From Debian package 0.0.20080702-14 Allow courier_pop_t to read /dev/urandom and to do ioctl on it's fifos. Also allow it to talk to portmap so the IMAP server can do FAM.
Index: policy/modules/services/courier.te
===================================================================
--- policy/modules/services/courier.te.orig
+++ policy/modules/services/courier.te
@@ -52,12 +52,9 @@
 allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_fifo_file_perms;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:unix_stream_socket rw_stream_socket_perms;
 allow courier_authdaemon_t courier_tcpd_t:process sigchld;
 allow courier_authdaemon_t courier_tcpd_t:fd use;
-allow courier_authdaemon_t courier_tcpd_t:tcp_socket rw_stream_socket_perms;
-allow courier_authdaemon_t courier_tcpd_t:fifo_file rw_file_perms;
 create_dirs_pattern(courier_authdaemon_t, courier_var_lib_t, courier_var_lib_t)
 manage_sock_files_pattern(courier_authdaemon_t, courier_spool_t, courier_spool_t)
@@ -101,6 +98,12 @@
 allow courier_pop_t courier_authdaemon_t:process sigchld;
 allow courier_pop_t courier_tcpd_t:{ unix_stream_socket tcp_socket } rw_stream_socket_perms;
+dev_read_urand(courier_pop_t)
+
+# for FAM with IMAP
+sysnet_use_portmap(courier_pop_t)
+corenet_tcp_bind_all_rpc_ports(courier_pop_t)
+corenet_tcp_bind_all_nodes(courier_pop_t)
 # inherits file handle - should it?
 allow courier_pop_t courier_var_lib_t:file { read write };
Index: policy/modules/services/courier.if
===================================================================
--- policy/modules/services/courier.if.orig
+++ policy/modules/services/courier.if
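Review bot: The three FAM lines in the second courier.te hunk grant courier_pop_t an unconditional right to bind every RPC port on every node (`corenet_tcp_bind_all_rpc_ports` plus `corenet_tcp_bind_all_nodes`) and to talk to portmap, even on installations that never run FAM, which is a much wider bind surface than the rest of this domain's section carries. Since the patch description frames this as an IMAP/FAM need, the allowance reads better gated behind a tunable so that only administrators who enable FAM carry it; the boolean name in the excerpt below is a placeholder to be declared with gen_tunable() in the declarations section, which lies outside this hunk. The comment `# for FAM with IMAP` also sits under a domain named courier_pop_t, so it would help a reader to state that imapd is confined by this same domain, if that is indeed the case, and `dev_read_urand(courier_pop_t)` deserves its own one-line why-comment rather than none.
```m4
# for FAM with IMAP (imapd appears to run in courier_pop_t - confirm)
# PLACEHOLDER boolean name: declare with gen_tunable() in the declarations block
tunable_policy(`courier_use_fam',`
	sysnet_use_portmap(courier_pop_t)
	corenet_tcp_bind_all_rpc_ports(courier_pop_t)
	corenet_tcp_bind_all_nodes(courier_pop_t)
')
dnl … unchanged: dev_read_urand and the courier_var_lib_t rules …
```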
@@ -29,7 +29,7 @@
 allow courier_$1_t self:capability dac_override;
 dontaudit courier_$1_t self:capability sys_tty_config;
 allow courier_$1_t self:process { setpgid signal_perms };
- allow courier_$1_t self:fifo_file { read write getattr };
+ allow courier_$1_t self:fifo_file rw_fifo_file_perms;
 allow courier_$1_t self:tcp_socket create_stream_socket_perms;
 allow courier_$1_t self:udp_socket create_socket_perms;
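Review bot: Replacing `{ read write getattr }` with `rw_fifo_file_perms` on `self:fifo_file` widens the permission set (it includes ioctl, among others) for every domain stamped out of this template, not only the courier_pop_t domain the patch description names, because `courier_$1_t` is the template parameter; authdaemon, tcpd and any other instantiation pick it up too. If only the pop/imap daemon needs the ioctl, the narrower alternative is one line in courier.te, `allow courier_pop_t self:fifo_file ioctl;`, leaving this template line as it was. If the template-wide widening is intended, a comment on the changed line saying so would stop the next reader from trying to undo it, e.g. `# ioctl on own fifos is needed by the daemons; granted template-wide on purpose`. The enclosing template starts before this hunk, so its declarations are not visible here.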