Currently, spamd_t is only allowed to connect to a MySQL stream --
i.e., a local MySQL instance, not a remote one via TCP. This patch
fixes that issue.
diff --git a/policy/modules/services/spamassassin.te
b/policy/modules/services/spamassassin.te
index dd49d31..210a57a 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -412,6 +412,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(spamd_t)
mysql_stream_connect(spamd_t)
+ corenet_tcp_connect_mysqld_port(spamd_t)
+ corenet_sendrecv_mysqld_client_packets(spamd_t)
')
optional_policy(`
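Review bot: the two added corenet_ lines after mysql_stream_connect(spamd_t) grant TCP access unconditionally, so any system where this optional block is active lets spamd_t open outbound connections to mysqld_port_t, including hosts that only ever use the local socket. Consider wrapping the two lines in a tunable_policy block (boolean name to be chosen by the maintainers) so that remote-database access is opt-in and the default stays at stream-only access.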
--
Chris St. Pierre
On Mon, 2010-04-26 at 13:48 -0500, Chris St. Pierre wrote:
> Currently, spamd_t is only allowed to connect to a MySQL stream --
> i.e., a local MySQL instance, not a remote one via TCP. This patch
> fixes that issue.
For completeness, something similar should also be added for postgresql.
> diff --git a/policy/modules/services/spamassassin.te
> b/policy/modules/services/spamassassin.te
> index dd49d31..210a57a 100644
> --- a/policy/modules/services/spamassassin.te
> +++ b/policy/modules/services/spamassassin.te
> @@ -412,6 +412,8 @@ optional_policy(`
> optional_policy(`
> mysql_search_db(spamd_t)
> mysql_stream_connect(spamd_t)
> + corenet_tcp_connect_mysqld_port(spamd_t)
> + corenet_sendrecv_mysqld_client_packets(spamd_t)
> ')
>
> optional_policy(`
>
--
Chris PeBenito
Tresys Technology, LLC
On Tue, Apr 27, 2010 at 8:45 AM, Christopher J. PeBenito
<[email protected]> wrote:
> On Mon, 2010-04-26 at 13:48 -0500, Chris St. Pierre wrote:
>> Currently, spamd_t is only allowed to connect to a MySQL stream --
>> i.e., a local MySQL instance, not a remote one via TCP. This patch
>> fixes that issue.
>
> For completeness, something similar should also be added for postgresql.
New patch:
diff --git a/policy/modules/services/spamassassin.te
b/policy/modules/services/spamassassin.te
index dd49d31..8a4089b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -412,6 +412,8 @@ optional_policy(`
optional_policy(`
mysql_search_db(spamd_t)
mysql_stream_connect(spamd_t)
+ corenet_tcp_connect_mysqld_port(spamd_t)
+ corenet_sendrecv_mysqld_client_packets(spamd_t)
')
optional_policy(`
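Review bot: corenet_tcp_connect_mysqld_port(spamd_t) in this hunk is keyed on the port type, not on a host, so it permits connections to any address on a port labelled mysqld_port_t and still denies a MySQL server listening on a port that lacks that label. A short comment above the two added lines, or a sentence in the change description, stating that a non-default database port must be labelled mysqld_port_t would document that requirement for administrators.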
@@ -424,6 +426,8 @@ optional_policy(`
optional_policy(`
postgresql_stream_connect(spamd_t)
+ corenet_tcp_connect_postgresql_port(spamd_t)
+ corenet_sendrecv_postgresql_client_packets(spamd_t)
')
optional_policy(`
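Review bot: the resubmission is introduced only by "New patch:" and the description in the thread mentions MySQL alone, so nothing records that the second hunk also opens TCP from spamd_t to PostgreSQL via corenet_tcp_connect_postgresql_port(spamd_t) and corenet_sendrecv_postgresql_client_packets(spamd_t). Please extend the change description to name both databases, so the log explains why spamd_t gained network access to postgresql_port_t.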
--
Chris St. Pierre
On Tue, 2010-04-27 at 09:14 -0500, Chris St. Pierre wrote:
> On Tue, Apr 27, 2010 at 8:45 AM, Christopher J. PeBenito
> <[email protected]> wrote:
> > On Mon, 2010-04-26 at 13:48 -0500, Chris St. Pierre wrote:
> >> Currently, spamd_t is only allowed to connect to a MySQL stream --
> >> i.e., a local MySQL instance, not a remote one via TCP. This patch
> >> fixes that issue.
> >
> > For completeness, something similar should also be added for postgresql.
>
> New patch:
Merged. In the future, please use tabs for indentation, rather than
spaces.
> diff --git a/policy/modules/services/spamassassin.te
> b/policy/modules/services/spamassassin.te
> index dd49d31..8a4089b 100644
> --- a/policy/modules/services/spamassassin.te
> +++ b/policy/modules/services/spamassassin.te
> @@ -412,6 +412,8 @@ optional_policy(`
> optional_policy(`
> mysql_search_db(spamd_t)
> mysql_stream_connect(spamd_t)
> + corenet_tcp_connect_mysqld_port(spamd_t)
> + corenet_sendrecv_mysqld_client_packets(spamd_t)
> ')
>
> optional_policy(`
> @@ -424,6 +426,8 @@ optional_policy(`
>
> optional_policy(`
> postgresql_stream_connect(spamd_t)
> + corenet_tcp_connect_postgresql_port(spamd_t)
> + corenet_sendrecv_postgresql_client_packets(spamd_t)
> ')
>
> optional_policy(`
>
--
Chris PeBenito
Tresys Technology, LLC