From 65e131f0c7a70d59f21d14e7b3b171e23c0188e2 Mon Sep 17 00:00:00 2001 From: Chris PeBenito Date: Wed, 5 Apr 2006 15:32:38 +0000 Subject: [PATCH] add qmail --- refpolicy/Changelog | 1 + .../policy/modules/kernel/corecommands.fc | 5 + .../policy/modules/kernel/corecommands.te | 2 +- refpolicy/policy/modules/services/mta.fc | 6 +- refpolicy/policy/modules/services/mta.if | 10 +- refpolicy/policy/modules/services/mta.te | 6 +- refpolicy/policy/modules/services/qmail.fc | 47 +++ refpolicy/policy/modules/services/qmail.if | 209 ++++++++++++ refpolicy/policy/modules/services/qmail.te | 313 ++++++++++++++++++ refpolicy/policy/modules/services/ucspitcp.te | 4 +- .../policy/modules/system/daemontools.fc | 4 + .../policy/modules/system/daemontools.te | 6 +- 12 files changed, 601 insertions(+), 12 deletions(-) create mode 100644 refpolicy/policy/modules/services/qmail.fc create mode 100644 refpolicy/policy/modules/services/qmail.if create mode 100644 refpolicy/policy/modules/services/qmail.te diff --git a/refpolicy/Changelog b/refpolicy/Changelog index b4df0f5b..5077bda3 100644 --- a/refpolicy/Changelog +++ b/refpolicy/Changelog @@ -40,6 +40,7 @@ games mozilla mplayer + qmail (Petre Rodan) rhgb thunderbird tor (Erich Schubert) diff --git a/refpolicy/policy/modules/kernel/corecommands.fc b/refpolicy/policy/modules/kernel/corecommands.fc index 3fbafa0e..a2c59dd2 100644 --- a/refpolicy/policy/modules/kernel/corecommands.fc +++ b/refpolicy/policy/modules/kernel/corecommands.fc @@ -164,6 +164,7 @@ ifdef(`distro_gentoo',` ifdef(`distro_gentoo', ` /usr/.*-.*-linux-gnu/gcc-bin/.*(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/.*-.*-linux-gnu/binutils-bin(/.*)? gen_context(system_u:object_r:bin_t,s0) ') ifdef(`distro_redhat', ` 
@@ -221,6 +222,10 @@ ifdef(`distro_suse', ` /usr/lib/yp/.+ -- gen_context(system_u:object_r:bin_t,s0) +/var/qmail/bin -d gen_context(system_u:object_r:bin_t,s0) +/var/qmail/bin(/.*)? gen_context(system_u:object_r:bin_t,s0) +/var/qmail/rc -- gen_context(system_u:object_r:bin_t,s0) + ifdef(`distro_suse',` /var/lib/samba/bin/.+ gen_context(system_u:object_r:bin_t,s0) ') diff --git a/refpolicy/policy/modules/kernel/corecommands.te b/refpolicy/policy/modules/kernel/corecommands.te index 5b418df0..d166d62d 100644 --- a/refpolicy/policy/modules/kernel/corecommands.te +++ b/refpolicy/policy/modules/kernel/corecommands.te @@ -1,5 +1,5 @@ -policy_module(corecommands,1.3.6) +policy_module(corecommands,1.3.7) ######################################## # diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc index 7a677d68..14ff65cf 100644 --- a/refpolicy/policy/modules/services/mta.fc +++ b/refpolicy/policy/modules/services/mta.fc @@ -1,6 +1,6 @@ /etc/aliases -- gen_context(system_u:object_r:etc_aliases_t,s0) -/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) +/etc/aliases\.db -- gen_context(system_u:object_r:etc_aliases_t,s0) /etc/mail(/.*)? gen_context(system_u:object_r:etc_mail_t,s0) ifdef(`distro_redhat',` /etc/postfix/aliases.* gen_context(system_u:object_r:etc_aliases_t,s0) @@ -14,8 +14,10 @@ ifdef(`distro_redhat',` /var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) +/var/qmail/bin/sendmail -- gen_context(system_u:object_r:sendmail_exec_t,s0) + /var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) -/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) +/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0) /var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0) #ifdef(`postfix.te', `', ` diff --git a/refpolicy/policy/modules/services/mta.if b/refpolicy/policy/modules/services/mta.if index 3bac4bdc..b0d0784e 100644 
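Review bot: Labeling all of `/var/qmail/bin(/.*)?` as bin_t in the second corecommands.fc hunk makes every qmail helper that qmail.fc does not give its own qmail_*_exec_t type executable by any domain that may run generic binaries, which is broader than the per-program types the rest of this patch introduces. The more specific qmail.fc and mta.fc entries win for the binaries they list, so this only affects the unlisted helpers and `/var/qmail/rc`; if that is intended, a line such as `# unlisted qmail helpers are generic bin_t; per-program types are in qmail.fc` would make the split deliberate. The `/var/qmail/bin -d` entry also appears redundant with the `(/.*)?` pattern on the next line, which already matches the directory itself.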
--- a/refpolicy/policy/modules/services/mta.if +++ b/refpolicy/policy/modules/services/mta.if @@ -111,6 +111,10 @@ template(`mta_base_mail_template',` procmail_exec($1_mail_t) ') + optional_policy(` + qmail_domtrans_inject($1_mail_t) + ') + optional_policy(` gen_require(` type etc_mail_t, mail_spool_t, mqueue_spool_t; @@ -138,12 +142,6 @@ template(`mta_base_mail_template',` sendmail_create_log($1_mail_t) ') - ifdef(`TODO',` - ifdef(`qmail.te', ` - allow $1_mail_t qmail_etc_t:dir search; - allow $1_mail_t qmail_etc_t:{ file lnk_file } read; - ') - ') dnl end TODO ') ####################################### diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te index 534bddc0..369e0e87 100644 --- a/refpolicy/policy/modules/services/mta.te +++ b/refpolicy/policy/modules/services/mta.te @@ -1,5 +1,5 @@ -policy_module(mta,1.3.0) +policy_module(mta,1.3.1) ######################################## # @@ -161,6 +161,10 @@ optional_policy(` ') ') +optional_policy(` + qmail_domtrans_inject(system_mail_t) +') + optional_policy(` userdom_dontaudit_use_unpriv_users_ptys(system_mail_t) diff --git a/refpolicy/policy/modules/services/qmail.fc b/refpolicy/policy/modules/services/qmail.fc new file mode 100644 index 00000000..0055e54b --- /dev/null +++ b/refpolicy/policy/modules/services/qmail.fc 
@@ -0,0 +1,47 @@
+
+/var/qmail/alias -d gen_context(system_u:object_r:qmail_alias_home_t,s0)
+/var/qmail/alias(/.*)? gen_context(system_u:object_r:qmail_alias_home_t,s0)
+
+/var/qmail/bin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0)
+/var/qmail/bin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0)
+/var/qmail/bin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0)
+/var/qmail/bin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0)
+/var/qmail/bin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0)
+/var/qmail/bin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0)
+/var/qmail/bin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0)
+/var/qmail/bin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0)
+/var/qmail/bin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0)
+/var/qmail/bin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0)
+/var/qmail/bin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0)
+/var/qmail/bin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0)
+/var/qmail/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0)
+
+/var/qmail/control(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0)
+
+/var/qmail/queue(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0)
+
+ifdef(`distro_debian', `
+/etc/qmail(/.*)? 
gen_context(system_u:object_r:qmail_etc_t,s0) + +/usr/bin/tcp-env -- gen_context(system_u:object_r:qmail_tcp_env_exec_t,s0) + +#/usr/local/bin/serialmail/.* -- gen_context(system_u:object_r:qmail_serialmail_exec_t,s0) + +/usr/sbin/qmail-clean -- gen_context(system_u:object_r:qmail_clean_exec_t,s0) +/usr/sbin/qmail-getpw -- gen_context(system_u:object_r:qmail_exec_t,s0) +/usr/sbin/qmail-inject -- gen_context(system_u:object_r:qmail_inject_exec_t,s0) +/usr/sbin/qmail-local -- gen_context(system_u:object_r:qmail_local_exec_t,s0) +/usr/sbin/qmail-lspawn -- gen_context(system_u:object_r:qmail_lspawn_exec_t,s0) +/usr/sbin/qmail-queue -- gen_context(system_u:object_r:qmail_queue_exec_t,s0) +/usr/sbin/qmail-remote -- gen_context(system_u:object_r:qmail_remote_exec_t,s0) +/usr/sbin/qmail-rspawn -- gen_context(system_u:object_r:qmail_rspawn_exec_t,s0) +/usr/sbin/qmail-send -- gen_context(system_u:object_r:qmail_send_exec_t,s0) +/usr/sbin/qmail-smtpd -- gen_context(system_u:object_r:qmail_smtpd_exec_t,s0) +/usr/sbin/qmail-start -- gen_context(system_u:object_r:qmail_start_exec_t,s0) +/usr/sbin/splogger -- gen_context(system_u:object_r:qmail_splogger_exec_t,s0) + +/var/qmail(/.*)? gen_context(system_u:object_r:qmail_etc_t,s0) + +/var/spool/qmail(/.*)? gen_context(system_u:object_r:qmail_spool_t,s0) +') + diff --git a/refpolicy/policy/modules/services/qmail.if b/refpolicy/policy/modules/services/qmail.if new file mode 100644 index 00000000..a9ac7099 --- /dev/null +++ b/refpolicy/policy/modules/services/qmail.if @@ -0,0 +1,209 @@ +## Qmail Mail Server + +####################################### +## +## The per user domain template for qmail +## +## +##
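Review bot: The commented-out `#/usr/local/bin/serialmail/.*` entry in the Debian block of qmail.fc refers to a `qmail_serialmail_exec_t` type that the qmail.te in this patch never declares, so it is dead text; either drop it or replace it with a `# TODO: serialmail needs its own domain before it can be labeled` line so the reason it is disabled is recorded. `/var/qmail/alias -d` near the top of the file appears redundant with the `/var/qmail/alias(/.*)?` entry that follows, which already matches the directory itself. The Debian catch-all `/var/qmail(/.*)?` as qmail_etc_t relies on the more specific unconditional entries above (alias, bin, control, queue) taking precedence; a short comment stating that would save the next reader from checking the ordering.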

+## This template is invoked automatically for each user, and +## generally does not need to be invoked directly +## by policy writers. +##

+##
+## +## +## The prefix of the user domain (e.g., user +## is the prefix for user_t). +## +## +## +## +## The type of the user domain. +## +## +## +## +## The role associated with the user domain. +## +## +# +template(`qmail_per_userdomain_template',` + gen_require(` + attribute qmail_user_domains; + ') + + role $3 types qmail_user_domains; + + qmail_domtrans_inject($2) + + allow qmail_user_domains $2:process sigchld; + allow qmail_user_domains $2:fifo_file { write getattr }; + allow qmail_user_domains $2:fd use; + +') + +######################################## +## +## Template for qmail parent/sub-domain pairs +## +## +## +## The prefix of the child domain +## +## +## +## +## The name of the parent domain. +## +## +# +template(`qmail_child_domain_template',` + type $1_t; + domain_type($1_t) + type $1_exec_t; + domain_entry_file($1_t,$1_exec_t) + domain_auto_trans($2, $1_exec_t, $1_t) + role system_r types $1_t; + + allow $1_t self:process signal_perms; + + allow $1_t $2:fd use; + allow $1_t $2:fifo_file rw_file_perms; + allow $1_t $2:process sigchld; + + allow $1_t qmail_etc_t:dir { getattr read search }; + allow $1_t qmail_etc_t:file { getattr read }; + allow $1_t qmail_etc_t:lnk_file { getattr read }; + + allow $1_t qmail_start_t:fd use; + + kernel_list_proc($2) + kernel_read_proc_symlinks($2) + + corecmd_search_bin($1_t) + + files_search_var($1_t) + + fs_getattr_xattr_fs($1_t) + + libs_use_ld_so($1_t) + libs_use_shared_libs($1_t) + + miscfiles_read_localization($1_t) +') + +######################################## +## +## Transition to qmail_inject_t +## +## +## +## Domain allowed access +## +## +# +interface(`qmail_domtrans_inject',` + gen_require(` + type qmail_inject_t; + type qmail_inject_exec_t; + ') + + domain_auto_trans($1, qmail_inject_exec_t, qmail_inject_t) + allow qmail_inject_t $1:fd use; + allow qmail_inject_t $1:fifo_file { read write }; + allow qmail_inject_t $1:process sigchld; + + ifdef(`distro_debian',` + files_search_usr($1) + 
corecmd_search_sbin($1) + ',` + files_search_var($1) + corecmd_search_bin($1) + ') +') + +######################################## +## +## Transition to qmail_queue_t +## +## +## +## Domain allowed access +## +## +# +interface(`qmail_domtrans_queue',` + gen_require(` + type qmail_queue_t; + type qmail_queue_exec_t; + ') + + domain_auto_trans($1, qmail_queue_exec_t, qmail_queue_t) + + allow qmail_queue_t $1:fd use; + allow qmail_queue_t $1:fifo_file { read write }; + allow qmail_queue_t $1:process sigchld; + + ifdef(`distro_debian',` + files_search_usr($1) + corecmd_search_sbin($1) + ',` + files_search_var($1) + corecmd_search_bin($1) + ') +') + +######################################## +## +## Read qmail configuration files. +## +## +## +## Domain allowed access. +## +## +# +interface(`qmail_read_config',` + gen_require(` + type qmail_etc_t; + ') + + allow $1 qmail_etc_t:dir { getattr read search }; + allow $1 qmail_etc_t:file { getattr read }; + allow $1 qmail_etc_t:lnk_file { getattr read }; + files_search_var($1) + + ifdef(`distro_debian',` + # handle /etc/qmail + files_search_etc($1) + ') +') + +######################################## +## +## Define the specified domain as a qmail-smtp service. +## Needed by antivirus/antispam filters. +## +## +## +## Domain allowed access +## +## +## +## +## The type associated with the process program. +## +## +# +interface(`qmail_smtpd_service_domain',` + gen_require(` + type qmail_smtpd_t; + ') + + domain_auto_trans(qmail_smtpd_t, $2, $1) + + allow $1 qmail_smtpd_t:fd use; + allow $1 qmail_smtpd_t:fifo_file { read write }; + allow $1 qmail_smtpd_t:process sigchld; +') diff --git a/refpolicy/policy/modules/services/qmail.te b/refpolicy/policy/modules/services/qmail.te new file mode 100644 index 00000000..5209a066 --- /dev/null +++ b/refpolicy/policy/modules/services/qmail.te 
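Review bot: In `qmail_child_domain_template`, `kernel_list_proc($2)` and `kernel_read_proc_symlinks($2)` are granted to the parent domain `$2` rather than to the child `$1_t`, so each instantiation re-grants the parent (qmail_start_t receives it five times from qmail.te) while the child the template defines gets nothing. If the child is the intended subject these should read `kernel_list_proc($1_t)` and `kernel_read_proc_symlinks($1_t)`; if the parent genuinely needs them, they belong once in that parent's own section of qmail.te. Separately, `allow $1_t qmail_start_t:fd use;` hard-codes qmail_start_t into an otherwise generic template and so also reaches children whose parent is not qmail_start_t (qmail_local_t, qmail_queue_t, qmail_remote_t, qmail_smtpd_t); if this is for descriptors inherited from the grandparent, a comment such as `# descriptors inherited from qmail-start through the parent` would make that explicit.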
@@ -0,0 +1,313 @@
+
+policy_module(qmail,1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+attribute qmail_user_domains;
+
+type qmail_alias_home_t;
+files_type(qmail_alias_home_t)
+
+qmail_child_domain_template(qmail_clean, qmail_start_t)
+
+type qmail_etc_t;
+files_type(qmail_etc_t)
+
+type qmail_exec_t;
+files_type(qmail_exec_t)
+
+type qmail_inject_t, qmail_user_domains;
+type qmail_inject_exec_t;
+domain_type(qmail_inject_t)
+domain_entry_file(qmail_inject_t,qmail_inject_exec_t)
+mta_mailserver_user_agent(qmail_inject_t)
+role system_r types qmail_inject_t;
+
+qmail_child_domain_template(qmail_local, qmail_lspawn_t)
+mta_mailserver_delivery(qmail_local_t)
+
+qmail_child_domain_template(qmail_lspawn, qmail_start_t)
+mta_mailserver_delivery(qmail_lspawn_t)
+
+qmail_child_domain_template(qmail_queue, qmail_inject_t)
+typeattribute qmail_queue_t qmail_user_domains;
+mta_mailserver_user_agent(qmail_queue_t)
+
+qmail_child_domain_template(qmail_remote, qmail_rspawn_t)
+mta_mailserver_sender(qmail_remote_t)
+
+qmail_child_domain_template(qmail_rspawn, qmail_start_t)
+
+qmail_child_domain_template(qmail_send, qmail_start_t)
+
+qmail_child_domain_template(qmail_smtpd, qmail_tcp_env_t)
+
+qmail_child_domain_template(qmail_splogger, qmail_start_t)
+
+type qmail_spool_t;
+files_type(qmail_spool_t)
+
+type qmail_start_t;
+type qmail_start_exec_t;
+init_daemon_domain(qmail_start_t,qmail_start_exec_t)
+
+type qmail_tcp_env_t;
+type qmail_tcp_env_exec_t;
+domain_type(qmail_tcp_env_t)
+domain_entry_file(qmail_tcp_env_t,qmail_tcp_env_exec_t)
+
+########################################
+#
+# qmail-clean local policy
+# this component cleans up the queue directory
+#
+
+allow qmail_clean_t qmail_spool_t:dir rw_dir_perms;
+allow qmail_clean_t qmail_spool_t:file { unlink read getattr };
+
+########################################
+#
+# qmail-inject local policy
+# this component preprocesses mail from stdin and invokes qmail-queue
+#
+
+allow qmail_inject_t self:fifo_file write;
+allow qmail_inject_t self:process signal_perms;
+
+allow qmail_inject_t qmail_queue_exec_t:file read;
+
+corecmd_search_bin(qmail_inject_t)
+corecmd_search_sbin(qmail_inject_t)
+
+files_search_var(qmail_inject_t)
+
+libs_use_ld_so(qmail_inject_t)
+libs_use_shared_libs(qmail_inject_t)
+
+qmail_read_config(qmail_inject_t)
+
+########################################
+#
+# qmail-local local policy
+# this component delivers a mail message
+#
+
+allow qmail_local_t self:fifo_file write;
+allow qmail_local_t self:process signal_perms;
+allow qmail_local_t self:unix_stream_socket create_stream_socket_perms;
+
+allow qmail_local_t qmail_alias_home_t:dir create_dir_perms;
+allow qmail_local_t qmail_alias_home_t:file create_file_perms;
+
+allow qmail_local_t qmail_queue_exec_t:file read;
+
+allow qmail_local_t qmail_spool_t:file r_file_perms;
+
+kernel_read_system_state(qmail_local_t)
+
+corecmd_exec_shell(qmail_local_t)
+corecmd_search_sbin(qmail_local_t)
+
+files_read_etc_files(qmail_local_t)
+files_read_etc_runtime_files(qmail_local_t)
+
+mta_append_spool(qmail_local_t)
+
+qmail_domtrans_queue(qmail_local_t)
+
+########################################
+#
+# qmail-lspawn local policy
+# this component schedules local deliveries
+#
+
+allow qmail_lspawn_t self:capability { setuid setgid };
+allow qmail_lspawn_t self:process signal_perms;
+allow qmail_lspawn_t self:fifo_file { read write };
+allow qmail_lspawn_t self:unix_stream_socket create_socket_perms;
+
+can_exec(qmail_lspawn_t, qmail_exec_t)
+
+allow qmail_lspawn_t qmail_local_exec_t:file read;
+
+allow qmail_lspawn_t qmail_spool_t:dir search;
+allow qmail_lspawn_t qmail_spool_t:file { read getattr };
+
+corecmd_search_sbin(qmail_lspawn_t)
+
+files_read_etc_files(qmail_lspawn_t)
+files_search_pids(qmail_lspawn_t)
+files_search_tmp(qmail_lspawn_t)
+
+########################################
+#
+# qmail-queue local policy
+# this component places a mail in a delivery queue, later to be processed by qmail-send
+#
+
+allow qmail_queue_t qmail_lspawn_t:fd use;
+allow qmail_queue_t qmail_lspawn_t:fifo_file write;
+
+allow qmail_queue_t qmail_smtpd_t:fd use;
+allow qmail_queue_t qmail_smtpd_t:fifo_file read;
+allow qmail_queue_t qmail_smtpd_t:process sigchld;
+
+allow qmail_queue_t qmail_spool_t:dir create_dir_perms;
+allow qmail_queue_t qmail_spool_t:fifo_file { read write };
+allow qmail_queue_t qmail_spool_t:file create_file_perms;
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_queue_t)
+')
+
+########################################
+#
+# qmail-remote local policy
+# this component sends mail via SMTP
+#
+
+allow qmail_remote_t self:tcp_socket create_socket_perms;
+allow qmail_remote_t self:udp_socket create_socket_perms;
+
+allow qmail_remote_t qmail_spool_t:dir search;
+allow qmail_remote_t qmail_spool_t:file rw_file_perms;
+
+corenet_non_ipsec_sendrecv(qmail_remote_t)
+corenet_tcp_sendrecv_generic_if(qmail_remote_t)
+corenet_udp_sendrecv_generic_if(qmail_remote_t)
+corenet_tcp_sendrecv_generic_node(qmail_remote_t)
+corenet_udp_sendrecv_generic_node(qmail_remote_t)
+corenet_tcp_sendrecv_smtp_port(qmail_remote_t)
+corenet_udp_sendrecv_dns_port(qmail_remote_t)
+corenet_tcp_connect_smtp_port(qmail_remote_t)
+
+dev_read_rand(qmail_remote_t)
+dev_read_urand(qmail_remote_t)
+
+sysnet_read_config(qmail_remote_t)
+
+########################################
+#
+# qmail-rspawn local policy
+# this component scedules remote deliveries
+#
+
+allow qmail_rspawn_t self:process signal_perms;
+allow qmail_rspawn_t self:fifo_file read;
+
+allow qmail_rspawn_t qmail_remote_exec_t:file read;
+
+allow qmail_rspawn_t qmail_spool_t:dir search;
+allow qmail_rspawn_t qmail_spool_t:file rw_file_perms;
+
+corecmd_search_bin(qmail_rspawn_t)
+corecmd_search_sbin(qmail_rspawn_t)
+
+########################################
+#
+# qmail-send local policy
+# this component delivers mail messages from the queue
+#
+
+allow qmail_send_t self:process signal_perms;
+allow qmail_send_t self:fifo_file write;
+
+allow qmail_send_t qmail_spool_t:dir create_dir_perms;
+allow qmail_send_t qmail_spool_t:file create_file_perms;
+allow qmail_send_t qmail_spool_t:fifo_file read;
+
+qmail_domtrans_queue(qmail_send_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_send_t)
+')
+
+########################################
+#
+# qmail-smtpd local policy
+# this component receives mails via SMTP
+#
+
+allow qmail_smtpd_t self:process signal_perms;
+allow qmail_smtpd_t self:fifo_file write;
+allow qmail_smtpd_t self:tcp_socket create_socket_perms;
+
+allow qmail_smtpd_t qmail_queue_exec_t:file read;
+
+dev_read_rand(qmail_smtpd_t)
+dev_read_urand(qmail_smtpd_t)
+
+qmail_domtrans_queue(qmail_smtpd_t)
+
+optional_policy(`
+ daemontools_ipc_domain(qmail_smtpd_t)
+')
+
+optional_policy(`
+ ucspitcp_service_domain(qmail_smtpd_t, qmail_smtpd_exec_t)
+')
+
+########################################
+#
+# splogger local policy
+# this component creates entries in syslog
+#
+
+allow qmail_splogger_t self:unix_dgram_socket create_socket_perms;
+
+files_read_etc_files(qmail_splogger_t)
+
+init_dontaudit_use_script_fds(qmail_splogger_t)
+
+miscfiles_read_localization(qmail_splogger_t)
+
+########################################
+#
+# qmail-start local policy
+# this component starts up the mail delivery component
+#
+
+allow qmail_start_t self:capability { setgid setuid };
+dontaudit qmail_start_t self:capability sys_tty_config;
+allow qmail_start_t self:fifo_file { getattr read write };
+allow qmail_start_t self:process signal_perms;
+
+can_exec(qmail_start_t, qmail_start_exec_t)
+
+corecmd_search_bin(qmail_start_t)
+corecmd_search_sbin(qmail_start_t)
+
+files_search_var(qmail_start_t)
+
+libs_use_ld_so(qmail_start_t)
+libs_use_shared_libs(qmail_start_t)
+
+qmail_read_config(qmail_start_t)
+
+optional_policy(`
+ daemontools_service_domain(qmail_start_t, qmail_start_exec_t)
+ daemontools_ipc_domain(qmail_start_t)
+')
+
+######################################## +# +# tcp-env local policy +# this component sets up TCP-related environment variables +# + +allow qmail_tcp_env_t qmail_smtpd_exec_t:file read; + +corecmd_search_sbin(qmail_tcp_env_t) + +sysnet_read_config(qmail_tcp_env_t) + +optional_policy(` + inetd_tcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) +') + +optional_policy(` + ucspitcp_service_domain(qmail_tcp_env_t, qmail_tcp_env_exec_t) +') diff --git a/refpolicy/policy/modules/services/ucspitcp.te b/refpolicy/policy/modules/services/ucspitcp.te index 81ee26c8..9d596022 100644 --- a/refpolicy/policy/modules/services/ucspitcp.te +++ b/refpolicy/policy/modules/services/ucspitcp.te @@ -1,5 +1,5 @@ -policy_module(ucspitcp,1.0.0) +policy_module(ucspitcp,1.0.1) ######################################## # @@ -56,6 +56,7 @@ allow ucspitcp_t self:capability { net_bind_service setgid setuid }; allow ucspitcp_t self:fifo_file { read write }; allow ucspitcp_t self:process { fork sigchld }; allow ucspitcp_t self:tcp_socket create_stream_socket_perms; +allow ucspitcp_t self:udp_socket create_socket_perms; corecmd_search_bin(ucspitcp_t) corecmd_search_sbin(ucspitcp_t) @@ -68,6 +69,7 @@ corenet_tcp_sendrecv_all_ports(ucspitcp_t) corenet_udp_sendrecv_all_ports(ucspitcp_t) corenet_non_ipsec_sendrecv(ucspitcp_t) corenet_tcp_bind_all_nodes(ucspitcp_t) +corenet_udp_bind_all_nodes(ucspitcp_t) corenet_tcp_bind_ftp_port(ucspitcp_t) corenet_tcp_bind_ftp_data_port(ucspitcp_t) corenet_tcp_bind_http_port(ucspitcp_t) diff --git a/refpolicy/policy/modules/system/daemontools.fc b/refpolicy/policy/modules/system/daemontools.fc index 7b7968bd..b93222bf 100644 --- a/refpolicy/policy/modules/system/daemontools.fc +++ b/refpolicy/policy/modules/system/daemontools.fc 
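Review bot: `corecmd_exec_shell(qmail_local_t)` in the qmail-local section of qmail.te grants a shell with no domain transition, so whatever a user's `.qmail` file pipes to runs with the full qmail_local_t permission set visible here (create in qmail_alias_home_t, mta_append_spool, qmail_domtrans_queue) rather than in a per-user or delivery-agent domain; that is probably inherent to qmail's delivery model, but it is the one rule a reader most needs explained, e.g. `# .qmail-file commands run here via a shell with no per-user transition`. `qmail_tcp_env_t` is declared with domain_type and domain_entry_file but, unlike qmail_inject_t, gets no `role system_r types` line in this file; unless the inetd/ucspitcp service-domain interfaces called at the end of the file supply the role, the domain cannot be entered. The qmail-rspawn header comment also has a typo, `scedules` for `schedules`.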
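Review bot: `corenet_udp_bind_all_nodes(ucspitcp_t)` in the last ucspitcp.te hunk adds a node bind without a matching UDP port bind, and the UDP rules visible in this file (`corenet_udp_sendrecv_all_ports`) cover send and receive only; unless a `corenet_udp_bind_*_port` rule exists outside the hunk, a UDP listener in ucspitcp_t would presumably still be denied at bind time. It is also not clear from the two ucspitcp hunks which ucspi-tcp program needs UDP at all, so a comment naming it next to the new `self:udp_socket create_socket_perms` rule would make the addition checkable.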
@@ -36,6 +36,10 @@ /var/dnscache/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) /var/dnscache/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/qmail/supervise(/.*)? gen_context(system_u:object_r:svc_svc_t,s0) +/var/qmail/supervise/.*/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) +/var/qmail/supervise/.*/log/run -- gen_context(system_u:object_r:svc_run_exec_t,s0) + /var/service/.* gen_context(system_u:object_r:svc_svc_t,s0) /var/service/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0) /var/service/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0) diff --git a/refpolicy/policy/modules/system/daemontools.te b/refpolicy/policy/modules/system/daemontools.te index 0c617298..7f4a387e 100644 --- a/refpolicy/policy/modules/system/daemontools.te +++ b/refpolicy/policy/modules/system/daemontools.te @@ -1,5 +1,5 @@ -policy_module(daemontools,1.0.0) +policy_module(daemontools,1.0.1) ######################################## # @@ -90,6 +90,10 @@ libs_use_shared_libs(svc_run_t) daemontools_domtrans_multilog(svc_run_t) daemontools_read_svc(svc_run_t) +optional_policy(` + qmail_read_config(svc_run_t) +') + ######################################## # # local policy for service monitoring programs
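Review bot: The new `/var/qmail/supervise(/.*)?` entries in daemontools.fc only single out the run scripts; unlike the `/var/service/.*` block directly below, which maps `env(/.*)?` to svc_conf_t and `log/main(/.*)?` to svc_log_t, a qmail supervise tree's `env` and `log/main` directories fall under the svc_svc_t catch-all. If multilog or the run scripts under /var/qmail/supervise use those subdirectories, the existing svc_conf_t and svc_log_t rules presumably will not apply to them; adding the two parallel entries `/var/qmail/supervise/.*/env(/.*)? gen_context(system_u:object_r:svc_conf_t,s0)` and `/var/qmail/supervise/.*/log/main(/.*)? gen_context(system_u:object_r:svc_log_t,s0)` would keep the two trees labeled consistently.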