
phpfpm_additional: allow executing a shell to send mails

Helmut Pozimski 3 years ago
parent
commit
eaf6c308b2
2 changed files with 42 additions and 1 deletions
  1. 39 0
      phpfpm_additional.if
  2. 3 1
      phpfpm_additional.te

+ 39 - 0
phpfpm_additional.if

@@ -0,0 +1,39 @@
+ ## <summary>PHP-fpm policy interfaces.</summary>
+
+########################################
+## <summary>
+##      Do not audit attempts to read and
+##      write phpfpm unix domain stream sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`phpfpm_dontaudit_rw_stream_sockets',`
+        gen_require(`
+                type phpfpm_t;
+        ')
+
+        dontaudit $1 phpfpm_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to read and
+##      write phpfpm TCP sockets.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+#
+interface(`phpfpm_dontaudit_rw_tcp_sockets',`
+        gen_require(`
+                type phpfpm_t;
+        ')
+
+        dontaudit $1 phpfpm_t:tcp_socket { read write };
+')
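Review bot: The two dontaudit interfaces added in this file are not mentioned in the commit title or description, which speak only of executing a shell to send mail, and nothing in the accompanying .te hunk calls them, so it is unclear which domains they are meant for. A dontaudit rule only silences denials and grants nothing, so a caller that genuinely needs to read and write phpfpm_t sockets would fail silently once it uses one of these; I would say so in each summary, for example `##      Callers that actually need the sockets require an allow interface; this only hides denials.`, and, if such a caller exists, pair each with an allow counterpart such as `allow $1 phpfpm_t:unix_stream_socket { read write };`. The file summary on the first line is generic; naming the expected consumers there would help the next maintainer.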

+ 3 - 1
phpfpm_additional.te

@@ -1,4 +1,4 @@
-policy_module(phpfpm_additional, 0.0.6)
+policy_module(phpfpm_additional, 0.0.7)
 
 require {
   type phpfpm_t;
@@ -22,6 +22,8 @@ allow phpfpm_t phpfpm_tmp_t:lnk_file { create unlink };
 miscfiles_read_all_certs(phpfpm_t)
 miscfiles_read_fonts(phpfpm_t)
 
+corecmd_exec_shell(phpfpm_t)
+
 corenet_tcp_connect_pop_port(phpfpm_t)
 corenet_tcp_connect_http_port(phpfpm_t)
 corenet_tcp_connect_sieve_port(phpfpm_t)
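Review bot: `corecmd_exec_shell(phpfpm_t)` gives the php-fpm domain the right to execute the system shell, presumably without a domain transition, which is a broad permission for a domain that already has outbound TCP access to the pop, http and sieve ports listed just below it, and the hunk carries no comment recording why it is required. If the shell is needed only so that PHP's mail() can launch sendmail, refpolicy's `mta_send_mail(phpfpm_t)` is the narrower interface and is worth trying first; if exec of the shell is still necessary, a comment above the line such as `# PHP mail() runs the sendmail command through /bin/sh -c` would keep a later cleanup from removing it. The version bump in the first hunk needs no change.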