diff --git a/Changelog b/Changelog
index 2233075..3fae533 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Milter state directory patch from Paul Howarth.
- Add MLS constrains for ingress/egress and secmark from Paul Moore.
- Drop write permission from fs_read_rpc_sockets().
- Remove unused udev_runtime_t type.
diff --git a/policy/modules/services/milter.fc b/policy/modules/services/milter.fc
index 4634dba..8528050 100644
--- a/policy/modules/services/milter.fc
+++ b/policy/modules/services/milter.fc
@@ -2,5 +2,7 @@
/var/spool/milter-regex(/.*)? gen_context(system_u:object_r:regex_milter_data_t,s0)
/usr/sbin/spamass-milter -- gen_context(system_u:object_r:spamass_milter_exec_t,s0)
+
+/var/lib/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_state_t,s0)
/var/run/spamass-milter(/.*)? gen_context(system_u:object_r:spamass_milter_data_t,s0)
/var/run/spamass-milter\.pid -- gen_context(system_u:object_r:spamass_milter_data_t,s0)
diff --git a/policy/modules/services/milter.if b/policy/modules/services/milter.if
index 1155cb7..55d25cd 100644
--- a/policy/modules/services/milter.if
+++ b/policy/modules/services/milter.if
@@ -77,3 +77,24 @@ interface(`milter_getattr_all_sockets',`
getattr_dirs_pattern($1, milter_data_type, milter_data_type)
getattr_sock_files_pattern($1, milter_data_type, milter_data_type)
')
+
+########################################
+##
+## Manage spamassassin milter state
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`milter_manage_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_search_var_lib($1)
+ manage_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_dirs_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+ manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)
+')
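Review bot: `milter_manage_spamass_state` gives the caller create, write and delete rights on directories, files and symbolic links labelled `spamass_milter_state_t`, which is broader than the summary "Manage spamassassin milter state" conveys. A summary such as `## Create, read, write, and delete spamassassin milter state files, directories and symbolic links.` would make the scope visible wherever the interface is used. If no caller needs to create symlinks in the state directory, dropping the `manage_lnk_files_pattern($1, spamass_milter_state_t, spamass_milter_state_t)` line would narrow what a compromised caller can do there. Whether symlinks are needed cannot be judged from this hunk.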
diff --git a/policy/modules/services/milter.te b/policy/modules/services/milter.te
index 908cb61..cedcf41 100644
--- a/policy/modules/services/milter.te
+++ b/policy/modules/services/milter.te
@@ -1,5 +1,5 @@
-policy_module(milter, 1.0.0)
+policy_module(milter, 1.0.1)
########################################
#
@@ -14,6 +14,12 @@ attribute milter_data_type;
milter_template(regex)
milter_template(spamass)
+# Type for the spamass-milter home directory, under which spamassassin will
+# store system-wide preferences, bayes databases etc. if not configured to
+# use per-user configuration
+type spamass_milter_state_t;
+files_type(spamass_milter_state_t)
+
########################################
#
# milter-regex local policy
@@ -41,6 +47,10 @@ mta_read_config(regex_milter_t)
# http://savannah.nongnu.org/projects/spamass-milt/
#
+# The milter runs from /var/lib/spamass-milter
+allow spamass_milter_t spamass_milter_state_t:dir search_dir_perms;
+files_search_var_lib(spamass_milter_t)
+
kernel_read_system_state(spamass_milter_t)
# When used with -b or -B options, the milter invokes sendmail to send mail
diff --git a/policy/modules/services/spamassassin.te b/policy/modules/services/spamassassin.te
index 622b4b2..50b62dd 100644
--- a/policy/modules/services/spamassassin.te
+++ b/policy/modules/services/spamassassin.te
@@ -1,5 +1,5 @@
-policy_module(spamassassin, 2.1.2)
+policy_module(spamassassin, 2.1.3)
########################################
#
@@ -280,6 +280,11 @@ optional_policy(`
')
optional_policy(`
+ # Needed for pyzor/razor called from spamd
+ milter_manage_spamass_state(spamc_t)
+')
+
+optional_policy(`
nis_use_ypbind(spamc_t)
')
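Review bot: The comment `# Needed for pyzor/razor called from spamd` sits above a grant to `spamc_t`, so the stated reason and the domain receiving the access do not match. Either reword the comment to say why the client domain needs manage access, or keep the call only in the `spamd_t` block if that is where pyzor/razor actually run. The matching `milter_manage_spamass_state(spamd_t)` call in the later hunk at -419 has no comment at all, so the rationale would fit better there. The type comment added in milter.te describes this directory as holding system-wide preferences and bayes databases, so write and delete access from `spamc_t` lets that domain alter data that appears to influence filtering, which makes the justification worth recording.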
@@ -419,6 +424,10 @@ optional_policy(`
')
optional_policy(`
+ milter_manage_spamass_state(spamd_t)
+')
+
+optional_policy(`
mysql_search_db(spamd_t)
mysql_stream_connect(spamd_t)
')