From e19b8d1c2e671a937d3d23a0166b147c3a2ad6d7 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <cpebenito@tresys.com>
Date: May 19 2010 13:00:39 +0000
Subject: MTA patch from Dan Walsh.


---

diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 44e782e..c57356a 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -356,6 +356,7 @@ interface(`mta_send_mail',`
 	')
 
 	allow $1 mta_exec_type:lnk_file read_lnk_file_perms;
+	corecmd_read_bin_symlinks($1)
 	domtrans_pattern($1, mta_exec_type, system_mail_t)
 
 	allow mta_user_agent $1:fd use;
@@ -400,6 +401,25 @@ interface(`mta_sendmail_domtrans',`
 
 ########################################
 ## <summary>
+##	Send system mail client a signal
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+#
+interface(`mta_signal_system_mail',`
+	gen_require(`
+		type system_mail_t;
+	')
+
+	allow $1 system_mail_t:process signal;
+')
+
+########################################
+## <summary>
 ##	Execute sendmail in the caller domain.
 ## </summary>
 ## <param name="domain">
@@ -765,6 +785,25 @@ interface(`mta_search_queue',`
 
 #######################################
 ## <summary>
+##	List the mail queue.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mta_list_queue',`
+	gen_require(`
+		type mqueue_spool_t;
+	')
+
+	allow $1 mqueue_spool_t:dir list_dir_perms;
+	files_search_spool($1)
+')
+
+#######################################
+## <summary>
 ##	Read the mail queue.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index 797d86b..29f117c 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -1,5 +1,5 @@
 
-policy_module(mta, 2.2.1)
+policy_module(mta, 2.2.2)
 
 ########################################
 #
@@ -71,10 +71,14 @@ dev_read_sysfs(system_mail_t)
 dev_read_rand(system_mail_t)
 dev_read_urand(system_mail_t)
 
+files_read_usr_files(system_mail_t)
+
 fs_rw_anon_inodefs_files(system_mail_t)
 
 selinux_getattr_fs(system_mail_t)
 
+term_dontaudit_use_unallocated_ttys(system_mail_t)
+
 init_use_script_ptys(system_mail_t)
 
 userdom_use_user_terminals(system_mail_t)
@@ -107,6 +111,7 @@ optional_policy(`
 optional_policy(`
 	cron_read_system_job_tmp_files(system_mail_t)
 	cron_dontaudit_write_pipes(system_mail_t)
+	cron_rw_system_job_stream_sockets(system_mail_t)
 ')
 
 optional_policy(`