Internal interaction goes before external interface calls.

policy/modules/services/spamassassin.te

@@ -252,11 +252,6 @@ allow spamc_t self:unix_dgram_socket sendto;
 allow spamc_t self:unix_stream_socket connectto;
 allow spamc_t self:tcp_socket create_stream_socket_perms;
 allow spamc_t self:udp_socket create_socket_perms;
-corenet_all_recvfrom_unlabeled(spamc_t)
-corenet_all_recvfrom_netlabel(spamc_t)
-corenet_tcp_sendrecv_generic_if(spamc_t)
-corenet_tcp_sendrecv_generic_node(spamc_t)
-corenet_tcp_connect_spamd_port(spamc_t)
 
 can_exec(spamc_t, spamc_exec_t)
 
@@ -272,6 +267,9 @@ manage_sock_files_pattern(spamc_t, spamc_home_t, spamc_home_t)
 userdom_user_home_dir_filetrans(spamc_t, spamc_home_t, { dir file lnk_file sock_file fifo_file })
 userdom_append_user_home_content_files(spamc_t)
 
+list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
+
 # Allow connecting to a local spamd
 allow spamc_t spamd_t:unix_stream_socket connectto;
 allow spamc_t spamd_tmp_t:sock_file rw_sock_file_perms;
@@ -290,6 +288,11 @@ corenet_tcp_sendrecv_all_ports(spamc_t)
 corenet_udp_sendrecv_all_ports(spamc_t)
 corenet_tcp_connect_all_ports(spamc_t)
 corenet_sendrecv_all_client_packets(spamc_t)
+corenet_all_recvfrom_unlabeled(spamc_t)
+corenet_all_recvfrom_netlabel(spamc_t)
+corenet_tcp_sendrecv_generic_if(spamc_t)
+corenet_tcp_sendrecv_generic_node(spamc_t)
+corenet_tcp_connect_spamd_port(spamc_t)
 
 fs_search_auto_mountpoints(spamc_t)
 
@@ -309,8 +312,6 @@ files_dontaudit_search_var(spamc_t)
 # cjp: this may be removable:
 files_list_home(spamc_t)
 files_list_var_lib(spamc_t)
-list_dirs_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
-read_files_pattern(spamc_t, spamd_var_lib_t, spamd_var_lib_t)
 
 fs_search_auto_mountpoints(spamc_t)