[refpolicy] [PATCH] Allow spamd to connect to MySQL via TCP

[refpolicy] [PATCH] Allow spamd to connect to MySQL via TCP

[Chris St. Pierre]

Currently, spamd_t is only allowed to connect to a MySQL stream --
i.e., a local MySQL instance, not a remote one via TCP.  This patch
fixes that issue.

diff --git a/policy/modules/services/spamassassin.te
b/policy/modules/services/spamassassin.te
index dd49d31..210a57a 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -412,6 +412,8 @@ optional_policy(`
 optional_policy(`
        mysql_search_db(spamd_t)
        mysql_stream_connect(spamd_t)
+       corenet_tcp_connect_mysqld_port(spamd_t)
+       corenet_sendrecv_mysqld_client_packets(spamd_t)
 ')

 optional_policy(`

-- 
Chris St. Pierre

[refpolicy] [PATCH] Allow spamd to connect to MySQL via TCP

[Christopher J. PeBenito]

On Mon, 2010-04-26 at 13:48 -0500, Chris St. Pierre wrote:
> Currently, spamd_t is only allowed to connect to a MySQL stream --
> i.e., a local MySQL instance, not a remote one via TCP.  This patch
> fixes that issue.

For completeness, something similar should also be added for postgresql.

> diff --git a/policy/modules/services/spamassassin.te
> b/policy/modules/services/spamassassin.te
> index dd49d31..210a57a 100644
> --- a/policy/modules/services/spamassassin.te
> +++ b/policy/modules/services/spamassassin.te
> @@ -412,6 +412,8 @@ optional_policy(`
>  optional_policy(`
>         mysql_search_db(spamd_t)
>         mysql_stream_connect(spamd_t)
> +       corenet_tcp_connect_mysqld_port(spamd_t)
> +       corenet_sendrecv_mysqld_client_packets(spamd_t)
>  ')
> 
>  optional_policy(`
> 

-- 
Chris PeBenito
Tresys Technology, LLC

[refpolicy] [PATCH] Allow spamd to connect to MySQL via TCP

[Chris St. Pierre]

On Tue, Apr 27, 2010 at 8:45 AM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
> On Mon, 2010-04-26 at 13:48 -0500, Chris St. Pierre wrote:
>> Currently, spamd_t is only allowed to connect to a MySQL stream --
>> i.e., a local MySQL instance, not a remote one via TCP. ?This patch
>> fixes that issue.
>
> For completeness, something similar should also be added for postgresql.

New patch:

diff --git a/policy/modules/services/spamassassin.te
b/policy/modules/services/spamassassin.te
index dd49d31..8a4089b 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -412,6 +412,8 @@ optional_policy(`
 optional_policy(`
        mysql_search_db(spamd_t)
        mysql_stream_connect(spamd_t)
+       corenet_tcp_connect_mysqld_port(spamd_t)
+       corenet_sendrecv_mysqld_client_packets(spamd_t)
 ')

 optional_policy(`
@@ -424,6 +426,8 @@ optional_policy(`

 optional_policy(`
        postgresql_stream_connect(spamd_t)
+       corenet_tcp_connect_postgresql_port(spamd_t)
+       corenet_sendrecv_postgresql_client_packets(spamd_t)
 ')

 optional_policy(`

-- 
Chris St. Pierre

[refpolicy] [PATCH] Allow spamd to connect to MySQL via TCP

[Christopher J. PeBenito]

On Tue, 2010-04-27 at 09:14 -0500, Chris St. Pierre wrote:
> On Tue, Apr 27, 2010 at 8:45 AM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
> > On Mon, 2010-04-26 at 13:48 -0500, Chris St. Pierre wrote:
> >> Currently, spamd_t is only allowed to connect to a MySQL stream --
> >> i.e., a local MySQL instance, not a remote one via TCP.  This patch
> >> fixes that issue.
> >
> > For completeness, something similar should also be added for postgresql.
> 
> New patch:

Merged.  In the future, please use tabs for indentation, rather than
spaces.

> diff --git a/policy/modules/services/spamassassin.te
> b/policy/modules/services/spamassassin.te
> index dd49d31..8a4089b 100644
> --- a/policy/modules/services/spamassassin.te
> +++ b/policy/modules/services/spamassassin.te
> @@ -412,6 +412,8 @@ optional_policy(`
>  optional_policy(`
>         mysql_search_db(spamd_t)
>         mysql_stream_connect(spamd_t)
> +       corenet_tcp_connect_mysqld_port(spamd_t)
> +       corenet_sendrecv_mysqld_client_packets(spamd_t)
>  ')
> 
>  optional_policy(`
> @@ -424,6 +426,8 @@ optional_policy(`
> 
>  optional_policy(`
>         postgresql_stream_connect(spamd_t)
> +       corenet_tcp_connect_postgresql_port(spamd_t)
> +       corenet_sendrecv_postgresql_client_packets(spamd_t)
>  ')
> 
>  optional_policy(`
> 

-- 
Chris PeBenito
Tresys Technology, LLC