Index: policy/modules/kernel/corenetwork.te.in
===================================================================
--- policy/modules/kernel/corenetwork.te.in (revision 2770)
+++ policy/modules/kernel/corenetwork.te.in (working copy)
@@ -119,6 +119,7 @@
 type lrrd_port_t, port_type; dnl network_port(lrrd_port_t) # no defined portcon
 network_port(lmtp, tcp,24,s0, udp,24,s0)
 network_port(mail, tcp,2000,s0)
+type milter_port_t, port_type; dnl network_port(milter) # no defined portcon
 network_port(mmcc, tcp,5050,s0, udp,5050,s0)
 network_port(monopd, tcp,1234,s0)
 network_port(msnp, tcp,1863,s0, udp,1863,s0)
Index: policy/modules/services/milters.te
===================================================================
--- policy/modules/services/milters.te (revision 0)
+++ policy/modules/services/milters.te (revision 0)
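Review bot: `type milter_port_t, port_type;` is declared with the network_port() call disabled, so no TCP port actually carries this label until an administrator assigns one, while milters.if grants every milter domain name_bind on it unconditionally. That is a workable design, but the trailing comment should tell the reader what is expected of the admin rather than only stating the fact; something like `# no defined portcon: the admin labels the milter's TCP port` would do. Because network_port(milter) is not expanded, no corenet_*_milter_port interfaces are generated either, which the MTA-side hunks in this patch should take into account.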
@@ -0,0 +1,42 @@
+policy_module(milters,0.1.4)
+
+require {
+	attribute port_type;
+}
+
+#============= declarations ================
+
+# attributes common to all milters
+attribute milter_domains;
+attribute milter_socket_directories;
+attribute milter_socket_type;
+
+
+#============= milter-regex policy ==============
+milter_template(regex)
+
+# Config is in /etc/mail/milter-regex.conf
+mta_read_config(milter_regex_t)
+
+# The milter's socket directory lives under /var/spool
+files_search_spool(milter_regex_t)
+
+# It removes any existing socket (not owned by root) whilst running as root
+# and then calls setgid() and setuid() to drop privileges
+allow milter_regex_t self:capability { setuid setgid dac_override };
+
+
+#============= spamass-milter policy ==============
+milter_template(spamass)
+
+# The main job of the milter is to pipe spam through spamc and act on the result
+spamassassin_domtrans_spamc(milter_spamass_t)
+
+# When used with -b or -B options, the milter invokes sendmail to send mail
+# to a spamtrap address, using popen()
+corecmd_exec_shell(milter_spamass_t)
+corecmd_read_bin_symlinks(milter_spamass_t)
+corecmd_search_bin(milter_spamass_t)
+kernel_read_system_state(milter_spamass_t)
+mta_send_mail(milter_spamass_t)
+
Index: policy/modules/services/sendmail.te
===================================================================
--- policy/modules/services/sendmail.te (revision 2770)
+++ policy/modules/services/sendmail.te (working copy)
@@ -112,6 +112,10 @@
 ')
 
 optional_policy(`
+	milter_stream_connect(sendmail_t)
+')
+
+optional_policy(`
 	postfix_exec_master(sendmail_t)
 	postfix_read_config(sendmail_t)
 	postfix_search_spool(sendmail_t)
Index: policy/modules/services/milters.fc
===================================================================
--- policy/modules/services/milters.fc (revision 0)
+++ policy/modules/services/milters.fc (revision 0)
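Review bot: `mta_read_config(milter_regex_t)`, `spamassassin_domtrans_spamc(milter_spamass_t)` and `mta_send_mail(milter_spamass_t)` call into other service modules without an optional_policy wrapper, so the milters module presumably fails to build or load on a system where mta or spamassassin is not present; the sendmail.te and postfix.te hunks in this same patch show the expected form, and each of the three calls should get its own optional_policy block. The `require { attribute port_type; }` block at the top appears to be unused: nothing in this file references port_type, and milter_port_t is brought into scope by the template's gen_require, so the block can be dropped. The capability rule is well commented; it would be worth an equally explicit comment on why dac_override rather than a narrower capability is needed, if that was verified.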
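Review bot: `milter_stream_connect(sendmail_t)` covers only the unix-domain path (getattr on the socket directory plus stream_connect_pattern), but milters.if in this patch lets every milter listen on milter_port_t over TCP, and because network_port(milter) is commented out in corenetwork.te.in there is no generated corenet_tcp_connect interface for sendmail_t to use. Either add an explicit TCP connect rule for milter_port_t here, or state in the milter_stream_connect summary that TCP-attached milters are not covered so the gap is visible to the admin. The same applies to the postfix.te hunk for postfix_smtp_t further down.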
@@ -0,0 +1,13 @@
+/usr/sbin/milter-regex -- gen_context(system_u:object_r:milter_regex_exec_t,s0)
+/var/spool/milter-regex -d gen_context(system_u:object_r:milter_regex_data_dir_t,s0)
+/var/spool/milter-regex/sock -s gen_context(system_u:object_r:milter_regex_socket_t,s0)
+/var/spool/milter-regex/.+ gen_context(system_u:object_r:milter_regex_data_t,s0)
+
+/usr/sbin/spamass-milter -- gen_context(system_u:object_r:milter_spamass_exec_t,s0)
+/var/run/spamass-milter -d gen_context(system_u:object_r:milter_spamass_data_dir_t,s0)
+/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:milter_spamass_data_t,s0)
+/var/run/spamass-milter/spamass-milter\.sock -s gen_context(system_u:object_r:milter_spamass_socket_t,s0)
+/var/run/spamass-milter/.+ gen_context(system_u:object_r:milter_spamass_data_t,s0)
+/var/run/spamass-milter/postfix -d gen_context(system_u:object_r:milter_spamass_data_dir_t,s0)
+/var/run/spamass-milter/postfix/sock -s gen_context(system_u:object_r:milter_spamass_socket_t,s0)
+
Index: policy/modules/services/mta.te
===================================================================
--- policy/modules/services/mta.te (revision 2770)
+++ policy/modules/services/mta.te (working copy)
@@ -105,6 +105,9 @@
 	# postfix needs this for newaliases
 	files_getattr_tmp_dirs(system_mail_t)
 
+	# newaliases runs as system_mail_t when the sendmail initscript does a restart
+	milter_getattr_socket_dir(system_mail_t)
+
 	postfix_exec_master(system_mail_t)
 	postfix_read_config(system_mail_t)
 	postfix_search_spool(system_mail_t)
Index: policy/modules/services/milters.if
===================================================================
--- policy/modules/services/milters.if (revision 0)
+++ policy/modules/services/milters.if (revision 0)
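Review bot: `/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:milter_spamass_data_t,s0)` labels a file directly under /var/run, but the template in milters.if only grants creation of and transitions to milter_$1_data_t inside milter_$1_data_dir_t, so a pid file the daemon writes at that path would get the parent directory's type at runtime and only acquire this label on a relabel. If spamass-milter writes its own pid file there, the template needs a files_pid_filetrans rule for milter_$1_data_t plus the matching file permissions; otherwise it is simpler to point the pid file into /var/run/spamass-milter/ where the existing `.+` entry and filetrans already cover it. I cannot tell from the patch which of the two is the case, so a comment above the entry stating who creates the file would help the next reader.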
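Review bot: `milter_getattr_socket_dir(system_mail_t)` is inserted inside the postfix optional_policy block (the surrounding context lines are all postfix_* calls), so when the milters module is absent the unsatisfied require disables that whole block, postfix rules included, and when postfix is absent the milter rule is lost even though its comment ties it to the sendmail initscript. Give it its own optional_policy block containing just `milter_getattr_socket_dir(system_mail_t)` with the comment above it, placed after the postfix block. The enclosing optional_policy starts and ends outside the hunk.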
@@ -0,0 +1,108 @@
+## Milter mail filters
+
+########################################
+##
+## Create a set of derived types for various
+## mail filter applications using the milter interface.
+##
+##
+##
+## The name to be used for deriving type names.
+##
+##
+#
+template(`milter_template',`
+
+	# attributes common to all milters, plus port type for milter TCP sockets
+	gen_require(`
+		attribute milter_socket_directories, milter_socket_type, milter_domains;
+		type milter_port_t;
+	')
+
+	# Type that the milter application runs as
+	type milter_$1_t, milter_domains;
+	domain_type(milter_$1_t)
+	role system_r types milter_$1_t;
+
+	# Type for the executable file
+	type milter_$1_exec_t;
+	init_daemon_domain(milter_$1_t, milter_$1_exec_t)
+
+	# Type for the directory that the unix-domain socket for MTA
+	# communication will live in
+	type milter_$1_data_dir_t, milter_socket_directories;
+	files_type(milter_$1_data_dir_t)
+
+	# Type for the unix-domain socket for MTA communication
+	type milter_$1_socket_t, milter_socket_type;
+	files_type(milter_$1_socket_t);
+	filetrans_pattern(milter_$1_t,milter_$1_data_dir_t,milter_$1_socket_t,sock_file)
+
+	# Any other data the milter puts in a milter_data_dir_t directory
+	type milter_$1_data_t;
+	files_type(milter_$1_data_t);
+	filetrans_pattern(milter_$1_t,milter_$1_data_dir_t,milter_$1_data_t,{ dir file })
+
+	# Generic rules from policygentool
+	files_read_etc_files(milter_$1_t)
+	libs_use_ld_so(milter_$1_t)
+	libs_use_shared_libs(milter_$1_t)
+	miscfiles_read_localization(milter_$1_t)
+	sysnet_dns_name_resolve(milter_$1_t)
+	init_use_fds(milter_$1_t)
+	init_use_script_ptys(milter_$1_t)
+	domain_use_interactive_fds(milter_$1_t)
+
+	# Allow communication with MTA over a TCP socket
+	allow milter_$1_t milter_port_t:tcp_socket name_bind;
+	corenet_tcp_bind_generic_node(milter_$1_t)
+	allow milter_$1_t self:tcp_socket { listen accept };
+
+	# Allow communication with MTA over a unix-domain socket
+	manage_sock_files_pattern(milter_$1_t,milter_$1_data_dir_t,milter_$1_socket_t)
+
+	# Create other data files and directories in the socket directory
+	manage_files_pattern(milter_$1_t,milter_$1_data_dir_t,milter_$1_data_t)
+	manage_files_pattern(milter_$1_t,milter_$1_data_t,milter_$1_data_t)
+
+	# Things that most milters will need to do
+	allow milter_$1_t self:fifo_file rw_fifo_file_perms;
+	logging_send_syslog_msg(milter_$1_t)
+
+')
+
+########################################
+##
+## MTA communication with milter sockets
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_stream_connect',`
+	gen_require(`
+		attribute milter_socket_directories, milter_socket_type, milter_domains;
+	')
+	getattr_dirs_pattern($1,milter_socket_directories,milter_socket_directories)
+	stream_connect_pattern($1,milter_socket_directories,milter_socket_type,milter_domains)
+')
+
+########################################
+##
+## Allow search of milter socket directory
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_getattr_socket_dir',`
+	gen_require(`
+		attribute milter_socket_directories;
+	')
+	getattr_dirs_pattern($1,milter_socket_directories,milter_socket_directories)
+')
+
Index: policy/modules/services/spamassassin.fc
===================================================================
--- policy/modules/services/spamassassin.fc (revision 2770)
+++ policy/modules/services/spamassassin.fc (working copy)
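Review bot: `filetrans_pattern(milter_$1_t,milter_$1_data_dir_t,milter_$1_data_t,{ dir file })` transitions new directories to milter_$1_data_t, but the only rules on that type are the two manage_files_pattern calls, so a milter that creates a subdirectory gets the transition and then no dir create permission on the new type; add `manage_dirs_pattern(milter_$1_t,milter_$1_data_dir_t,milter_$1_data_t)` beside the manage_files_pattern lines, or drop dir from the class list. The TCP section grants name_bind on milter_port_t and listen/accept to every milter unconditionally even though both milters in this patch are labelled only with unix sockets in milters.fc and milter_port_t has no portcon; creating the TCP socket itself appears to depend on the self:tcp_socket permissions that sysnet_dns_name_resolve happens to grant, which deserves either a comment or an explicit `allow milter_$1_t self:tcp_socket create_socket_perms;` so the rule does not silently break if that interface changes. The milter_getattr_socket_dir summary says "Allow search of milter socket directory" while the body only grants getattr through getattr_dirs_pattern; change the summary to `Allow getattr of milter socket directories`, or use search_dirs_pattern if search is what system_mail_t actually needs. The trailing semicolons on the three `files_type(...)` calls are not the usual interface-call form in refpolicy and should be removed. The XML summary/param tags of the three doc headers appear to have been stripped in this rendering, so I cannot check them here.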
@@ -10,7 +10,6 @@
 /var/lib/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_lib_t,s0)
 
 /var/run/spamassassin(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
-/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamd_var_run_t,s0)
 
 /var/spool/spamassassin(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
 /var/spool/spamd(/.*)? gen_context(system_u:object_r:spamd_spool_t,s0)
Index: policy/modules/services/postfix.te
===================================================================
--- policy/modules/services/postfix.te (revision 2770)
+++ policy/modules/services/postfix.te (working copy)
@@ -530,6 +530,10 @@
 	cyrus_stream_connect(postfix_smtp_t)
 ')
 
+optional_policy(`
+	milter_stream_connect(postfix_smtp_t)
+')
+
 ########################################
 #
 # Postfix smtpd local policy