From: chris.a.st.pierre@gmail.com (Chris St. Pierre)
Date: Tue, 27 Apr 2010 09:14:43 -0500
Subject: [refpolicy] [PATCH] Allow spamd to connect to MySQL via TCP
In-Reply-To: <1272375941.32279.244.camel@gorn>
References: <1272375941.32279.244.camel@gorn>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Apr 27, 2010 at 8:45 AM, Christopher J. PeBenito wrote:
> On Mon, 2010-04-26 at 13:48 -0500, Chris St. Pierre wrote:
>> Currently, spamd_t is only allowed to connect to a MySQL stream --
>> i.e., a local MySQL instance, not a remote one via TCP. This patch
>> fixes that issue.
>
> For completeness, something similar should also be added for postgresql.

New patch:

diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te index dd49d31..8a4089b 100644 --- a/policy/modules/services/spamassassin.te +++ b/policy/modules/services/spamassassin.te @@ -412,6 +412,8 @@ optional_policy(` optional_policy(` mysql_search_db(spamd_t) mysql_stream_connect(spamd_t) + corenet_tcp_connect_mysqld_port(spamd_t) + corenet_sendrecv_mysqld_client_packets(spamd_t) ') optional_policy(` @@ -424,6 +426,8 @@ optional_policy(` optional_policy(` postgresql_stream_connect(spamd_t) + corenet_tcp_connect_postgresql_port(spamd_t) + corenet_sendrecv_postgresql_client_packets(spamd_t) ') optional_policy(`

--
Chris St. Pierre
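
Review bot: In the first hunk (@@ -412,6 +412,8 @@), corenet_tcp_connect_mysqld_port(spamd_t) is added with no boolean guarding it, so every spamd_t deployment gains outbound TCP to the mysqld port, including hosts that only use the local socket already covered by mysql_stream_connect(spamd_t). Consider placing the two corenet_ lines under a tunable_policy boolean that defaults to off, so that remote database access is an explicit administrator choice rather than a default grant.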
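
Review bot: In the second hunk (@@ -424,6 +426,8 @@), the two corenet_ lines sit inside the same optional_policy block as postgresql_stream_connect(spamd_t), which ties remote TCP access to the postgresql policy module being loaded on the spamd host. A host that only talks to a remote PostgreSQL server may not carry that module, and the corenet_ interfaces do not depend on it, so they could be moved outside the optional block; the same applies to the mysqld lines in the first hunk. The subject line also still names only MySQL and should mention PostgreSQL now that this hunk is part of the patch.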