Add dovecot_can_connect_db boolean.

Add dovecot_can_connect_db boolean. Grant connect dovecot_auth_t to DBs by dovecot_can_connect_db boolean.

policy/modules/services/dovecot.te

@@ -5,6 +5,14 @@ policy_module(dovecot, 1.21.0)
 # Declarations
 #
 
+## <desc>
+##      <p>
+##      Determine whether dovecot can connect to
+##      databases.
+##      </p>
+## </desc>
+gen_tunable(dovecot_can_connect_db, false)
+
 attribute dovecot_domain;
 
 type dovecot_t, dovecot_domain;
@@ -268,6 +276,18 @@ seutil_search_default_contexts(dovecot_auth_t)
 
 sysnet_use_ldap(dovecot_auth_t)
 
+tunable_policy(`dovecot_can_connect_db',`
+        corenet_sendrecv_gds_db_client_packets(dovecot_auth_t)
+        corenet_tcp_connect_gds_db_port(dovecot_auth_t)
+        corenet_tcp_sendrecv_gds_db_port(dovecot_auth_t)
+        corenet_sendrecv_mssql_client_packets(dovecot_auth_t)
+        corenet_tcp_connect_mssql_port(dovecot_auth_t)
+        corenet_tcp_sendrecv_mssql_port(dovecot_auth_t)
+        corenet_sendrecv_oracledb_client_packets(dovecot_auth_t)
+        corenet_tcp_connect_oracledb_port(dovecot_auth_t)
+        corenet_tcp_sendrecv_oracledb_port(dovecot_auth_t)
+')
+
 optional_policy(`
 	userdom_list_user_tmp(dovecot_auth_t)
 	userdom_read_user_tmp_files(dovecot_auth_t)
@@ -275,9 +295,20 @@ optional_policy(`
 ')
 
 optional_policy(`
-	mysql_stream_connect(dovecot_auth_t)
-	mysql_read_config(dovecot_auth_t)
-	mysql_tcp_connect(dovecot_auth_t)
+        tunable_policy(`dovecot_can_connect_db',`
+		mysql_stream_connect(dovecot_auth_t)
+		mysql_read_config(dovecot_auth_t)
+		mysql_tcp_connect(dovecot_auth_t)
+	')
+')
+
+optional_policy(`
+        postgresql_unpriv_client(dovecot_auth_t)
+
+        tunable_policy(`dovecot_can_connect_db',`
+                postgresql_stream_connect(dovecot_auth_t)
+                postgresql_tcp_connect(dovecot_auth_t)
+        ')
 ')
 
 optional_policy(`