From Debian package 0.2.20091117-2
Updated in 0.2.20100524-5
0.2.20091117-2
* Use lda_t for mail local delivery
0.2.20100524-5
* Allow lda_t to talk to the Courier Authdaemon - for courier maildrop
* Don't include /usr/lib/dovecot/deliver in dovecot.fc/te as it's in lda.pp
Adds courier_authdaemon_client interface
Index: policy/modules/services/lda.fc
===================================================================
--- /dev/null
+++ policy/modules/services/lda.fc
@@ -0,0 +1,9 @@
+
+/usr/bin/procmail -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/sbin/deliverquota.maildrop -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/bin/mailbot -- gen_context(system_u:object_r:lda_exec_t,s0)
+
+/etc/courier/maildroprc -- gen_context(system_u:object_r:lda_etc_t,s0)
+/var/log/maildrop.log -- gen_context(system_u:object_r:lda_log_t,s0)
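Review bot: `/usr/lib/dovecot/deliver` at line 18 is labelled lda_exec_t unconditionally, while the matching removal in dovecot.fc happens only inside its `ifdef(`distro_debian'` block and dovecot.te keeps dovecot_deliver_t under `ifdef(`distro_redhat'`. On a Red Hat build both modules would then claim the same path, which I would expect setfiles/semodule to report as a conflicting specification; wrapping the entry as `ifdef(`distro_debian', `/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:lda_exec_t,s0)')` (or an `ifndef(`distro_redhat'` guard to mirror dovecot.te) keeps the two modules on one condition. Whether dovecot.fc still labels this path outside its Debian block is not visible in this patch, so that should be checked against the full file.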
Index: policy/modules/services/lda.if
===================================================================
--- /dev/null
+++ policy/modules/services/lda.if
@@ -0,0 +1,41 @@
+## mail delivery agent
+
+########################################
+##
+## Execute lda with a domain transition.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lda_domtrans',`
+ gen_require(`
+ type lda_exec_t, lda_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ domtrans_pattern($1,lda_exec_t,lda_t)
+')
+
+########################################
+##
+## Execute lda in the caller domain.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`lda_exec',`
+ gen_require(`
+ type lda_exec_t;
+ ')
+
+ files_search_usr($1)
+ corecmd_search_bin($1)
+ can_exec($1,lda_exec_t)
+')
Index: policy/modules/services/lda.te
===================================================================
--- /dev/null
+++ policy/modules/services/lda.te
@@ -0,0 +1,162 @@
+
+policy_module(lda, 1.9.0)
+
+########################################
+#
+# Declarations
+#
+
+type lda_t;
+typealias lda_t alias procmail_t;
+type lda_exec_t;
+typealias lda_exec_t alias procmail_exec_t;
+application_domain(lda_t,lda_exec_t)
+role system_r types lda_t;
+
+type lda_tmp_t;
+typealias lda_tmp_t alias procmail_tmp_t;
+files_tmp_file(lda_tmp_t)
+
+type lda_etc_t;
+files_config_file(lda_etc_t)
+
+type lda_log_t;
+logging_log_file(lda_log_t)
+manage_files_pattern(lda_t,lda_log_t,lda_log_t)
+logging_log_filetrans(lda_t,lda_log_t,file)
+
+
+########################################
+#
+# Local policy
+#
+
+allow lda_t self:capability { sys_nice chown setuid setgid dac_override };
+allow lda_t self:process { setsched signal signull };
+allow lda_t self:fifo_file rw_fifo_file_perms;
+allow lda_t self:unix_stream_socket create_socket_perms;
+allow lda_t self:unix_dgram_socket create_socket_perms;
+allow lda_t self:tcp_socket create_stream_socket_perms;
+allow lda_t self:udp_socket create_socket_perms;
+read_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+read_lnk_files_pattern(lda_t,lda_etc_t,lda_etc_t)
+
+can_exec(lda_t,lda_exec_t)
+
+allow lda_t lda_tmp_t:file manage_file_perms;
+files_tmp_filetrans(lda_t, lda_tmp_t, file)
+
+kernel_read_system_state(lda_t)
+kernel_read_kernel_sysctls(lda_t)
+
+corenet_all_recvfrom_unlabeled(lda_t)
+corenet_all_recvfrom_netlabel(lda_t)
+corenet_tcp_sendrecv_all_if(lda_t)
+corenet_udp_sendrecv_all_if(lda_t)
+corenet_tcp_sendrecv_all_nodes(lda_t)
+corenet_udp_sendrecv_all_nodes(lda_t)
+corenet_tcp_sendrecv_all_ports(lda_t)
+corenet_udp_sendrecv_all_ports(lda_t)
+corenet_udp_bind_all_nodes(lda_t)
+corenet_tcp_connect_spamd_port(lda_t)
+corenet_sendrecv_spamd_client_packets(lda_t)
+corenet_sendrecv_comsat_client_packets(lda_t)
+
+dev_read_urand(lda_t)
+
+fs_getattr_xattr_fs(lda_t)
+fs_search_auto_mountpoints(lda_t)
+fs_rw_anon_inodefs_files(lda_t)
+
+auth_use_nsswitch(lda_t)
+
+corecmd_exec_bin(lda_t)
+corecmd_exec_shell(lda_t)
+
+files_read_etc_files(lda_t)
+files_read_etc_runtime_files(lda_t)
+files_search_pids(lda_t)
+# for spamassasin
+files_read_usr_files(lda_t)
+
+libs_use_ld_so(lda_t)
+libs_use_shared_libs(lda_t)
+
+logging_send_syslog_msg(lda_t)
+
+miscfiles_read_localization(lda_t)
+
+# only works until we define a different type for maildir
+userdom_manage_user_home_content_dirs(lda_t)
+userdom_manage_user_home_content_files(lda_t)
+userdom_user_home_dir_filetrans_user_home_content(lda_t, { dir file })
+
+optional_policy(`
+ gen_require(`
+ bool daemon_access_unconfined_home;
+ ')
+# tunable_policy(`daemon_access_unconfined_home', `
+# unconfined_write_home_content_files(lda_t)
+# ')
+')
+
+mta_manage_spool(lda_t)
+
+ifdef(`hide_broken_symptoms',`
+ mta_dontaudit_rw_queue(lda_t)
+')
+
+tunable_policy(`use_nfs_home_dirs',`
+ fs_manage_nfs_dirs(lda_t)
+ fs_manage_nfs_files(lda_t)
+ fs_manage_nfs_symlinks(lda_t)
+')
+
+tunable_policy(`use_samba_home_dirs',`
+ fs_manage_cifs_dirs(lda_t)
+ fs_manage_cifs_files(lda_t)
+ fs_manage_cifs_symlinks(lda_t)
+')
+
+optional_policy(`
+ clamav_domtrans_clamscan(lda_t)
+ clamav_search_lib(lda_t)
+')
+
+optional_policy(`
+ courier_authdaemon_client(lda_t)
+')
+
+optional_policy(`
+ munin_dontaudit_search_lib(lda_t)
+')
+
+optional_policy(`
+ # for a bug in the postfix local program
+ postfix_dontaudit_rw_local_tcp_sockets(lda_t)
+ postfix_dontaudit_use_fds(lda_t)
+ postfix_read_spool_files(lda_t)
+ postfix_read_local_state(lda_t)
+ postfix_read_master_state(lda_t)
+')
+
+optional_policy(`
+ pyzor_domtrans(lda_t)
+')
+
+optional_policy(`
+ mta_read_config(lda_t)
+ sendmail_domtrans(lda_t)
+ sendmail_rw_tcp_sockets(lda_t)
+ sendmail_rw_unix_stream_sockets(lda_t)
+')
+
+optional_policy(`
+ corenet_udp_bind_generic_port(lda_t)
+ corenet_dontaudit_udp_bind_all_ports(lda_t)
+
+ spamassassin_exec(lda_t)
+ spamassassin_exec_client(lda_t)
+ spamassassin_read_lib_files(lda_t)
+')
+
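Review bot: The `optional_policy` block at lines 167-174 requires `bool daemon_access_unconfined_home` and then uses it only in a commented-out tunable, so it is dead policy whose sole effect is a requirement on whichever module declares that boolean; either drop the block or restore the `tunable_policy` body. Separately, lda_t carries only the old procmail rules, while the dovecot_deliver_t rules that this patch disables on Debian (e.g. `allow dovecot_deliver_t dovecot_t:process signull;` in dovecot.te, plus whatever follows it outside this patch) have no counterpart here, so dovecot's deliver running as lda_t is likely to be denied its config and auth-socket access unless a dovecot interface is added under `optional_policy`. Also, the `manage_files_pattern` and `logging_log_filetrans` rules at lines 98-99 sit in the Declarations section; refpolicy style keeps rules under Local policy, next to the other lda_t file rules.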
Index: policy/modules/services/postfix.te
===================================================================
--- policy/modules/services/postfix.te.orig
+++ policy/modules/services/postfix.te
@@ -311,7 +311,7 @@
')
optional_policy(`
- procmail_domtrans(postfix_local_t)
+ lda_domtrans(postfix_local_t)
')
########################################
@@ -417,6 +417,10 @@
')
optional_policy(`
+ lda_domtrans(postfix_pipe_t)
+')
+
+optional_policy(`
mailman_domtrans_queue(postfix_pipe_t)
')
Index: policy/modules/services/courier.if
===================================================================
--- policy/modules/services/courier.if.orig
+++ policy/modules/services/courier.if
@@ -106,6 +106,25 @@
########################################
##
+## Act as a client for the courier authdaemon
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`courier_authdaemon_client',`
+ gen_require(`
+ type courier_authdaemon_t, courier_etc_t, courier_var_run_t;
+ ')
+ allow $1 courier_authdaemon_t:unix_stream_socket connectto;
+ allow $1 courier_etc_t:dir search;
+ allow $1 courier_var_run_t:sock_file write;
+')
+
+########################################
+##
## Execute the courier POP3 and IMAP server with
## a domain transition.
##
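Review bot: The new `courier_authdaemon_client` interface allows `write` on courier_var_run_t sock_files (line 277) but never grants `search` on courier_var_run_t directories, so if the authdaemon socket lives in a directory of that type (not visible in this patch) the client is stopped at the directory lookup before it reaches the socket. The refpolicy idiom covers dir search, sock_file write and connectto in one macro: replace lines 275 and 277 with `files_search_pids($1)` and `stream_connect_pattern($1, courier_var_run_t, courier_var_run_t, courier_authdaemon_t)`, keeping `allow $1 courier_etc_t:dir search;` if the config directory lookup is still needed. The summary comment could also state that this grants socket connect only, not read access to courier_etc_t files, so callers do not assume more than it provides.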
Index: policy/modules/services/dovecot.fc
===================================================================
--- policy/modules/services/dovecot.fc.orig
+++ policy/modules/services/dovecot.fc
@@ -25,7 +25,6 @@
ifdef(`distro_debian', `
/usr/lib/dovecot/dovecot-auth -- gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
-/usr/lib/dovecot/deliver -- gen_context(system_u:object_r:dovecot_deliver_exec_t,s0)
/usr/lib/dovecot/.+ -- gen_context(system_u:object_r:bin_t,s0)
')
Index: policy/modules/services/dovecot.te
===================================================================
--- policy/modules/services/dovecot.te.orig
+++ policy/modules/services/dovecot.te
@@ -20,11 +20,13 @@
type dovecot_cert_t;
files_type(dovecot_cert_t)
+ifdef(`distro_redhat', `
type dovecot_deliver_t;
type dovecot_deliver_exec_t;
domain_type(dovecot_deliver_t)
domain_entry_file(dovecot_deliver_t, dovecot_deliver_exec_t)
role system_r types dovecot_deliver_t;
+')
type dovecot_etc_t;
files_config_file(dovecot_etc_t)
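Review bot: Wrapping the dovecot_deliver_t declarations at lines 302-308 in `ifdef(`distro_redhat'` removes the type on every non-Red Hat build, not just Debian, so any remaining rule in dovecot.te outside the guarded spans, or a dovecot.if interface whose `gen_require` names dovecot_deliver_t, would fail to compile there; none is visible in this patch, so this needs checking against the full files. Since the motivating change in dovecot.fc is keyed on `ifdef(`distro_debian'`, guarding these declarations with `ifndef(`distro_debian'` would keep both files on the same condition. The `ifdef(`distro_redhat'` opened at line 315 in the following hunk is closed only at line 323, so the deliver local policy between them lies outside this patch's view.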
@@ -251,6 +253,7 @@
#
# dovecot deliver local policy
#
+ifdef(`distro_redhat', `
allow dovecot_deliver_t self:unix_dgram_socket create_socket_perms;
allow dovecot_deliver_t dovecot_t:process signull;
@@ -305,6 +308,8 @@
optional_policy(`
mta_manage_spool(dovecot_deliver_t)
')
+# end ifdef distro_redhat
+')
optional_policy(`
mysql_tcp_connect(dovecot_auth_t)