From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 27 Apr 2010 09:45:41 -0400
Subject: [refpolicy] [PATCH] Allow spamd to connect to MySQL via TCP
In-Reply-To: <t2mc08242931004261148xe0c81f67la5f88a775610a67a@mail.gmail.com>
References: <t2mc08242931004261148xe0c81f67la5f88a775610a67a@mail.gmail.com>
Message-ID: <1272375941.32279.244.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 2010-04-26 at 13:48 -0500, Chris St. Pierre wrote:
> Currently, spamd_t is only allowed to connect to a MySQL stream --
> i.e., a local MySQL instance, not a remote one via TCP.  This patch
> fixes that issue.

For completeness, something similar should also be added for postgresql.

> diff --git a/policy/modules/services/spamassassin.te
> b/policy/modules/services/spamassassin.te
> index dd49d31..210a57a 100644
> --- a/policy/modules/services/spamassassin.te
> +++ b/policy/modules/services/spamassassin.te
> @@ -412,6 +412,8 @@ optional_policy(`
>  optional_policy(`
>         mysql_search_db(spamd_t)
>         mysql_stream_connect(spamd_t)
> +       corenet_tcp_connect_mysqld_port(spamd_t)
> +       corenet_sendrecv_mysqld_client_packets(spamd_t)
>  ')
> 
>  optional_policy(`
> 

-- 
Chris PeBenito
Tresys Technology, LLC