvnYdFRrlKAV6?=
	=?us-ascii?q?OPn+FJLMgMSrzeCy/IDYbxlViDanbr5+MAm6oR/MusQVjoduN7s9xgXUqXZUZu?=
	=?us-ascii?q?pawn9lK0iOlBjm/Mew+5Bj8yVUu/0/8sNLTLv3caclQ7FGFToqK2866tHluhnF?=
	=?us-ascii?q?VguP+2ATUn4KnRpSAgjK9w/1U5HsuSbnrOV92S2aPcrrTbAoXDmp8qlmRAP0hC?=
	=?us-ascii?q?oBKjU09nzchM5tg6JBuB+vuhxxzZDabo+WM/RzZb/Rcc8ASGZdRMtdSzBND4Wh?=
	=?us-ascii?q?ZIUPFeoBOuNYopHhqVsPsRS+BROjBPnyxTRVhHH5x6w60+I/HgHdwQctGMgOsH?=
	=?us-ascii?q?XIo9X1LqgSS/26w7HUwjrbb/NZwzb96I7WfRA6uvyDRq5wccvXyUkzCQzFlFOQ?=
	=?us-ascii?q?ppL5Pz+PyusNtG2b4vNmWOmyhWAnrARxrSKuxscqkoTJiYMVykzE9SVk24k5P8?=
	=?us-ascii?q?G3SEl+YdOiDZBetDmaOpNoTs8/TGxkojg2x7IctZKlfiUG0poqyh/HZ/GEcoWE?=
	=?us-ascii?q?+A/vWeieLDtihH9pZqiziwuy/EWm1+byTNO70ExQoSpAitTMtm4C1xjU6sWfV/?=
	=?us-ascii?q?t95lyu1iuS2w3X8uFLO1w4mKTBJ5E/3LEwk4ETsUvZEi/zgkr2jauWel8h+uip?=
	=?us-ascii?q?7+TrerTmppmCOI9okgzyLLkil8OlDegmPQUCRXaX9Oam2LDt/ED1WLBKgec3kq?=
	=?us-ascii?q?ndvpDaP8MbpquhDg9P04Ys9xa/AC280NsFhXYIMEpKeBKdgIjoPVHBPuv4AOyk?=
	=?us-ascii?q?jFSwkTdrwezGMaP7ApXLMHfDjK3tcqp6605Z0AYz18xQ54pICrEdJ/L+QlTxu8?=
	=?us-ascii?q?LcDh84NQy03unmBc5h1oIeRW2PAqiZPLnUsV+T/O0jOeaMZIgLuGW1F/9w/PPq?=
	=?us-ascii?q?jHkkiXcBbKKp2t0Rc3n+EfN4cGuDZn+5uNYKEW4QskIeRe3shUbKBSRSbHa7Ra?=
	=?us-ascii?q?4L7QY7AYOgAJzrTJyshqCMxiG2AttdYWUQWQPEKmvha4jRA6REUymVOMI0yjE?=
	=?us-ascii?q?=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AJAQDN4OhZfyQbGNZdHAEBBAEBCgEBF?=
	=?us-ascii?q?wEBBAEBCgEBgwgpZ24njhmPPpgtEIIEDx6FGIUNPxgBAQEBAQEBAQEBARIBAQs?=
	=?us-ascii?q?WXYI4IoJxGQE4ARWBO4hPgTgBAxUDAQytBzqDCQWBAoRWgjoBAQgcBAMFgy+BN?=
	=?us-ascii?q?lGJR4IQAYJtDIMSBaFTh2GNAZMmly0fghM0ISWDQoJNDxyBaHWKZgEBAQ?=
X-IPAS-Result: =?us-ascii?q?A0AJAQDN4OhZfyQbGNZdHAEBBAEBCgEBFwEBBAEBCgEBgwg?=
	=?us-ascii?q?pZ24njhmPPpgtEIIEDx6FGIUNPxgBAQEBAQEBAQEBARIBAQsWXYI4IoJxGQE4A?=
	=?us-ascii?q?RWBO4hPgTgBAxUDAQytBzqDCQWBAoRWgjoBAQgcBAMFgy+BNlGJR4IQAYJtDIM?=
	=?us-ascii?q?SBaFTh2GNAZMmly0fghM0ISWDQoJNDxyBaHWKZgEBAQ?=
X-IronPort-AV: E=Sophos;i="5.43,402,1503360000"; d="scan'208";a="4927709"
X-IronPort-Outbreak-Status: No, level 0, Unknown - Unknown
Received: from upbd19pa03.eemsg.mail.mil ([214.24.27.36])
	by EMSM-GH1-UEA10.NCSC.MIL with ESMTP; 19 Oct 2017 17:32:31 +0000
X-EEMSG-check-005: 0
X-EEMSG-check-006: 000-001;b7c6ef66-4751-42ca-b945-1fcff2157960
Received: from localhost.localdomain (localhost [127.0.0.1])
	by UPDCF3IC05.oob.disa.mil (Postfix) with SMTP id 3yHvSx4DrNzrKb7
	for <selinux@tycho.nsa.gov>; Thu, 19 Oct 2017 16:26:41 +0000 (UTC)
Received: from UPBD19PA12.eemsg.mil (unknown [192.168.18.16])
	by UPDCF3IC05.oob.disa.mil (Postfix) with ESMTP id 3yHvSx347lzrKb4
	for <selinux@tycho.nsa.gov>; Thu, 19 Oct 2017 16:26:41 +0000 (UTC)
Authentication-Results: upbd19pa12.eemsg.mail.mil;
	dkim=permerror (key too small [TEST])
	header.i=@btinternet.com
X-EEMSG-check-008: 90010800|UPBD19PA12_EEMSG_MP12.csd.disa.mil
X-EEMSG-check-001: false
X-EEMSG-SBRS: 3.4
X-EEMSG-ORIG-IP: 65.20.0.182
X-EEMSG-check-002: true
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A0A+AQCC0ehZhrYAFEFdg2OBEG62KxCCBA+FNoUNQBcDAQEBAQEBARMBAQEICwsIKC+FZAE4ARWBO4hPgTgBGAStOYMJBYEChFiCYAQDBYMvgTaMKAGCbQyDEgWhU4dhjQGTJpctIAGCETQhJYYugXSLWwEBAQ
X-IPAS-Result: 
 A0A+AQCC0ehZhrYAFEFdg2OBEG62KxCCBA+FNoUNQBcDAQEBAQEBARMBAQEICwsIKC+FZAE4ARWBO4hPgTgBGAStOYMJBYEChFiCYAQDBYMvgTaMKAGCbQyDEgWhU4dhjQGTJpctIAGCETQhJYYugXSLWwEBAQ
Received: from rgout05.bt.lon5.cpcloud.co.uk ([65.20.0.182])
	by upbd19pa12.eemsg.mail.mil with ESMTP; 19 Oct 2017 15:58:00 +0000
X-OWM-Source-IP: 86.134.52.15 (GB)
X-OWM-Env-Sender: richard_c_haines@btinternet.com
X-Junkmail-Premium-Raw: score=9/50, refid=2.7.2:2017.10.19.152416:17:9.975,
	ip=, rules=__HAS_FROM,
	__FRAUD_WEBMAIL_FROM, __TO_MALFORMED_2, __TO_NO_NAME, __HAS_CC_HDR,
	__CC_NAME, __CC_NAME_DIFF_FROM_ACC, __SUBJ_ALPHA_END, __HAS_MSGID,
	__SANE_MSGID, __HAS_X_MAILER, __FROM_DOMAIN_IN_ANY_CC1,
	__TO_IN_SUBJECT,
	__ANY_URI, __HTTPS_URI, __URI_WITH_PATH, __FRAUD_BODY_WEBMAIL,
	__URI_NO_WWW,
	__CP_URI_IN_BODY, __FRAUD_CONTACT_ADDY, __STOCK_PHRASE_7, __OEM_PRICE,
	__FRAUD_MONEY_CURRENCY_DOLLAR, __LINES_OF_YELLING, __URI_IN_BODY,
	__URI_NOT_IMG, __NO_HTML_TAG_RAW, BODY_SIZE_10000_PLUS, __MIME_TEXT_P1,
	__MIME_TEXT_ONLY, __URI_NS, HTML_00_01, HTML_00_10,
	__FRAUD_MONEY_CURRENCY,
	__FRAUD_WEBMAIL, __FROM_DOMAIN_IN_RCPT, __CC_REAL_NAMES,
	__PHISH_SPEAR_STRUCTURE_1, TO_IN_SUBJECT, __MIME_TEXT_P,
	URI_WITH_PATH_ONLY
Received: from localhost.localdomain (86.134.52.15) by
	rgout05.bt.lon5.cpcloud.co.uk (9.0.019.13-1) (authenticated as
	richard_c_haines@btinternet.com)
	id 59E5662400489367; Thu, 19 Oct 2017 16:57:53 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btinternet.com;
	s=btcpcloud; t=1508428681;
	bh=zDD2ABVtbq4UswL3+lpZeBNS9ywqRxrM1awTJK8z30s=;
	h=From:To:Cc:Subject:Date:Message-Id:X-Mailer;
	b=bC8CzCl/m20ea4eJqmbf/WqaFMVs8J+iaMykus/MKebyNvY7tQ12t0I0dWRMALJhfR+cvFNcsIwxbHTmtnifRQ5q3Ms7SfV9a2tFwCVC4J81GVrC17Wa5i7YCr+mVe33G6EXXyxxjt5pvpglaRpqB5Z5v+xKP2wiFFtu1pBC4is=
X-EEMSG-check-009: 444-444
From: Richard Haines <richard_c_haines@btinternet.com>
To: selinux@tycho.nsa.gov
Date: Thu, 19 Oct 2017 16:57:47 +0100
Message-Id: <20171019155747.26673-1-richard_c_haines@btinternet.com>
X-Mailer: git-send-email 2.13.6
Subject: [RFC PATCH 1/1] selinux-testsuite: Add CALIPSO/IPv6 tests
X-BeenThere: selinux@tycho.nsa.gov
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"
	<selinux.tycho.nsa.gov>
List-Post: <mailto:selinux@tycho.nsa.gov>
List-Help: <mailto:selinux-request@tycho.nsa.gov?subject=help>
Errors-To: selinux-bounces@tycho.nsa.gov
Sender: "Selinux" <selinux-bounces@tycho.nsa.gov>
X-Virus-Scanned: ClamAV using ClamSMTP

Add CALIPSO tests to inet_socket.

Note the CALIPSO/IPv6 datagram tests check whether the kernel patch
described in "Add SCM_SECURITY support to IPv6" [1] is installed.

[1] https://github.com/SELinuxProject/selinux-kernel/issues/24

Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
 tests/inet_socket/Makefile      |   3 +
 tests/inet_socket/calipso-flush |   5 ++
 tests/inet_socket/calipso-load  |   7 +++
 tests/inet_socket/server.c      |  67 +++++++++++++++++------
 tests/inet_socket/test          | 118 ++++++++++++++++++++++++++++++++++++----
 5 files changed, 173 insertions(+), 27 deletions(-)
 create mode 100644 tests/inet_socket/calipso-flush
 create mode 100644 tests/inet_socket/calipso-load

diff --git a/tests/inet_socket/Makefile b/tests/inet_socket/Makefile
index 5bfd561..a0a0d47 100644
--- a/tests/inet_socket/Makefile
+++ b/tests/inet_socket/Makefile
@@ -3,5 +3,8 @@ TARGETS=client server bind connect
 LDLIBS+= -lselinux
 
 all: $(TARGETS)
+	chmod +x *-load
+	chmod +x *-flush
+
 clean:
 	rm -f $(TARGETS)
diff --git a/tests/inet_socket/calipso-flush b/tests/inet_socket/calipso-flush
new file mode 100644
index 0000000..5143962
--- /dev/null
+++ b/tests/inet_socket/calipso-flush
@@ -0,0 +1,5 @@
+#!/bin/sh
+# Reset NetLabel configuration to unlabeled after CALIPSO/IPv6 tests.
+netlabelctl map del default
+netlabelctl calipso del doi:16
+netlabelctl map add default protocol:unlbl
diff --git a/tests/inet_socket/calipso-load b/tests/inet_socket/calipso-load
new file mode 100644
index 0000000..4bb9c7f
--- /dev/null
+++ b/tests/inet_socket/calipso-load
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Define a doi for testing loopback for CALIPSO/IPv6.
+netlabelctl calipso add pass doi:16
+netlabelctl map del default
+netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
+netlabelctl map add default address:::/0 protocol:unlbl
+netlabelctl map add default address:::1 protocol:calipso,16
diff --git a/tests/inet_socket/server.c b/tests/inet_socket/server.c
index 2801397..f7e38c8 100644
--- a/tests/inet_socket/server.c
+++ b/tests/inet_socket/server.c
@@ -10,6 +10,9 @@
 #include <stdio.h>
 #include <stdbool.h>
 
+ /* Defines IPV6_PASSSEC if kernel supports IPV6 cmsg_type */
+#include <linux/in6.h>
+
 #ifndef SO_PEERSEC
 #define SO_PEERSEC 31
 #endif
@@ -79,11 +82,25 @@ int main(int argc, char **argv)
 		perror("socket");
 		exit(1);
 	}
-	result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on));
-	if (result < 0) {
-		perror("setsockopt: SO_PASSSEC");
-		close(sock);
-		exit(1);
+
+	/* Allow retrival of IPv4 and IPv6 UDP/Datagram security contexts */
+	if (hints.ai_socktype == SOCK_DGRAM) {
+		result = setsockopt(sock, SOL_IP, IP_PASSSEC, &on, sizeof(on));
+		if (result < 0) {
+			perror("setsockopt: IP_PASSSEC");
+			close(sock);
+			exit(1);
+		}
+
+#ifdef IPV6_PASSSEC
+		result = setsockopt(sock, SOL_IPV6, IPV6_PASSSEC, &on,
+				    sizeof(on));
+		if (result < 0) {
+			perror("setsockopt: IPV6_PASSSEC");
+			close(sock);
+			exit(1);
+		}
+#endif
 	}
 
 	result = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
@@ -176,18 +193,34 @@ int main(int argc, char **argv)
 			}
 			if (nopeer) {
 				strcpy(msglabel, "nopeer");
-			}
-			for (cmsg = CMSG_FIRSTHDR(&msg); cmsg;
-			     cmsg = CMSG_NXTHDR(&msg, cmsg)) {
-				if (cmsg->cmsg_level == SOL_IP &&
-				    cmsg->cmsg_type == SCM_SECURITY) {
-					size_t len = cmsg->cmsg_len - CMSG_LEN(0);
-
-					if (len > 0 && len < sizeof(msglabel)) {
-						memcpy(msglabel, CMSG_DATA(cmsg), len);
-						msglabel[len] = 0;
-						printf("%s: Got SCM_SECURITY=%s\n",
-						       argv[0], msglabel);
+			} else {
+				for (cmsg = CMSG_FIRSTHDR(&msg); cmsg;
+				     cmsg = CMSG_NXTHDR(&msg, cmsg)) {
+#ifdef IPV6_PASSSEC
+					if ((cmsg->cmsg_level == SOL_IP &&
+					    cmsg->cmsg_type == SCM_SECURITY) ||
+					    (cmsg->cmsg_level == SOL_IPV6 &&
+					    cmsg->cmsg_type == IPV6_PASSSEC)) {
+#else
+					if (cmsg->cmsg_level == SOL_IP &&
+					    cmsg->cmsg_type == SCM_SECURITY) {
+#endif
+						size_t len = cmsg->cmsg_len - CMSG_LEN(0);
+
+						if (len > 0 && len < sizeof(msglabel)) {
+							memcpy(msglabel, CMSG_DATA(cmsg), len);
+							msglabel[len] = 0;
+#ifdef IPV6_PASSSEC
+							printf("%s: Got %s=%s\n",
+							       argv[0],
+							       cmsg->cmsg_type == SCM_SECURITY ?
+							       "SCM_SECURITY" : "IPV6_PASSSEC",
+							       msglabel);
+#else
+							printf("%s: Got SCM_SECURITY=%s\n",
+							       argv[0], msglabel);
+#endif
+						}
 					}
 				}
 			}
diff --git a/tests/inet_socket/test b/tests/inet_socket/test
index 81d0959..736e064 100755
--- a/tests/inet_socket/test
+++ b/tests/inet_socket/test
@@ -2,19 +2,53 @@
 use Test::More;
 
 BEGIN {
-    # check if ip xfrm supports ctx parameter
-    if ( system("ip xfrm policy help 2>&1 | grep -q ctx") != 0 ) {
-        plan skip_all => "ctx not supported in ip xfrm policy";
+    $basedir = $0;
+    $basedir =~ s|(.*)/[^/]*|$1|;
+
+    $test_count = 25;
+
+    $test_ipsec = 0;
+    if (system("ip xfrm policy help 2>&1 | grep -q ctx") != 0) {
+        print "ctx not supported in ip xfrm policy";
+    } else {
+        $test_count += 8;
+        $test_ipsec = 1;
     }
-    else {
-        plan tests => 33;
+
+    # Determine if CALIPSO supported by netlabelctl(8) and kernel.
+    $test_calipso_stream = 0;
+    $test_calipso_dgram = 0;
+    $netlabelctl = `netlabelctl -V`;
+    $netlabelctl =~ s/\D//g;
+    $kvercur = `uname -r`;
+    chomp($kvercur);
+    $kverminstream = "4.8";
+
+    $rc = `$basedir/../kvercmp $kvercur $kverminstream`;
+    if ($netlabelctl gt "021" and $rc > 0) {
+        $test_count += 4;
+        $test_calipso_stream = 1;
+
+        # Check if socket option IPV6_PASSSEC defined for datagram support
+        my $filename = '/usr/include/linux/in6.h';
+        $entry = 'IPV6_PASSSEC';
+        if (open(my $fh, '<:encoding(UTF-8)', $filename)) {
+            while (defined(my $row = <$fh>) and $test_calipso_dgram eq 0) {
+                chomp $row;
+                if ($row =~ /\b$entry\b/){
+	            $test_calipso_dgram = 1;
+                    $test_count += 4;
+                }
+            }
+        }
+    } else {
+        print "calipso not supported\n";
     }
-}
 
-$basedir = $0;
-$basedir =~ s|(.*)/[^/]*|$1|;
+    plan tests => $test_count;
+}
 
-# Load NetLabel configuration for full CIPSO4 labeling over loopback.
+# Load NetLabel configuration for full CIPSO/IPv4 labeling over loopback.
 system "$basedir/cipso-fl-load";
 
 # Start the stream server.
@@ -60,7 +94,7 @@ kill TERM, $pid;
 # Flush NetLabel configuration.
 system "$basedir/cipso-fl-flush";
 
-# Load NetLabel configuration for CIPSO4 over loopback.
+# Load NetLabel configuration for CIPSO/IPv4 over loopback.
 system "$basedir/cipso-load";
 
 # Start the stream server with a defined level.
@@ -293,4 +327,68 @@ kill TERM, $pid;
 # Flush iptables configuration.
 system "$basedir/iptables-flush";
 
+if ($test_calipso_stream) {
+    # Load NetLabel configuration for CALIPSO/IPv6 labeling over loopback.
+    system "$basedir/calipso-load";
+
+    # Start the stream server.
+    if (($pid = fork()) == 0) {
+        exec "runcon -t test_inet_server_t -l s0:c0.c10 $basedir/server stream 65535";
+    }
+
+    sleep 1; # Give it a moment to initialize.
+    # Verify that authorized client can communicate with the server.
+    $result = system "runcon -t test_inet_client_t -l s0:c0.c10 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c0.c10 stream ::1 65535";
+    ok($result eq 0);
+
+    # Verify that authorized client can communicate with the server using different valid level.
+    $result = system "runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e  system_u:object_r:netlabel_peer_t:s0:c8.c10 stream ::1 65535";
+    ok($result eq 0);
+
+    # Verify that authorized client cannot communicate with the server using invalid level.
+    $result = system "runcon -t test_inet_client_t -l s0:c8.c12 -- $basedir/client stream ::1 65535 2>&1";
+    ok($result);
+
+    # CALIPSO does not support mixed DGRAM->STREAM.
+    $result = system "runcon -t test_inet_client_t -l s0:c8.c10 $basedir/client -e  system_u:object_r:netlabel_peer_t:s0:c8.c10 dgram ::1 65535 2>&1";
+    ok($result);
+
+    # Kill the stream server.
+    kill TERM, $pid;
+
+    system "$basedir/calipso-flush";
+}
+
+if ($test_calipso_dgram) {
+    system "$basedir/calipso-load";
+
+    # Start the dgram server.
+    if (($pid = fork()) == 0) {
+        exec "runcon -t test_inet_server_t -l s0:c20.c50 $basedir/server dgram 65535";
+    }
+
+    sleep 1; # Give it a moment to initialize
+
+    # Verify that authorized client can communicate with the server using same levels.
+    $result = system "runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 dgram ::1 65535";
+    ok($result eq 0);
+
+    # CALIPSO does not allow client to communicate with server using different valid levels.
+    $result = system "runcon -t test_inet_client_t -l s0:c22.c30 $basedir/client -e  system_u:object_r:netlabel_peer_t:s0:c22.c30 dgram ::1 65535 2>&1";
+    ok($result);
+
+    # Verify that authorized client cannot communicate with the server using invalid level.
+    $result = system "runcon -t test_inet_client_t -l s0:c40.c51 -- $basedir/client dgram ::1 65535 2>&1";
+    ok($result);
+
+    # CALIPSO does not support mixed STREAM->DGRAM.
+    $result = system "runcon -t test_inet_client_t -l s0:c20.c50 $basedir/client -e system_u:object_r:netlabel_peer_t:s0:c20.c50 stream ::1 65535 2>&1";
+    ok($result);
+
+    # Kill the dgram server.
+    kill TERM, $pid;
+
+    system "$basedir/calipso-flush";
+}
+
 exit;