From Debian package 0.2.20100524-11
0014-Debian-nagios-file-locations-and-additional-policy.patch (part of)
0075-postfix-policy-adjustments-Allow-user_mail_t-to-tran.patch (part of)
* Allow nagios services to connect to mysql servers via tcp and read /etc
files for mysql.
* Allow nagios_mail_plugin_t to read usr files.
* Allow postfix_postqueue_t to use a fd from nagios_mail_plugin_t.
* Allow nagios_checkdisk_plugin_t to getattr all mountpoint dirs, so it
can check the root directory of a filesystem.
Replaces the posftix_exec_postqueue interface (note the typo in the interface
name) with posftix_run_postqueue - it is still unclear where the domain transition
nagios_mail_plugin_t -> postfix_postqueue_t happens.
Index: policy/modules/contrib/nagios.te
===================================================================
--- policy/modules/contrib/nagios.te.orig
+++ policy/modules/contrib/nagios.te
@@ -320,6 +320,8 @@
sysnet_read_config(nagios_mail_plugin_t)
+files_read_usr_files(nagios_mail_plugin_t)
+
optional_policy(`
mta_send_mail(nagios_mail_plugin_t)
')
@@ -334,7 +336,7 @@
optional_policy(`
postfix_stream_connect_master(nagios_mail_plugin_t)
- posftix_exec_postqueue(nagios_mail_plugin_t)
+ posftix_run_postqueue(nagios_mail_plugin_t)
postfix_list_spool(nagios_mail_plugin_t)
postfix_read_spool_files(nagios_mail_plugin_t)
')
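Review bot: Replacing posftix_exec_postqueue with posftix_run_postqueue removes the only `can_exec($1, postfix_postqueue_exec_t)` visible in this patch, and the new interface (postfix.if hunk below) grants neither execute access nor a domain transition, so unless a transition rule exists outside this patch nagios_mail_plugin_t may no longer be able to launch postqueue at all; the description itself leaves that question open. If the intent is that postqueue runs in postfix_postqueue_t, pair this call with the postqueue transition interface (upstream refpolicy provides postfix_domtrans_postqueue; confirm it exists in this tree); if postqueue is meant to run in the plugin's own domain, keep the original can_exec line alongside the new call. The fd use / fifo / sigchld rules look like what a caller needs once the child really runs in postfix_postqueue_t, so they are not wrong, just incomplete on their own. The same gap applies to the postfix.if hunk that defines the new interface.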
@@ -351,6 +353,7 @@
files_read_etc_runtime_files(nagios_checkdisk_plugin_t)
fs_getattr_all_fs(nagios_checkdisk_plugin_t)
+files_getattr_all_mountpoints(nagios_checkdisk_plugin_t)
storage_raw_read_fixed_disk(nagios_checkdisk_plugin_t)
@@ -381,6 +384,8 @@
')
optional_policy(`
+ mysql_read_config(nagios_services_plugin_t)
+ mysql_tcp_connect(nagios_services_plugin_t)
mysql_stream_connect(nagios_services_plugin_t)
')
Index: policy/modules/contrib/postfix.if
===================================================================
--- policy/modules/contrib/postfix.if.orig
+++ policy/modules/contrib/postfix.if
@@ -458,7 +458,7 @@
#######################################
##
-## Execute the master postqueue in the caller domain.
+## Allow the master postqueue to use a fifo of the caller and send sigchld
##
##
##
@@ -466,12 +466,14 @@
##
##
#
-interface(`posftix_exec_postqueue',`
+interface(`posftix_run_postqueue',`
gen_require(`
- type postfix_postqueue_exec_t;
+ type postfix_postqueue_t;
')
- can_exec($1, postfix_postqueue_exec_t)
+ allow postfix_postqueue_t $1:fd use;
+ allow postfix_postqueue_t $1:fifo_file rw_file_perms;
+ allow postfix_postqueue_t $1:process sigchld;
')
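Review bot: The name posftix_run_postqueue follows the refpolicy `*_run_*` convention, which implies a domain transition plus a role argument, but this interface takes a single parameter and contains no domtrans — it only lets postfix_postqueue_t use the caller's fds, read/write the caller's fifo_file and send sigchld. A name that says what is granted, e.g. `posftix_postqueue_use_fds` (or fixing the long-standing typo while the interface is being renamed anyway), would not mislead callers into expecting a transition. The new summary line in the hunk above says "use a fifo", but `rw_file_perms` is read and write plus the usual file perms, so `## Allow the master postqueue domain to use fds, read and write fifos, and send sigchld to the caller domain.` describes the rules more accurately. Note also that `fd use` applies to any descriptor inherited from the caller, not only the fifo, which is worth stating in the description so callers understand what they hand over. The parameter-description `##` lines of this header are empty in this view; confirm they still document the one domain argument.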
########################################