From 9ea85eaa8b6a52df1e7c13d6e2d20f4b8444f7f1 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Thu, 20 May 2010 08:36:38 -0400
Subject: [PATCH] Sendmail patch from Dan Walsh.

---
 policy/modules/services/sendmail.if | 18 ++++++++++++++++++
 policy/modules/services/sendmail.te | 6 ++++--
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/sendmail.if b/policy/modules/services/sendmail.if
index 306a2b191..e4f405106 100644
--- a/policy/modules/services/sendmail.if
+++ b/policy/modules/services/sendmail.if
@@ -251,6 +251,24 @@ interface(`sendmail_manage_tmp_files',`
 manage_files_pattern($1, sendmail_tmp_t, sendmail_tmp_t)
 ')
+########################################
+##
+## Execute sendmail in the unconfined sendmail domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`sendmail_domtrans_unconfined',`
+ gen_require(`
+ type unconfined_sendmail_t;
+ ')
+
+ mta_sendmail_domtrans($1, unconfined_sendmail_t)
+')
+
 ########################################
 ##
 ## Execute sendmail in the unconfined sendmail domain, and
diff --git a/policy/modules/services/sendmail.te b/policy/modules/services/sendmail.te
index c1d229755..43edd991a 100644
--- a/policy/modules/services/sendmail.te
+++ b/policy/modules/services/sendmail.te
@@ -1,5 +1,5 @@
-policy_module(sendmail, 1.10.1)
+policy_module(sendmail, 1.10.2)
 ########################################
 #
@@ -30,7 +30,7 @@ role system_r types unconfined_sendmail_t;
 #
 allow sendmail_t self:capability { dac_override setuid setgid net_bind_service sys_nice chown sys_tty_config };
-allow sendmail_t self:process { setrlimit signal signull };
+allow sendmail_t self:process { setsched setpgid setrlimit signal signull };
 allow sendmail_t self:fifo_file rw_fifo_file_perms;
 allow sendmail_t self:unix_stream_socket create_stream_socket_perms;
 allow sendmail_t self:unix_dgram_socket create_socket_perms;
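Review bot: The new `sendmail_domtrans_unconfined` interface hands any caller domain `$1` a transition into `unconfined_sendmail_t`, and both the type name and the summary describe that target as unconfined, so a caller effectively gains an unconfined process; the summary line should state that consequence so nobody wires it into a confined daemon by mistake. Suggest `## Execute sendmail in the unconfined sendmail domain. The resulting process is unconfined; call this only from a domain that is itself unconfined.` in place of the current one-line summary. The rendered text also shows bare `##` lines where refpolicy's XML doc markup (`<summary>`, `<param name="domain">`) normally sits; if that markup is genuinely missing from the patch rather than stripped by rendering, the interface documentation generator will not accept the block. The sibling interface whose header starts at `## Execute sendmail in the unconfined sendmail domain, and` continues past the end of this hunk.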
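Review bot: The `setsched setpgid` additions to `allow sendmail_t self:process { ... }` carry no rationale in the hunk or in the one-line commit message, so a later reader cannot tell which denial motivated them or whether it came from the daemon or from the client-side sendmail invocation. Both are self-only permissions, so the privilege impact looks small, but unexplained grants tend to accumulate; a why-comment above the rule such as `# setsched, setpgid: TODO(review) record the AVC denial that motivated these` would keep the reason attached to the rule. The `role system_r types unconfined_sendmail_t;` header context shows only that the rule sits in the sendmail_t local policy; the surrounding declarations are outside the hunk.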
@@ -72,6 +72,7 @@ fs_search_auto_mountpoints(sendmail_t)
 fs_rw_anon_inodefs_files(sendmail_t)
 term_dontaudit_use_console(sendmail_t)
+term_dontaudit_use_generic_ptys(sendmail_t)
 # for piping mail to a command
 corecmd_exec_shell(sendmail_t)
@@ -133,6 +134,7 @@ optional_policy(`
 optional_policy(`
 fail2ban_read_lib_files(sendmail_t)
+ fail2ban_rw_stream_sockets(sendmail_t)
 ')
 optional_policy(`
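Review bot: `term_dontaudit_use_generic_ptys(sendmail_t)` silences denials rather than granting access, which is the least-privilege choice only if the denials come from a pty descriptor inherited from the invoking shell and sendmail never actually needs it; if sendmail does need the pty, the suppressed denial turns into a silent failure that is hard to diagnose later. A one-line comment recording that assumption, in the style of the existing `# for piping mail to a command` line below it, e.g. `# leaked pty fd from the invoking shell; sendmail does not use it`, would make the intent checkable. The adjacent `term_dontaudit_use_console(sendmail_t)` suggests the same reasoning was applied before, but that is an inference from the hunk context.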
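Review bot: `fail2ban_rw_stream_sockets(sendmail_t)` grants sendmail_t read and write on fail2ban's stream sockets, noticeably broader than the read-only `fail2ban_read_lib_files(sendmail_t)` it is placed next to; if the denial being fixed is only a socket inherited when fail2ban execs sendmail to deliver an alert, a dontaudit of the inherited descriptor is the narrower fix, and if sendmail genuinely exchanges data with fail2ban over that socket a comment such as `# fail2ban execs sendmail with its socket open` should say so. Also confirm that `fail2ban_rw_stream_sockets` exists in this tree's fail2ban.if, since the diff does not add it and the `optional_policy` block would then fail to build. The enclosing `optional_policy(` blocks begin and end outside the hunk.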