Index: policy/modules/services/milters.te
===================================================================
--- policy/modules/services/milters.te (revision 0)
+++ policy/modules/services/milters.te (revision 0)
@@ -0,0 +1,44 @@
+policy_module(milters,0.0.7)
+
+require {
+ attribute port_type;
+}
+
+type milter_port_t, port_type;
+
+#============= milter-regex policy ==============
+milter_template(regex)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(milter_regex_t)
+
+# The milter creates a socket in /var/spool/milter-regex/
+# for communication with sendmail
+files_search_spool(milter_regex_t)
+manage_sock_files_pattern(milter_regex_t,milter_regex_spool_t,milter_regex_spool_t)
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow milter_regex_t self:capability { setuid setgid dac_override };
+
+
+#============= spamass-milter policy ==============
+milter_template(spamass)
+
+# The milter creates a socket in /var/run/spamass-milter/
+# for communication with sendmail
+manage_files_pattern(milter_spamass_t,milter_spamass_var_run_t,milter_spamass_var_run_t)
+manage_sock_files_pattern(milter_spamass_t,milter_spamass_var_run_t,milter_spamass_var_run_t)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+#
+# The spamassassin_domtrans_spamc interface in Fedora 9 ???
+#spamassassin_domtrans_spamc(milter_spamass_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(milter_spamass_t)
+corecmd_read_bin_symlinks(milter_spamass_t)
+corecmd_search_bin(milter_spamass_t)
+kernel_read_system_state(milter_spamass_t)
+mta_send_mail(milter_spamass_t)
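Review bot: The spamass-milter section leaves its primary operation unprovisioned — the only rule for piping mail through spamc is the commented-out `spamassassin_domtrans_spamc(milter_spamass_t)` at L41 with a `???`, so under this policy the filter's main path would be denied while the secondary popen()/sendmail path (L45–L49) is fully allowed. Resolve it before merging: if the interface exists in the targeted refpolicy, call it inside an `optional_policy(` … `')` block; if it does not, the comment should state which rules are used instead rather than a question mark. The sendmail rules are also granted unconditionally although the comment says they are only exercised with -b/-B; a tunable would keep `corecmd_exec_shell` off the default profile. On the milter-regex side `dac_override` is the widest grant in the file — the comment justifies it for unlinking a stale socket owned by another user, which presumably only needs it when the spool directory itself denies root DAC write access, so it is worth confirming from audit logs that nothing narrower suffices. Finally `milter_port_t` (L12) is declared with `port_type` but nothing in the patch assigns it a port number, so `name_bind` on it cannot match until a port is labelled with it; a comment pointing to how that is expected to happen would help.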
Index: policy/modules/services/sendmail.te
===================================================================
--- policy/modules/services/sendmail.te (revision 2710)
+++ policy/modules/services/sendmail.te (working copy)
@@ -112,6 +112,14 @@
')
optional_policy(`
+ milter_regex_stream_connect(sendmail_t)
+')
+
+optional_policy(`
+ milter_spamass_stream_connect(sendmail_t)
+')
+
+optional_policy(`
postfix_exec_master(sendmail_t)
postfix_read_config(sendmail_t)
postfix_search_spool(sendmail_t)
Index: policy/modules/services/milters.fc
===================================================================
--- policy/modules/services/milters.fc (revision 0)
+++ policy/modules/services/milters.fc (revision 0)
@@ -0,0 +1,14 @@
+#================= contexts for milter-regex =================
+
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:milter_regex_exec_t,s0)
+
+/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:milter_regex_spool_t,s0)
+
+#================= contexts for spamass-milter =================
+
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:milter_spamass_exec_t,s0)
+
+/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:milter_spamass_var_run_t,s0)
+/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:milter_spamass_var_run_t,s0)
+
+
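Review bot: No file context is given for a milter-regex pid file although the template derives a `milter_regex_var_run_t` type for it, whereas spamass-milter gets both a `\.pid` entry and a directory entry (L83–L84); if milter-regex writes a pid file under /var/run it will receive the default label of that directory rather than a type the milter domain is tied to. Confirm against the daemon's behaviour and, if it does write one, add an entry on the pattern of L83 using `milter_regex_var_run_t`. The two trailing blank lines at L85–L86 should also be dropped.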
Index: policy/modules/services/mta.te
===================================================================
--- policy/modules/services/mta.te (revision 2710)
+++ policy/modules/services/mta.te (working copy)
@@ -154,3 +154,7 @@
cron_read_system_job_tmp_files(mta_user_agent)
')
')
+
+optional_policy(`
+ milter_spamass_rw_stream_sockets(system_mail_t)
+')
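Review bot: `milter_spamass_rw_stream_sockets(system_mail_t)` grants the MTA agent read/write on the milter's unix stream sockets outright; if the only reason is that the sendmail child spawned via popen() (milters.te L43–L44) inherits the milter's open connection as a leaked fd, refpolicy usually handles such descriptors with a `dontaudit` rule rather than an allow, since the child has no need to talk on that socket. If sendmail genuinely must use the socket (for instance because the milter hands it over as stdio), a comment stating that would justify the allow. Either way this call should carry the same justification comment that the .te file gives for the popen() path.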
Index: policy/modules/services/milters.if
===================================================================
--- policy/modules/services/milters.if (revision 0)
+++ policy/modules/services/milters.if (revision 0)
@@ -0,0 +1,117 @@
+## Milter mail filters
+
+########################################
+##
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
+##
+##
+##
+## The name to be used for deriving type names.
+##
+##
+#
+template(`milter_template',`
+
+ # Type that the milter application runs as
+ type milter_$1_t;
+ domain_type(milter_$1_t)
+ role system_r types milter_$1_t;
+
+ # Type for the executable file
+ type milter_$1_exec_t;
+ init_daemon_domain(milter_$1_t, milter_$1_exec_t)
+
+ # This type is for pidfiles etc.
+ type milter_$1_var_run_t;
+ files_type(milter_$1_var_run_t);
+
+ # This type is for spool/cache data etc.
+ type milter_$1_cache_t;
+ files_type(milter_$1_cache_t);
+
+ # This type is for spool/cache data etc.
+ type milter_$1_spool_t;
+ files_type(milter_$1_spool_t);
+
+ # This type is for state data etc.
+ type milter_$1_var_lib_t;
+ files_type(milter_$1_var_lib_t);
+
+ # Generic rules from policygentool
+ files_read_etc_files(milter_$1_t)
+ libs_use_ld_so(milter_$1_t)
+ libs_use_shared_libs(milter_$1_t)
+ miscfiles_read_localization(milter_$1_t)
+ sysnet_dns_name_resolve(milter_$1_t)
+ init_use_fds(milter_$1_t)
+ init_use_script_ptys(milter_$1_t)
+ domain_use_interactive_fds(milter_$1_t)
+
+ # Allow communication with MTA over a TCP socket
+ # hack since this port has no interfaces since it does not have net_contexts
+ gen_require(`
+ type milter_port_t;
+ ')
+ allow milter_$1_t milter_port_t:tcp_socket name_bind;
+ corenet_tcp_bind_generic_node(milter_$1_t)
+ allow milter_$1_t self:tcp_socket { listen accept };
+
+ # Things that most milters will need to do
+ allow milter_$1_t self:fifo_file rw_fifo_file_perms;
+ logging_send_syslog_msg(milter_$1_t)
+
+')
+
+########################################
+##
+## MTA communication with spamass-milter socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_spamass_stream_connect',`
+ gen_require(`
+ type milter_spamass_var_run_t, milter_spamass_t;
+ ')
+ stream_connect_pattern($1,milter_spamass_var_run_t,milter_spamass_var_run_t,milter_spamass_t)
+')
+
+########################################
+##
+## Allow read/write unix stream sockets from spamass-milter
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_spamass_rw_stream_sockets',`
+ gen_require(`
+ type milter_spamass_t;
+ ')
+
+ allow $1 milter_spamass_t:unix_stream_socket { read write };
+')
+
+
+########################################
+##
+## MTA communication with milter-regex socket
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_regex_stream_connect',`
+ gen_require(`
+ type milter_regex_spool_t, milter_regex_t;
+ ')
+ stream_connect_pattern($1,milter_regex_spool_t,milter_regex_spool_t,milter_regex_t)
+')
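Review bot: The template labels its pid and spool types with plain `files_type()` (L129–L138) where refpolicy has dedicated interfaces that attach the matching attributes — `files_pid_file(milter_$1_var_run_t)` and `files_spool_file(milter_$1_spool_t)` — without which rules written against the pidfile and spool attributes (such as init's pid-file cleanup) will not cover these types. Those four lines also end in `;` unlike every other interface call in the template; the macro expansion already terminates its own statement, so the extra semicolon is at best inconsistent and may leave an empty statement that checkpolicy rejects, and should be dropped. The comment on `milter_$1_cache_t` (L132) is a copy of the spool comment at L136 and should describe the cache type instead. `milter_$1_cache_t` and `milter_$1_var_lib_t` are declared for every milter but neither milter in this patch uses them, which leaves unused types per instance; consider declaring only what is needed or documenting the intent. The `##` documentation blocks (L107–L116, L170–L178, L187–L195, L206–L214) show empty lines where the `<summary>` and `<param name="domain">` XML tags would normally sit — if that is not merely an artifact of how the diff was rendered, the policy documentation tooling will emit empty entries for these interfaces.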
Index: policy/modules/services/spamassassin.fc
===================================================================
--- policy/modules/services/spamassassin.fc (revision 2710)
+++ policy/modules/services/spamassassin.fc (working copy)
@@ -10,7 +10,6 @@
/var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
/var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
/var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
/var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)