From 04926d07a8ab35594cebb6e1650de4d712efd8dd Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Sun, 23 Oct 2005 20:18:36 +0000 Subject: [PATCH] add postfix --- refpolicy/Changelog | 1 + refpolicy/policy/modules/services/cron.if | 39 +- refpolicy/policy/modules/services/mta.if | 64 +- refpolicy/policy/modules/services/mta.te | 19 +- refpolicy/policy/modules/services/postfix.fc | 59 ++ refpolicy/policy/modules/services/postfix.if | 219 +++++++ refpolicy/policy/modules/services/postfix.te | 569 ++++++++++++++++++ refpolicy/policy/modules/services/ppp.te | 14 + refpolicy/policy/modules/services/sendmail.te | 5 + refpolicy/policy/modules/system/files.if | 16 + refpolicy/policy/modules/system/init.if | 16 + refpolicy/policy/modules/system/init.te | 4 + refpolicy/policy/modules/system/miscfiles.if | 16 + refpolicy/policy/modules/system/sysnetwork.if | 16 + 14 files changed, 1049 insertions(+), 8 deletions(-) create mode 100644 refpolicy/policy/modules/services/postfix.fc create mode 100644 refpolicy/policy/modules/services/postfix.if create mode 100644 refpolicy/policy/modules/services/postfix.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index 732188f0..15dd3684 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -11,6 +11,7 @@ lpd networkmanager pegasus + postfix radius spamassassin xdm diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if index 2f1179c8..c20e9655 100644 --- a/refpolicy/policy/modules/services/cron.if +++ b/refpolicy/policy/modules/services/cron.if 
@@ -392,10 +392,26 @@ interface(`cron_read_pipe',` interface(`cron_rw_pipe',` gen_require(` type crond_t; - class file { read write }; ') - allow $1 crond_t:file { read write }; + allow $1 crond_t:fifo_file { read write }; +') + +######################################## +## +## Create, read, and write a cron daemon TCP socket. +## +## +## Domain allowed access. +## +# +# cjp: need to fix this name +interface(`cron_crw_tcp_socket',` + gen_require(` + type crond_t; + ') + + allow $1 crond_t:tcp_socket { create read write }; ') ######################################## @@ -449,7 +465,6 @@ interface(`cron_domtrans_anacron_system_job',` interface(`cron_use_system_job_fd',` gen_require(` type system_crond_t; - class fd use; ') allow $1 system_crond_t:fd use; @@ -457,7 +472,7 @@ interface(`cron_use_system_job_fd',` ######################################## ## -## Wrate a system cron job unnamed pipe. +## Write a system cron job unnamed pipe. ## ## ## Domain allowed access. @@ -472,6 +487,22 @@ interface(`cron_write_system_job_pipe',` allow $1 system_crond_t:file write; ') +######################################## +## +## Read and write a system cron job unnamed pipe. +## +## +## Domain allowed access. +## +# +interface(`cron_rw_system_job_pipe',` + gen_require(` + type system_crond_t; + ') + + allow $1 system_crond_t:file rw_file_perms; +') + ######################################## ## ## Read temporary files from the system cron jobs. diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index c452cf04..26ac53e8 100644 --- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if 
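Review bot: `cron_rw_system_job_pipe` grants `allow $1 system_crond_t:file rw_file_perms;` although the first hunk in this file corrects the very same mistake in `cron_rw_pipe`, changing `crond_t:file` to `crond_t:fifo_file`; an inherited unnamed pipe is a fifo_file object, so the new rule should read `allow $1 system_crond_t:fifo_file rw_file_perms;`. The pre-existing `cron_write_system_job_pipe` visible as context above it (`allow $1 system_crond_t:file write;`) appears to have the same problem and could be fixed in the same pass. In the first hunk, `cron_crw_tcp_socket` carries a `# cjp: need to fix this name` marker; a name following the `rw_` convention of the neighbouring interfaces, with the `create` permission called out in the summary, would let that TODO be removed.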
@@ -43,11 +43,11 @@ interface(`mta_stub',` # template(`mta_per_userdomain_template',` gen_require(` - attribute mailserver_domain, mta_user_agent; + attribute mailserver_domain, mta_user_agent, user_mail_domain; type sendmail_exec_t; ') - type $1_mail_t; + type $1_mail_t, user_mail_domain; domain_type($1_mail_t) role $3 types $1_mail_t; @@ -128,6 +128,12 @@ template(`mta_per_userdomain_template',` nscd_use_socket($1_mail_t) ') + optional_policy(`postfix.te',` + allow $1_mail_t self:capability dac_override; + postfix_read_config($1_mail_t) + postfix_list_spool($1_mail_t) + ') + ifdef(`TODO',` optional_policy(`procmail.te',` procmail_execute($1_mail_t) @@ -376,7 +382,7 @@ interface(`mta_rw_aliases',` ') files_search_etc($1) - allow sendmail_t etc_aliases_t:file { rw_file_perms setattr }; + allow $1 etc_aliases_t:file { rw_file_perms setattr }; ') ####################################### @@ -490,6 +496,24 @@ interface(`mta_append_spool',` allow $1 mail_spool_t:file create_file_perms; ') +####################################### +## +## Delete from the mail spool. +## +## +## Domain allowed access. +## +# +interface(`mta_delete_spool',` + gen_require(` + type mail_spool_t; + ') + + files_search_spool($1) + allow $1 mail_spool_t:dir { list_dir_perms write remove_name }; + allow $1 mail_spool_t:file unlink; +') + ####################################### # # mta_manage_spool(domain) 
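Review bot: The postfix block added to `mta_per_userdomain_template` grants `allow $1_mail_t self:capability dac_override;` to every per-user mail domain, but nothing in the hunk says which file access needs it; dac_override lets the domain ignore mode bits on any object the policy already lets it reach, so a one-line comment naming the path or operation it covers (or a narrower rule on that object) would let a later reviewer confirm it is still required. The template's body continues outside this hunk. In the fourth hunk, `mta_delete_spool` is documented as "Delete from the mail spool" but also grants `list_dir_perms` on `mail_spool_t:dir`; mentioning the listing access in the summary keeps the interface description honest.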
@@ -523,3 +547,37 @@ interface(`mta_manage_queue',` allow $1 mqueue_spool_t:dir rw_dir_perms; allow $1 mqueue_spool_t:file create_file_perms; ') + +####################################### +## +## Read sendmail binary. +## +## +## Domain allowed access. +## +# +# cjp: added for postfix +interface(`mta_read_sendmail_bin',` + gen_require(` + type sendmail_exec_t;; + ') + + allow $1 sendmail_exec_t:file r_file_perms; +') + +####################################### +## +## Read and write unix domain stream sockets +## of user mail domains. +## +## +## Domain allowed access. +## +# +interface(`mta_rw_user_mail_stream_socket',` + gen_require(` + attribute user_mail_domain; + ') + + allow $1 user_mail_domain:unix_stream_socket rw_socket_perms; +') diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 7eaca383..a1c95136 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -11,6 +11,8 @@ attribute mailserver_delivery; attribute mailserver_domain; attribute mailserver_sender; +attribute user_mail_domain; + type etc_aliases_t; files_type(etc_aliases_t) @@ -152,8 +154,23 @@ optional_policy(`nscd.te',` nscd_use_socket(system_mail_t) ') +optional_policy(`postfix.te',` + postfix_stub(system_mail_t) + + allow system_mail_t etc_aliases_t:dir create_dir_perms; + allow system_mail_t etc_aliases_t:file create_file_perms; + allow system_mail_t etc_aliases_t:lnk_file create_lnk_perms; + allow system_mail_t etc_aliases_t:sock_file create_file_perms; + allow system_mail_t etc_aliases_t:fifo_file create_file_perms; + files_create_etc_config(sysadm_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file }) + + optional_policy(`crond.te',` + cron_crw_tcp_socket(system_mail_t) + ') +') + optional_policy(`sendmail.te',` - sendmail_stub() + sendmail_stub(system_mail_t) allow system_mail_t etc_mail_t:dir { getattr search }; 
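Review bot: The gen_require in `mta_read_sendmail_bin` has a doubled terminator, `type sendmail_exec_t;;`; the stray `;` is passed straight through m4 into the expanded policy and is likely to be rejected as a bare statement, so it should read `type sendmail_exec_t;`. The `# cjp: added for postfix` marker above the interface is a history note that belongs in the commit message rather than the file; the `##` summary already says what the interface does.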
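Review bot: Inside the new `optional_policy(`postfix.te',` block in mta.te every allow rule is for `system_mail_t`, yet the type transition is `files_create_etc_config(sysadm_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })`; `sysadm_mail_t` gets no matching allow rules here and `system_mail_t` gets no transition, so one of the two domains is presumably a slip and the line should probably be `files_create_etc_config(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file })`. The same block also lets `system_mail_t` create `etc_aliases_t` directories, sock_files and fifo_files, which is more than rebuilding an alias database appears to need; if those classes are only there for convenience, trimming them to `file` and `lnk_file` would narrow the system mail agent's write reach into /etc.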
diff --git a/refpolicy/policy/modules/services/postfix.fc b/refpolicy/policy/modules/services/postfix.fc new file mode 100644 index 00000000..ce02866e --- /dev/null +++ b/refpolicy/policy/modules/services/postfix.fc 
@@ -0,0 +1,59 @@
+# postfix
+/etc/postfix(/.*)? gen_context(system_u:object_r:postfix_etc_t,s0)
+ifdef(`distro_redhat', `
+/etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0)
+/usr/libexec/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/libexec/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/libexec/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/libexec/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/libexec/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/libexec/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/libexec/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/libexec/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/libexec/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/libexec/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/libexec/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+', `
+/usr/lib/postfix/.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/usr/lib/postfix/cleanup -- gen_context(system_u:object_r:postfix_cleanup_exec_t,s0)
+/usr/lib/postfix/local -- gen_context(system_u:object_r:postfix_local_exec_t,s0)
+/usr/lib/postfix/master -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/lib/postfix/pickup -- gen_context(system_u:object_r:postfix_pickup_exec_t,s0)
+/usr/lib/postfix/(n)?qmgr -- gen_context(system_u:object_r:postfix_qmgr_exec_t,s0)
+/usr/lib/postfix/showq -- gen_context(system_u:object_r:postfix_showq_exec_t,s0)
+/usr/lib/postfix/smtp -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/scache -- gen_context(system_u:object_r:postfix_smtp_exec_t,s0)
+/usr/lib/postfix/smtpd -- gen_context(system_u:object_r:postfix_smtpd_exec_t,s0)
+/usr/lib/postfix/bounce -- gen_context(system_u:object_r:postfix_bounce_exec_t,s0)
+/usr/lib/postfix/pipe -- gen_context(system_u:object_r:postfix_pipe_exec_t,s0)
+')
+/etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
+/etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0)
+/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
+/usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postkick -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlock -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postlog -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/postmap -- gen_context(system_u:object_r:postfix_map_exec_t,s0)
+/usr/sbin/postqueue -- gen_context(system_u:object_r:postfix_postqueue_exec_t,s0)
+/usr/sbin/postsuper -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
+/usr/sbin/rmail -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/usr/sbin/sendmail.postfix -- gen_context(system_u:object_r:sendmail_exec_t,s0)
+/var/spool/postfix(/.*)? gen_context(system_u:object_r:postfix_spool_t,s0)
+/var/spool/postfix/maildrop(/.*)? gen_context(system_u:object_r:postfix_spool_maildrop_t,s0)
+/var/spool/postfix/pid -d gen_context(system_u:object_r:var_run_t,s0)
+/var/spool/postfix/pid/.* gen_context(system_u:object_r:postfix_var_run_t,s0)
+/var/spool/postfix/private(/.*)? gen_context(system_u:object_r:postfix_private_t,s0)
+/var/spool/postfix/public(/.*)? gen_context(system_u:object_r:postfix_public_t,s0)
+/var/spool/postfix/bounce(/.*)? gen_context(system_u:object_r:postfix_spool_bounce_t,s0)
+/var/spool/postfix/flush(/.*)? gen_context(system_u:object_r:postfix_spool_flush_t,s0)
+/var/spool/postfix/etc(/.*)? gen_context(system_u:object_r:etc_t,s0)
+/var/spool/postfix/lib(64)?(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/var/spool/postfix/usr(/.*)? gen_context(system_u:object_r:lib_t,s0)
+/var/spool/postfix/lib(64)?/ld.*\.so.* -- gen_context(system_u:object_r:ld_so_t,s0)
+/var/spool/postfix/lib(64)?/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+/var/spool/postfix/lib(64)?/[^/]*/lib.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
+/var/spool/postfix/lib(64)?/devfsd/.*\.so.* -- gen_context(system_u:object_r:shlib_t,s0)
diff --git a/refpolicy/policy/modules/services/postfix.if b/refpolicy/policy/modules/services/postfix.if
new file mode 100644
index 00000000..bf94aeca
--- /dev/null
+++ b/refpolicy/policy/modules/services/postfix.if
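Review bot: In postfix.fc `/usr/sbin/postalias` is labelled `postfix_master_exec_t` while `/usr/sbin/postmap` gets its own `postfix_map_exec_t`, so building an alias database runs in the master daemon's domain, which in postfix.te holds `chown`, `setuid`, `net_bind_service` and the all-ports network rules, whereas the equivalent table-building program gets the narrower map domain; unless the master domain is actually required for postalias, labelling it `postfix_map_exec_t` too, or a comment explaining the split, would keep the two consistent. Likewise `/usr/libexec/postfix/scache` (and its /usr/lib counterpart) shares `postfix_smtp_exec_t` with the smtp client; a short comment saying this is deliberate would stop the next reader treating it as a copy-paste slip.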
@@ -0,0 +1,219 @@ +## Postfix email server + +######################################## +## +## Postfix stub interface. No access allowed. +## +## +## N/A +## +# +interface(`postfix_stub',` + gen_require(` + type postfix_master_t; + ') +') + +template(`postfix_domain_template',` + type postfix_$1_t; + type postfix_$1_exec_t; + domain_type(postfix_$1_t) + domain_entry_file(postfix_$1_t,postfix_$1_exec_t) + role system_r types postfix_$1_t; + + dontaudit postfix_$1_t self:capability sys_tty_config; + allow postfix_$1_t self:process { signal_perms setpgid }; + allow postfix_$1_t self:unix_dgram_socket create_socket_perms; + allow postfix_$1_t self:unix_stream_socket create_stream_socket_perms; + allow postfix_$1_t self:unix_stream_socket connectto; + + allow postfix_master_t postfix_$1_t:process signal; + + allow postfix_$1_t postfix_etc_t:dir r_dir_perms; + allow postfix_$1_t postfix_etc_t:file r_file_perms; + + can_exec(postfix_$1_t, postfix_$1_exec_t) + + allow postfix_$1_t postfix_exec_t:file rx_file_perms; + # cjp: ??? 
+ allow postfix_$1_t postfix_exec_t:dir r_dir_perms; + + allow postfix_$1_t postfix_master_t:process sigchld; + + allow postfix_$1_t postfix_spool_t:dir r_dir_perms; + + allow postfix_$1_t postfix_var_run_t:file manage_file_perms; + files_create_pid(postfix_$1_t,postfix_var_run_t) + + kernel_read_system_state(postfix_$1_t) + kernel_read_network_state(postfix_$1_t) + kernel_read_all_sysctl(postfix_$1_t) + + dev_read_sysfs(postfix_$1_t) + dev_read_rand(postfix_$1_t) + dev_read_urand(postfix_$1_t) + + fs_search_auto_mountpoints(postfix_$1_t) + fs_getattr_xattr_fs(postfix_$1_t) + + term_dontaudit_use_console(postfix_$1_t) + + corecmd_list_bin(postfix_$1_t) + corecmd_list_sbin(postfix_$1_t) + corecmd_read_bin_symlink(postfix_$1_t) + corecmd_read_sbin_symlink(postfix_$1_t) + corecmd_exec_shell(postfix_$1_t) + + files_read_etc_files(postfix_$1_t) + files_read_etc_runtime_files(postfix_$1_t) + files_search_spool(postfix_$1_t) + files_getattr_tmp_dir(postfix_$1_t) + + init_use_fd(postfix_$1_t) + init_sigchld(postfix_$1_t) + + libs_use_ld_so(postfix_$1_t) + libs_use_shared_libs(postfix_$1_t) + + logging_send_syslog_msg(postfix_$1_t) + + miscfiles_read_localization(postfix_$1_t) + miscfiles_read_certs(postfix_$1_t) + + userdom_dontaudit_use_unpriv_user_fd(postfix_$1_t) + + ifdef(`targeted_policy', ` + term_dontaudit_use_unallocated_tty(postfix_$1_t) + term_dontaudit_use_generic_pty(postfix_$1_t) + files_dontaudit_read_root_file(postfix_$1_t) + ') + + optional_policy(`udev.te',` + udev_read_db(postfix_$1_t) + ') +') + +template(`postfix_server_domain_template',` + postfix_domain_template($1) + + allow postfix_$1_t self:capability { setuid setgid dac_override }; + allow postfix_$1_t postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms }; + allow postfix_$1_t self:tcp_socket create_socket_perms; + allow postfix_$1_t self:udp_socket create_socket_perms; + + domain_auto_trans(postfix_master_t, postfix_$1_exec_t, postfix_$1_t) + + 
corenet_tcp_sendrecv_all_if(postfix_$1_t) + corenet_udp_sendrecv_all_if(postfix_$1_t) + corenet_raw_sendrecv_all_if(postfix_$1_t) + corenet_tcp_sendrecv_all_nodes(postfix_$1_t) + corenet_udp_sendrecv_all_nodes(postfix_$1_t) + corenet_raw_sendrecv_all_nodes(postfix_$1_t) + corenet_tcp_sendrecv_all_ports(postfix_$1_t) + corenet_udp_sendrecv_all_ports(postfix_$1_t) + corenet_tcp_bind_all_nodes(postfix_$1_t) + corenet_udp_bind_all_nodes(postfix_$1_t) + corenet_tcp_connect_all_ports(postfix_$1_t) + + sysnet_read_config(postfix_$1_t) + + optional_policy(`nis.te',` + nis_use_ypbind(postfix_$1_t) + ') +') + +template(`postfix_user_domain_template',` + postfix_domain_template($1) + + allow postfix_$1_t self:capability dac_override; + + domain_auto_trans(user_mail_domain, postfix_$1_exec_t, postfix_$1_t) + + # this is replaced by run interfaces + role sysadm_r types postfix_$1_t; + allow postfix_$1_t userdomain:process sigchld; + allow postfix_$1_t userdomain:fifo_file { write getattr }; + allow postfix_$1_t { userdomain privfd }:fd use; + +') + +template(`postfix_public_domain_template',` + postfix_server_domain_template($1) + + allow postfix_$1_t postfix_public_t:dir search; +') + +######################################## +## +## Read postfix configuration files. +## +## +## Domain allowed access. +## +# +interface(`postfix_read_config',` + gen_require(` + type postfix_etc_t; + ') + + allow $1 postfix_etc_t:dir { getattr read search }; + allow $1 postfix_etc_t:file { read getattr }; + allow $1 postfix_etc_t:lnk_file { getattr read }; + files_search_etc($1) +') + +######################################## +## +## Execute the master postfix program in the +## postfix_master domain. +## +## +## Domain allowed access. 
+## +# +interface(`postfix_domtrans_master',` + gen_require(` + type postfix_master_t, postfix_master_exec_t; + ') + + domain_auto_trans($1,postfix_master_exec_t,postfix_master_t) + + allow $1 postfix_master_t:fd use; + allow postfix_master_t $1:fd use; + allow postfix_master_t $1:fifo_file rw_file_perms; + allow postfix_master_t $1:process sigchld; +') + +######################################## +## +## Search postfix mail spool directories. +## +## +## Domain allowed access. +## +# +interface(`postfix_search_spool',` + gen_require(` + type postfix_spool_t; + ') + + allow $1 postfix_spool_t:dir search_dir_perms; + files_search_spool($1) +') + +######################################## +## +## List postfix mail spool directories. +## +## +## Domain allowed access. +## +# +interface(`postfix_list_spool',` + gen_require(` + type postfix_spool_t; + ') + + allow $1 postfix_spool_t:dir list_dir_perms; + files_search_spool($1) +') diff --git a/refpolicy/policy/modules/services/postfix.te b/refpolicy/policy/modules/services/postfix.te new file mode 100644 index 00000000..bbacedea --- /dev/null +++ b/refpolicy/policy/modules/services/postfix.te 
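Review bot: The four templates `postfix_domain_template`, `postfix_server_domain_template`, `postfix_user_domain_template` and `postfix_public_domain_template` have no `##` summary/parameter header, unlike every interface in the same file; each should get one stating what `$1` is (the per-program suffix that becomes `postfix_$1_t` and `postfix_$1_exec_t`) and, for the server and user variants, which parent domain the `domain_auto_trans` call wires up. The line `allow postfix_$1_t postfix_exec_t:dir r_dir_perms;` marked `# cjp: ???` looks unreachable as written, since every `postfix_exec_t` entry in postfix.fc is a `--` regular-file match, so no directory carries that type; either drop the rule or replace the marker with a comment naming the directory it is meant for. `postfix_server_domain_template` also gives every domain built from it `corenet_tcp_connect_all_ports` and `corenet_tcp_bind_all_nodes`; of the domains instantiated in postfix.te only the smtp and smtpd ones appear to need outbound connects or listening sockets, so moving those two calls into the per-domain sections would keep bounce, cleanup, pickup, pipe, qmgr and local off the network.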
@@ -0,0 +1,569 @@ + +policy_module(postfix,1.0) + +######################################## +# +# Declarations +# + +postfix_public_domain_template(bounce) + +type postfix_spool_bounce_t; +files_type(postfix_spool_bounce_t) + +postfix_public_domain_template(cleanup) + +type postfix_etc_t; +files_type(postfix_etc_t) + +type postfix_exec_t; +files_type(postfix_exec_t) + +postfix_server_domain_template(local) +mta_mailserver_delivery(postfix_local_t) + +type postfix_local_tmp_t; +files_tmp_file(postfix_local_tmp_t) + +# Program for creating database files +type postfix_map_t; +type postfix_map_exec_t; +domain_type(postfix_map_t) +domain_entry_file(postfix_map_t,postfix_map_exec_t) + +type postfix_map_tmp_t; +files_tmp_file(postfix_map_tmp_t) + +postfix_domain_template(master) +mta_mailserver(postfix_master_t,postfix_master_exec_t) + +postfix_public_domain_template(pickup) + +postfix_public_domain_template(pipe) + +postfix_user_domain_template(postdrop) +mta_mailserver_user_agent(postfix_postdrop_t) + +postfix_user_domain_template(postqueue) + +type postfix_private_t; +files_type(postfix_private_t) + +type postfix_prng_t; +files_type(postfix_prng_t) + +postfix_public_domain_template(qmgr) + +postfix_user_domain_template(showq) + +postfix_server_domain_template(smtp) +mta_mailserver_sender(postfix_smtp_t) + +postfix_server_domain_template(smtpd) + +type postfix_spool_t; +files_type(postfix_spool_t) + +type postfix_spool_maildrop_t; +files_type(postfix_spool_maildrop_t) + +type postfix_spool_flush_t; +files_type(postfix_spool_flush_t) + +type postfix_public_t; +files_type(postfix_public_t) + +type postfix_var_run_t; +files_pid_file(postfix_var_run_t) + +######################################## +# +# Postfix master process local policy +# + +# chown is to set the correct ownership of queue dirs +allow postfix_master_t self:capability { chown dac_override kill setgid setuid net_bind_service sys_tty_config }; +allow postfix_master_t self:fifo_file rw_file_perms; +allow 
postfix_master_t self:tcp_socket create_stream_socket_perms; +allow postfix_master_t self:udp_socket create_socket_perms; + +can_exec(postfix_master_t,postfix_exec_t) + +allow postfix_master_t postfix_map_exec_t:file rx_file_perms; + +allow postfix_master_t postfix_postdrop_exec_t:file getattr; + +allow postfix_master_t postfix_postqueue_exec_t:file getattr; + +allow postfix_master_t postfix_private_t:dir rw_dir_perms; +allow postfix_master_t postfix_private_t:sock_file create_file_perms; +allow postfix_master_t postfix_private_t:fifo_file create_file_perms; + +allow postfix_master_t postfix_prng_t:file rw_file_perms; + +allow postfix_master_t postfix_public_t:fifo_file create_file_perms; +allow postfix_master_t postfix_public_t:sock_file create_file_perms; +allow postfix_master_t postfix_public_t:dir rw_dir_perms; + +# allow access to deferred queue and allow removing bogus incoming entries +allow postfix_master_t postfix_spool_t:dir create_dir_perms; +allow postfix_master_t postfix_spool_t:file create_file_perms; + +allow postfix_master_t postfix_spool_flush_t:dir create_dir_perms; +allow postfix_master_t postfix_spool_flush_t:file create_file_perms; +allow postfix_master_t postfix_spool_flush_t:lnk_file create_lnk_perms; + +allow postfix_master_t postfix_spool_maildrop_t:dir rw_dir_perms; +allow postfix_master_t postfix_spool_maildrop_t:file { unlink rename getattr }; + +kernel_read_all_sysctl(postfix_master_t) + +corenet_tcp_sendrecv_all_if(postfix_master_t) +corenet_udp_sendrecv_all_if(postfix_master_t) +corenet_raw_sendrecv_all_if(postfix_master_t) +corenet_tcp_sendrecv_all_nodes(postfix_master_t) +corenet_udp_sendrecv_all_nodes(postfix_master_t) +corenet_raw_sendrecv_all_nodes(postfix_master_t) +corenet_tcp_sendrecv_all_ports(postfix_master_t) +corenet_udp_sendrecv_all_ports(postfix_master_t) +corenet_tcp_bind_all_nodes(postfix_master_t) +corenet_udp_bind_all_nodes(postfix_master_t) +corenet_tcp_bind_amavisd_send_port(postfix_master_t) 
+corenet_tcp_bind_smtp_port(postfix_master_t) +corenet_tcp_connect_all_ports(postfix_master_t) + +# for a find command +selinux_dontaudit_search_fs(postfix_master_t) + +corecmd_exec_ls(postfix_master_t) +corecmd_exec_sbin(postfix_master_t) +corecmd_exec_shell(postfix_master_t) +corecmd_exec_bin(postfix_master_t) + +domain_use_wide_inherit_fd(postfix_master_t) + +files_read_usr_files(postfix_master_t) + +init_use_script_pty(postfix_master_t) + +miscfiles_dontaudit_search_man_pages(postfix_master_t) + +seutil_sigchld_newrole(postfix_master_t) +# postfix does a "find" on startup for some reason - keep it quiet +seutil_dontaudit_search_config(postfix_master_t) + +sysnet_read_config(postfix_master_t) + +mta_rw_aliases(postfix_master_t) +mta_read_sendmail_bin(postfix_master_t) + +optional_policy(`mount.te',` + mount_send_nfs_client_request(postfix_master_t) +') + +optional_policy(`nis.te',` + nis_use_ypbind(postfix_master_t) +') + +########################################################### +# +# Partially converted rules. 
THESE ARE ONLY TEMPORARY +# + +ifdef(`distro_redhat',` + # for newer main.cf that uses /etc/aliases + allow postfix_master_t etc_t:dir rw_dir_perms; + allow postfix_master_t etc_aliases_t:dir create_dir_perms; + allow postfix_master_t etc_aliases_t:file create_file_perms; + allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms; + allow postfix_master_t etc_aliases_t:sock_file create_file_perms; + allow postfix_master_t etc_aliases_t:fifo_file create_file_perms; + type_transition postfix_master_t etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t; + + allow postfix_master_t postfix_etc_t:dir rw_dir_perms; + allow postfix_master_t etc_aliases_t:dir create_dir_perms; + allow postfix_master_t etc_aliases_t:file create_file_perms; + allow postfix_master_t etc_aliases_t:lnk_file create_lnk_perms; + allow postfix_master_t etc_aliases_t:sock_file create_file_perms; + allow postfix_master_t etc_aliases_t:fifo_file create_file_perms; + type_transition postfix_master_t postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t; +') + +# postfix needs this for newaliases +allow { system_mail_t sysadm_mail_t } tmp_t:dir getattr; + +can_exec({ sysadm_mail_t system_mail_t }, postfix_master_exec_t) + +allow sysadm_mail_t etc_aliases_t:dir create_dir_perms; +allow sysadm_mail_t etc_aliases_t:file create_file_perms; +allow sysadm_mail_t etc_aliases_t:lnk_file create_lnk_perms; +allow sysadm_mail_t etc_aliases_t:sock_file create_file_perms; +allow sysadm_mail_t etc_aliases_t:fifo_file create_file_perms; +files_create_etc_config(system_mail_t,etc_aliases_t,{ file lnk_file sock_file fifo_file }) + + +ifdef(`distro_redhat',` + # compatability for old default main.cf + allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms; + allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms; + allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms; + allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file 
create_file_perms; + allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms; + + allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms; + type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t; + + allow { sysadm_mail_t system_mail_t } etc_aliases_t:dir create_dir_perms; + allow { sysadm_mail_t system_mail_t } etc_aliases_t:file create_file_perms; + allow { sysadm_mail_t system_mail_t } etc_aliases_t:lnk_file create_lnk_perms; + allow { sysadm_mail_t system_mail_t } etc_aliases_t:sock_file create_file_perms; + allow { sysadm_mail_t system_mail_t } etc_aliases_t:fifo_file create_file_perms; + + allow { sysadm_mail_t system_mail_t } postfix_etc_t:dir rw_dir_perms; + type_transition { sysadm_mail_t system_mail_t } postfix_etc_t:{ file lnk_file sock_file fifo_file } etc_aliases_t; +') + +# end partially converted rules + +######################################## +# +# Postfix bounce local policy +# + +allow postfix_bounce_t self:capability dac_read_search; +allow postfix_bounce_t self:tcp_socket create_socket_perms; + +allow postfix_bounce_t postfix_public_t:sock_file write; + +allow postfix_bounce_t postfix_spool_t:dir create_dir_perms; +allow postfix_bounce_t postfix_spool_t:file create_file_perms; +allow postfix_bounce_t postfix_spool_t:lnk_file create_lnk_perms; + +allow postfix_bounce_t postfix_spool_bounce_t:dir create_dir_perms; +allow postfix_bounce_t postfix_spool_bounce_t:file create_file_perms; +allow postfix_bounce_t postfix_spool_bounce_t:lnk_file create_lnk_perms; + +######################################## +# +# Postfix cleanup local policy +# + +allow postfix_cleanup_t self:process setrlimit; + +# connect to master process +allow postfix_cleanup_t postfix_master_t:unix_stream_socket connectto; +allow postfix_cleanup_t postfix_private_t:dir search; +allow postfix_cleanup_t postfix_private_t:sock_file rw_file_perms; + +allow postfix_cleanup_t 
postfix_public_t:fifo_file rw_file_perms; +allow postfix_cleanup_t postfix_public_t:sock_file { getattr write }; + +allow postfix_cleanup_t postfix_spool_t:dir create_dir_perms; +allow postfix_cleanup_t postfix_spool_t:file create_file_perms; +allow postfix_cleanup_t postfix_spool_t:lnk_file create_lnk_perms; + +allow postfix_cleanup_t postfix_spool_bounce_t:dir r_dir_perms; + +######################################## +# +# Postfix local local policy +# + +allow postfix_local_t self:fifo_file rw_file_perms; +allow postfix_local_t self:process { setsched setrlimit }; + +allow postfix_local_t postfix_local_tmp_t:dir create_dir_perms; +allow postfix_local_t postfix_local_tmp_t:file create_file_perms; +files_create_tmp_files(postfix_local_t, postfix_local_tmp_t, { file dir }) + +# connect to master process +allow postfix_local_t postfix_master_t:unix_stream_socket connectto; +allow postfix_local_t postfix_public_t:dir search; +allow postfix_local_t postfix_public_t:sock_file write; + +# for .forward - maybe we need a new type for it? 
+allow postfix_local_t postfix_private_t:dir search; +allow postfix_local_t postfix_private_t:sock_file rw_file_perms; + +allow postfix_local_t postfix_spool_t:file rw_file_perms; + +corecmd_exec_shell(postfix_local_t) +corecmd_exec_bin(postfix_local_t) + +mta_read_aliases(postfix_local_t) +mta_delete_spool(postfix_local_t) +# For reading spamassasin +mta_read_config(postfix_local_t) + +ifdef(`TODO',` +optional_policy(`procmail.te', ` + domain_auto_trans(postfix_local_t, procmail_exec_t, procmail_t) + # for a bug in the postfix local program + dontaudit procmail_t postfix_local_t:tcp_socket { read write }; + dontaudit procmail_t postfix_master_t:fd use; +') +') dnl end TODO + +######################################## +# +# Postfix map local policy +# + +allow postfix_map_t self:capability setgid; +allow postfix_map_t self:unix_stream_socket create_stream_socket_perms; +allow postfix_map_t self:unix_dgram_socket create_socket_perms; +allow postfix_map_t self:tcp_socket create_stream_socket_perms; +allow postfix_map_t self:udp_socket create_socket_perms; + +allow postfix_map_t postfix_etc_t:dir create_dir_perms; +allow postfix_map_t postfix_etc_t:file create_file_perms; +allow postfix_map_t postfix_etc_t:lnk_file create_lnk_perms; + +allow postfix_map_t postfix_map_tmp_t:dir create_dir_perms; +allow postfix_map_t postfix_map_tmp_t:file create_file_perms; +files_create_tmp_files(postfix_map_t, postfix_map_tmp_t, { file dir }) + +kernel_read_kernel_sysctl(postfix_map_t) + +corenet_tcp_sendrecv_all_if(postfix_map_t) +corenet_udp_sendrecv_all_if(postfix_map_t) +corenet_raw_sendrecv_all_if(postfix_map_t) +corenet_tcp_sendrecv_all_nodes(postfix_map_t) +corenet_udp_sendrecv_all_nodes(postfix_map_t) +corenet_raw_sendrecv_all_nodes(postfix_map_t) +corenet_tcp_bind_all_nodes(postfix_map_t) +corenet_udp_bind_all_nodes(postfix_map_t) +corenet_tcp_sendrecv_all_ports(postfix_map_t) +corenet_udp_sendrecv_all_ports(postfix_map_t) +corenet_tcp_connect_all_ports(postfix_map_t) + 
+corecmd_list_bin(postfix_map_t) +corecmd_read_bin_symlink(postfix_map_t) +corecmd_read_bin_file(postfix_map_t) +corecmd_read_bin_pipe(postfix_map_t) +corecmd_read_bin_socket(postfix_map_t) +corecmd_list_sbin(postfix_map_t) +corecmd_read_sbin_symlink(postfix_map_t) +corecmd_read_sbin_file(postfix_map_t) +corecmd_read_sbin_pipe(postfix_map_t) +corecmd_read_sbin_socket(postfix_map_t) + +files_list_home(postfix_map_t) +files_read_usr_files(postfix_map_t) +files_read_etc_files(postfix_map_t) +files_read_etc_runtime_files(postfix_map_t) +files_dontaudit_search_var(postfix_map_t) + +libs_use_ld_so(postfix_map_t) +libs_use_shared_libs(postfix_map_t) + +miscfiles_read_localization(postfix_map_t) + +seutil_read_config(postfix_map_t) + +sysnet_read_config(postfix_map_t) + +tunable_policy(`read_default_t',` + files_list_default(postfix_map_t) + files_read_default_files(postfix_map_t) + files_read_default_symlinks(postfix_map_t) + files_read_default_sockets(postfix_map_t) + files_read_default_pipes(postfix_map_t) +') + +optional_policy(`locallogin.te',` + locallogin_dontaudit_use_fd(postfix_map_t) +') + +# a "run" interface needs to be +# added, and have sysadm_t use it +# in a optional_policy block. 
+
+########################################
+#
+# Postfix pickup local policy
+#
+
+allow postfix_pickup_t self:tcp_socket create_socket_perms;
+
+allow postfix_pickup_t postfix_master_t:unix_stream_socket connectto;
+
+allow postfix_pickup_t postfix_private_t:dir search;
+allow postfix_pickup_t postfix_private_t:sock_file write;
+
+allow postfix_pickup_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_pickup_t postfix_public_t:sock_file rw_file_perms;
+
+allow postfix_pickup_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_pickup_t postfix_spool_maildrop_t:file r_file_perms;
+allow postfix_pickup_t postfix_spool_maildrop_t:file unlink;
+
+########################################
+#
+# Postfix pipe local policy
+#
+
+allow postfix_pipe_t self:fifo_file { read write };
+
+allow postfix_pipe_t postfix_private_t:dir search;
+allow postfix_pipe_t postfix_private_t:sock_file write;
+
+allow postfix_pipe_t postfix_spool_t:dir search;
+allow postfix_pipe_t postfix_spool_t:file rw_file_perms;
+
+ifdef(`TODO',`
+optional_policy(`procmail.te', `
+domain_auto_trans(postfix_pipe_t, procmail_exec_t, procmail_t)
+')
+') dnl end TODO
+
+########################################
+#
+# Postfix postdrop local policy
+#
+
+# usually it does not need a UDP socket
+allow postfix_postdrop_t self:capability sys_resource;
+allow postfix_postdrop_t self:tcp_socket create;
+allow postfix_postdrop_t self:udp_socket create_socket_perms;
+
+allow postfix_postdrop_t postfix_public_t:dir search;
+allow postfix_postdrop_t postfix_public_t:fifo_file rw_file_perms;
+
+allow postfix_postdrop_t postfix_spool_maildrop_t:dir rw_dir_perms;
+allow postfix_postdrop_t postfix_spool_maildrop_t:file create_file_perms;
+
+term_dontaudit_use_all_user_ptys(postfix_postdrop_t)
+term_dontaudit_use_all_user_ttys(postfix_postdrop_t)
+
+sysnet_dontaudit_read_config(postfix_postdrop_t)
+
+mta_rw_user_mail_stream_socket(postfix_postdrop_t)
+
+optional_policy(`crond.te',`
+ cron_use_fd(postfix_postdrop_t)
+ cron_rw_pipe(postfix_postdrop_t)
+ cron_use_system_job_fd(postfix_postdrop_t)
+ cron_rw_system_job_pipe(postfix_postdrop_t)
+')
+
+#######################################
+#
+# Postfix postqueue local policy
+#
+
+allow postfix_postqueue_t self:tcp_socket create;
+allow postfix_postqueue_t self:udp_socket { create ioctl };
+
+# wants to write to /var/spool/postfix/public/showq
+allow postfix_postqueue_t postfix_public_t:sock_file rw_file_perms;
+allow postfix_postqueue_t postfix_master_t:unix_stream_socket connectto;
+
+allow postfix_postqueue_t postfix_public_t:dir search;
+# write to /var/spool/postfix/public/qmgr
+allow postfix_postqueue_t postfix_public_t:fifo_file { getattr write };
+
+domain_auto_trans(postfix_master_t, postfix_postqueue_exec_t, postfix_postqueue_t)
+
+# to write the mailq output, it really should not need read access!
+term_use_all_user_ptys(postfix_showq_t)
+term_use_all_user_ttys(postfix_showq_t)
+
+init_sigchld_script(postfix_postqueue_t)
+init_use_script_fd(postfix_postqueue_t)
+
+sysnet_dontaudit_read_config(postfix_postqueue_t)
+
+ifdef(`TODO',`
+optional_policy(`gnome-pty-helper.te', `allow postfix_postqueue_t user_gph_t:fd use;')
+')
+
+########################################
+#
+# Postfix qmgr local policy
+#
+
+allow postfix_qmgr_t postfix_master_t:unix_stream_socket connectto;
+
+allow postfix_qmgr_t postfix_private_t:dir search;
+allow postfix_qmgr_t postfix_private_t:sock_file rw_file_perms;
+
+allow postfix_qmgr_t postfix_public_t:fifo_file rw_file_perms;
+allow postfix_qmgr_t postfix_public_t:sock_file write;
+
+# for /var/spool/postfix/active
+allow postfix_qmgr_t postfix_spool_t:dir create_dir_perms;
+allow postfix_qmgr_t postfix_spool_t:file create_file_perms;
+allow postfix_qmgr_t postfix_spool_t:lnk_file create_lnk_perms;
+
+allow postfix_qmgr_t postfix_spool_bounce_t:dir { getattr read search };
+allow postfix_qmgr_t postfix_spool_bounce_t:file { read getattr };
+allow postfix_qmgr_t postfix_spool_bounce_t:lnk_file { getattr read };
+
+########################################
+#
+# Postfix showq local policy
+#
+
+allow postfix_showq_t self:capability { setuid setgid };
+allow postfix_showq_t self:tcp_socket create_socket_perms;
+
+domain_auto_trans(postfix_postqueue_t, postfix_showq_exec_t, postfix_showq_t)
+# the following auto_trans is usually in postfix server domain
+domain_auto_trans(postfix_master_t, postfix_showq_exec_t, postfix_showq_t)
+
+allow postfix_showq_t postfix_master_t:unix_stream_socket { accept rw_socket_perms };
+
+allow postfix_showq_t postfix_spool_t:file r_file_perms;
+
+allow postfix_showq_t postfix_spool_maildrop_t:dir { getattr read search };
+allow postfix_showq_t postfix_spool_maildrop_t:file { read getattr };
+allow postfix_showq_t postfix_spool_maildrop_t:lnk_file { getattr read };
+
+term_use_all_user_ptys(postfix_showq_t)
+term_use_all_user_ttys(postfix_showq_t)
+
+sysnet_dns_name_resolve(postfix_showq_t)
+
+########################################
+#
+# Postfix smtp delivery local policy
+#
+
+# connect to master process
+allow postfix_smtp_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_smtp_t { postfix_private_t postfix_public_t }:dir search;
+allow postfix_smtp_t { postfix_private_t postfix_public_t }:sock_file write;
+
+allow postfix_smtp_t postfix_spool_t:file rw_file_perms;
+
+kernel_tcp_recvfrom(postfix_smtp_t)
+
+# if you have two different mail servers on the same host let them talk via
+# SMTP, also if one mail server wants to talk to itself then allow it and let
+# the SMTP protocol sort it out (SE Linux is not to prevent mail server
+# misconfiguration)
+mta_tcp_connect_all_mailservers(postfix_smtp_t)
+
+########################################
+#
+# Postfix smtpd local policy
+#
+allow postfix_smtpd_t postfix_master_t:tcp_socket rw_stream_socket_perms;
+
+# connect to master process
+allow postfix_smtpd_t postfix_master_t:unix_stream_socket connectto;
+allow postfix_smtpd_t { postfix_private_t postfix_public_t }:dir search;
+allow postfix_smtpd_t { postfix_private_t postfix_public_t }:sock_file rw_file_perms;
+
+# for prng_exch
+allow postfix_smtpd_t postfix_spool_t:file rw_file_perms;
+allow { postfix_smtp_t postfix_smtpd_t } postfix_prng_t:file rw_file_perms;
+
+# for OpenSSL certificates
+files_read_usr_files(postfix_smtpd_t)
+mta_read_aliases(postfix_smtpd_t)
+
+optional_policy(`sasl.te',`
+ sasl_connect(postfix_smtpd_t)
+')
diff --git a/refpolicy/policy/modules/services/ppp.te b/refpolicy/policy/modules/services/ppp.te
index c410f18e..c7a80b82 100644
--- a/refpolicy/policy/modules/services/ppp.te
+++ b/refpolicy/policy/modules/services/ppp.te
@@ -176,6 +176,20 @@ ifdef(`targeted_policy', `
 term_dontaudit_use_unallocated_tty(pppd_t)
 term_dontaudit_use_generic_pty(pppd_t)
 files_dontaudit_read_root_file(pppd_t)
+
+ optional_policy(`postfix.te',`
+ gen_require(`
+ bool postfix_master_disable_transgre;
+ ')
+
+ if(!postfix_master_disable_trans) {
+ postfix_domtrans_master(pppd_t)
+ }
+ ')
+',`
+ optional_policy(`postfix.te',`
+ postfix_domtrans_master(pppd_t)
+ ')
 ')

 optional_policy(`modutils.te',`
diff --git a/refpolicy/policy/modules/services/sendmail.te b/refpolicy/policy/modules/services/sendmail.te
index 63562437..c25dd75a 100644
--- a/refpolicy/policy/modules/services/sendmail.te
+++ b/refpolicy/policy/modules/services/sendmail.te
@@ -117,6 +117,11 @@ optional_policy(`nscd.te',`
 nscd_use_socket(sendmail_t)
 ')

+optional_policy(`postfix.te',`
+ postfix_read_config(sendmail_t)
+ postfix_search_spool(sendmail_t)
+')
+
 optional_policy(`selinuxutil.te',`
 seutil_sigchld_newrole(sendmail_t)
 ')
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 914fb0e8..a306ffe1 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
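Review bot: In the ppp.te hunk the `gen_require` block declares `bool postfix_master_disable_transgre;` while the condition three lines below tests `postfix_master_disable_trans`; the two names differ, so in a targeted build one of them is an undeclared boolean and the module will fail to compile. The declaration should read `bool postfix_master_disable_trans;` to match the `if(!postfix_master_disable_trans)` test, assuming that is the tunable defined in postfix.te (not visible in this hunk). The non-targeted `',`` branch below it calls `postfix_domtrans_master(pppd_t)` unconditionally, so only the targeted branch is affected. The enclosing `ifdef(`targeted_policy', `` block begins before this hunk.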
@@ -1905,6 +1905,22 @@ interface(`files_associate_tmp',`
 allow $1 tmp_t:filesystem associate;
 ')

+########################################
+##
+## Get the attributes of the tmp directory (/tmp).
+##
+##
+## Domain allowed access.
+##
+#
+interface(`files_getattr_tmp_dir',`
+ gen_require(`
+ type tmp_t;
+ ')
+
+ allow $1 tmp_t:dir getattr;
+')
+
 ########################################
 ##
 ## Do not audit attempts to get the
diff --git a/refpolicy/policy/modules/system/init.if b/refpolicy/policy/modules/system/init.if
index f9e57233..9bf10584 100644
--- a/refpolicy/policy/modules/system/init.if
+++ b/refpolicy/policy/modules/system/init.if
@@ -538,6 +538,22 @@ interface(`init_get_script_process_group',`
 allow $1 initrc_t:process getpgid;
 ')

+########################################
+##
+## Send SIGCHLD signals to init scripts.
+##
+##
+## The type of the process performing this action.
+##
+#
+interface(`init_sigchld_script',`
+ gen_require(`
+ type initrc_t;
+ ')
+
+ allow $1 initrc_t:process sigchld;
+')
+
 ########################################
 ##
 ## Read and write init script unnamed pipes.
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 40d390b5..ae6c8896 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -556,6 +556,10 @@ optional_policy(`postgresql.te',`
 postgresql_read_config(initrc_t)
 ')

+optional_policy(`postfix.te',`
+ postfix_list_spool(initrc_t)
+')
+
 optional_policy(`quota.te',`
 quota_manage_flags(initrc_t)
 ')
diff --git a/refpolicy/policy/modules/system/miscfiles.if b/refpolicy/policy/modules/system/miscfiles.if
index 5c0f6440..d8970e47 100644
--- a/refpolicy/policy/modules/system/miscfiles.if
+++ b/refpolicy/policy/modules/system/miscfiles.if
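Review bot: The parameter description of `init_sigchld_script` in the init.if hunk reads `## The type of the process performing this action.` while the other interfaces added by this commit (`files_getattr_tmp_dir`, `miscfiles_dontaudit_search_man_pages`, `sysnet_dontaudit_read_config`) use the stock refpolicy phrase `## Domain allowed access.`; using the same wording here keeps the generated interface documentation uniform. The summary could also name the target type so readers do not have to open the body, e.g. `## Send a SIGCHLD signal to init scripts (initrc_t).`. The rule itself, `allow $1 initrc_t:process sigchld;`, matches what the interface name promises.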
@@ -98,6 +98,22 @@ interface(`miscfiles_legacy_read_localization',`
 allow $1 locale_t:file execute;
 ')

+########################################
+##
+## Do not audit attempts to search man pages.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`miscfiles_dontaudit_search_man_pages',`
+ gen_require(`
+ type man_t;
+ ')
+
+ dontaudit $1 man_t:dir search;
+')
+
 ########################################
 ##
 ## Read man pages
diff --git a/refpolicy/policy/modules/system/sysnetwork.if b/refpolicy/policy/modules/system/sysnetwork.if
index cf55822c..42f145b7 100644
--- a/refpolicy/policy/modules/system/sysnetwork.if
+++ b/refpolicy/policy/modules/system/sysnetwork.if
@@ -177,6 +177,22 @@ interface(`sysnet_read_config',`
 allow $1 net_conf_t:file r_file_perms;
 ')

+#######################################
+##
+## Do not audit attempts to read network config files.
+##
+##
+## Domain to not audit.
+##
+#
+interface(`sysnet_dontaudit_read_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ dontaudit $1 net_conf_t:file r_file_perms;
+')
+
 #######################################
 ##
 ## Create files in /etc with the type used for