Description: Add boolean to allow binding to UDP sockets
Author: Russell Coker <russell@coker.com.au>
Last-Update: 2016-01-20

Index: refpolicy/policy/global_tunables
===================================================================
--- refpolicy.orig/policy/global_tunables
+++ refpolicy/policy/global_tunables
@@ -118,3 +118,11 @@ gen_tunable(use_samba_home_dirs,false)
 ## </p>
 ## </desc>
 gen_tunable(user_tcp_server,false)
+
+## <desc>
+## <p>
+## Allow users to run UDP servers (bind to ports and accept connection from
+## the same domain and outside users)
+## </p>
+## </desc>
+gen_tunable(user_udp_server,false)
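Review bot: The description for `user_udp_server` is copied from the TCP tunable and says "accept connection", which does not describe UDP: there is no accept step, and a bound socket receives datagrams from any sender that can reach it. Administrators read this text when deciding whether to enable the boolean, so I would word it as `## Allow users to run UDP servers (bind to generic ports and receive datagrams from the same domain and outside users)`. The same sentence is repeated in the comment above `tunable_policy` in the userdomain.if hunk and should be changed with it. Keeping the default at `false` is appropriate for a rule that opens listening sockets to user domains.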
Index: refpolicy/policy/modules/system/userdomain.if
===================================================================
--- refpolicy.orig/policy/modules/system/userdomain.if
+++ refpolicy/policy/modules/system/userdomain.if
@@ -1053,6 +1053,13 @@ template(`userdom_unpriv_user_template',
 		corenet_tcp_bind_generic_port($1_t)
 	')
 
+	# Allow users to run UDP servers (bind to ports and accept connection from
+	# the same domain and outside users)
+	tunable_policy(`user_udp_server',`
+		corenet_udp_bind_generic_node($1_t)
+		corenet_udp_bind_generic_port($1_t)
+	')
+
 	optional_policy(`
 		netutils_run_ping_cond($1_t, $1_r)
 		netutils_run_traceroute_cond($1_t, $1_r)
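Review bot: The comment above `tunable_policy(`user_udp_server', ...)` does not state the scope of the grant. The block sits inside `userdom_unpriv_user_template`, so one global boolean enables it for every domain instantiated from that template, with no per-role switch. Judging by the interface names, `corenet_udp_bind_generic_node` permits binding on any address rather than loopback only, and `corenet_udp_bind_generic_port` covers only ports carrying the generic port type; this should be confirmed against corenetwork. I would add a line such as `# Applies to all unprivileged user domains; only generic (not service-labeled) ports, on any local address.` The template body starts and ends outside this hunk, so any existing UDP bind rules elsewhere in it are not visible here.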
