Merge pull request #44 from pebenito/http-mta-optional

policy/modules/services/apache.te

@@ -663,16 +663,18 @@ tunable_policy(`httpd_execmem',`
 	dontaudit httpd_t self:process { execmem execstack };
 ')
 
-tunable_policy(`httpd_can_sendmail',`
+optional_policy(`
-	corenet_sendrecv_smtp_client_packets(httpd_t)
+	tunable_policy(`httpd_can_sendmail',`
-	corenet_tcp_connect_smtp_port(httpd_t)
+		corenet_sendrecv_smtp_client_packets(httpd_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_t)
+		corenet_tcp_connect_smtp_port(httpd_t)
-	corenet_sendrecv_pop_client_packets(httpd_t)
+		corenet_tcp_sendrecv_smtp_port(httpd_t)
-	corenet_tcp_connect_pop_port(httpd_t)
+		corenet_sendrecv_pop_client_packets(httpd_t)
-	corenet_tcp_sendrecv_pop_port(httpd_t)
+		corenet_tcp_connect_pop_port(httpd_t)
+		corenet_tcp_sendrecv_pop_port(httpd_t)
 
-	mta_send_mail(httpd_t)
+		mta_send_mail(httpd_t)
-	mta_signal_system_mail(httpd_t)
+		mta_signal_system_mail(httpd_t)
+	')
 ')
 
 optional_policy(`
@@ -1007,17 +1009,6 @@ tunable_policy(`httpd_can_network_connect_db',`
 	corenet_tcp_sendrecv_oracledb_port(httpd_suexec_t)
 ')
 
-tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_smtp_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
-	corenet_sendrecv_pop_client_packets(httpd_suexec_t)
-	corenet_tcp_connect_pop_port(httpd_suexec_t)
-	corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
-	mta_send_mail(httpd_suexec_t)
-	mta_signal_system_mail(httpd_suexec_t)
-')
-
 tunable_policy(`httpd_enable_cgi && httpd_unified',`
 	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
 ')
@@ -1094,6 +1085,19 @@ optional_policy(`
 	mailman_domtrans_cgi(httpd_suexec_t)
 ')
 
+optional_policy(`
+	tunable_policy(`httpd_can_sendmail',`
+		corenet_sendrecv_smtp_client_packets(httpd_suexec_t)
+		corenet_tcp_connect_smtp_port(httpd_suexec_t)
+		corenet_tcp_sendrecv_smtp_port(httpd_suexec_t)
+		corenet_sendrecv_pop_client_packets(httpd_suexec_t)
+		corenet_tcp_connect_pop_port(httpd_suexec_t)
+		corenet_tcp_sendrecv_pop_port(httpd_suexec_t)
+		mta_send_mail(httpd_suexec_t)
+		mta_signal_system_mail(httpd_suexec_t)
+	')
+')
+
 optional_policy(`
 	mysql_stream_connect(httpd_suexec_t)
 	mysql_read_config(httpd_suexec_t)
@@ -1265,18 +1269,6 @@ ifdef(`init_systemd', `
 	init_search_pids(httpd_sys_script_t)
 ')
 
-tunable_policy(`httpd_can_sendmail',`
-	corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_smtp_port(httpd_sys_script_t)
-	corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
-	corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
-	corenet_tcp_connect_pop_port(httpd_sys_script_t)
-	corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
-
-	mta_send_mail(httpd_sys_script_t)
-	mta_signal_system_mail(httpd_sys_script_t)
-')
-
 tunable_policy(`httpd_enable_homedirs',`
 	userdom_search_user_home_dirs(httpd_sys_script_t)
 ')
@@ -1326,6 +1318,20 @@ optional_policy(`
 	clamav_scannable_files(httpd_sys_content_t)
 ')
 
+optional_policy(`
+	tunable_policy(`httpd_can_sendmail',`
+		corenet_sendrecv_smtp_client_packets(httpd_sys_script_t)
+		corenet_tcp_connect_smtp_port(httpd_sys_script_t)
+		corenet_tcp_sendrecv_smtp_port(httpd_sys_script_t)
+		corenet_sendrecv_pop_client_packets(httpd_sys_script_t)
+		corenet_tcp_connect_pop_port(httpd_sys_script_t)
+		corenet_tcp_sendrecv_pop_port(httpd_sys_script_t)
+
+		mta_send_mail(httpd_sys_script_t)
+		mta_signal_system_mail(httpd_sys_script_t)
+	')
+')
+
 optional_policy(`
 	postgresql_unpriv_client(httpd_sys_script_t)
 ')