Bug 453990

I noticed a new avc deny on my server:
avc:  denied  { node_bind } for  pid=7620 comm="smtp" saddr=<local_ipv6> ipaddr=<some_ipv4> scontext=staff_u:system_r:postfix_smtp_t tcontext=system_u:object_r:node_t tclass=tcp_socket

(the staff_u probably comes from the fact that I restarted the service, right ?)

In the postfix logs, I can see the following warning when a mail goes out directly to some IPv6-enabled SMTP server:
postfix/smtpd[7616]: connect from <known_authorized_host>
postfix/smtpd[7616]: Anonymous TLS connection established from <known_authorized_host>: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
postfix/smtpd[7616]: <QueueID>: client=<known_authorized_host>
postfix/cleanup[7619]: <QueueID>:  message-id=.....
postfix/qmgr[25069]: <QueueID>: from=<...>, size=..., nrcpt=.. (queue active)
postfix/smtpd[7616]: disconnect from <known_authorized_host>
postfix/smtp[7620]: warning: smtp_connect_addr: bind <local_ipv6>: Permission denied
postfix/smtp[7620]: <QueueID>: to=<....>, relay=...[distant_ipv6]:25, delay=.., delays=..., dsn=2.0.0, status=sent (...)
[...]
postfix/qmgr[25069]: <QueueID>: removed

Looking at the src/smtp/smtp_connect.c in the postfix sources, I read:
[...]
    /*
     * Allow the sysadmin to specify the source address, for example, as "-o
     * smtp_bind_address=x.x.x.x" in the master.cf file.
     */
[... I do not specify it ...]
    /*
     * When running as a virtual host, bind to the virtual interface so that
     * the mail appears to come from the "right" machine address.
     *
     * XXX The IPv6 patch expands the null host (as client endpoint) and uses
     * the result as the loopback address list.
     */
    else {
[...code containing a bind and a msg_warn corresponding to my warning...]

After adding the following rule, I saw no more warning in (avc|mail).log:
''allow postfix_smtp_t node_t:tcp_socket node_bind;''