From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 27 Apr 2010 10:32:29 -0400
Subject: [refpolicy] [PATCH] Allow spamd to connect to MySQL via TCP
In-Reply-To: <r2jc08242931004270714yf48ed961wd109032891a252f3@mail.gmail.com>
References: <t2mc08242931004261148xe0c81f67la5f88a775610a67a@mail.gmail.com>
	<1272375941.32279.244.camel@gorn>
	<r2jc08242931004270714yf48ed961wd109032891a252f3@mail.gmail.com>
Message-ID: <1272378749.32279.249.camel@gorn>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 2010-04-27 at 09:14 -0500, Chris St. Pierre wrote:
> On Tue, Apr 27, 2010 at 8:45 AM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
> > On Mon, 2010-04-26 at 13:48 -0500, Chris St. Pierre wrote:
> >> Currently, spamd_t is only allowed to connect to a MySQL stream --
> >> i.e., a local MySQL instance, not a remote one via TCP.  This patch
> >> fixes that issue.
> >
> > For completeness, something similar should also be added for postgresql.
> 
> New patch:

Merged.  In the future, please use tabs for indentation, rather than
spaces.

> diff --git a/policy/modules/services/spamassassin.te
> b/policy/modules/services/spamassassin.te
> index dd49d31..8a4089b 100644
> --- a/policy/modules/services/spamassassin.te
> +++ b/policy/modules/services/spamassassin.te
> @@ -412,6 +412,8 @@ optional_policy(`
>  optional_policy(`
>         mysql_search_db(spamd_t)
>         mysql_stream_connect(spamd_t)
> +       corenet_tcp_connect_mysqld_port(spamd_t)
> +       corenet_sendrecv_mysqld_client_packets(spamd_t)
>  ')
> 
>  optional_policy(`
> @@ -424,6 +426,8 @@ optional_policy(`
> 
>  optional_policy(`
>         postgresql_stream_connect(spamd_t)
> +       corenet_tcp_connect_postgresql_port(spamd_t)
> +       corenet_sendrecv_postgresql_client_packets(spamd_t)
>  ')
> 
>  optional_policy(`
> 

-- 
Chris PeBenito
Tresys Technology, LLC