diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 38c0c70..f5387ab 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -2,6 +2,7 @@
build phase instead of during the generation phase.
- DISTRO=redhat now implies DIRECT_INITRC=y.
- Added policies:
+ cyrus
dovecot
distcc
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 4457dc0..10d17a8 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -143,6 +143,10 @@ tunable_policy(`fcron_crond', `
allow crond_t system_cron_spool_t:file create_file_perms;
')
+optional_policy(`cyrus.te',`
+ cyrus_manage_data(system_crond_t)
+')
+
optional_policy(`inn.te',`
inn_manage_log(system_crond_t)
inn_manage_pid(system_crond_t)
diff --git a/refpolicy/policy/modules/services/cyrus.fc b/refpolicy/policy/modules/services/cyrus.fc
new file mode 100644
index 0000000..86a9d7e
--- /dev/null
+++ b/refpolicy/policy/modules/services/cyrus.fc
@@ -0,0 +1,4 @@
+
+/usr/lib(64)?/cyrus-imapd/cyrus-master -- gen_context(system_u:object_r:cyrus_exec_t,s0)
+
+/var/lib/imap(/.*)? gen_context(system_u:object_r:cyrus_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/services/cyrus.if b/refpolicy/policy/modules/services/cyrus.if
new file mode 100644
index 0000000..ec53160
--- /dev/null
+++ b/refpolicy/policy/modules/services/cyrus.if
@@ -0,0 +1,20 @@
+## Cyrus is an IMAP service intended to be run on sealed servers
+
+########################################
+##
+## Allow caller to create, read, write,
+## and delete cyrus data files.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`cyrus_manage_data',`
+ gen_require(`
+ type cyrus_var_lib_t;
+ ')
+
+ files_search_var_lib($1)
+ allow $1 cyrus_var_lib_t:dir rw_dir_perms;
+ allow $1 cyrus_var_lib_t:file manage_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
new file mode 100644
index 0000000..2a84c78
--- /dev/null
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -0,0 +1,146 @@
+
+policy_module(cyrus,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyrus_t;
+type cyrus_exec_t;
+init_daemon_domain(cyrus_t,cyrus_exec_t)
+
+type cyrus_tmp_t;
+files_tmp_file(cyrus_tmp_t)
+
+type cyrus_var_lib_t;
+files_type(cyrus_var_lib_t)
+
+type cyrus_var_run_t;
+files_pid_file(cyrus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit cyrus_t self:capability sys_tty_config;
+allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow cyrus_t self:process setrlimit;
+allow cyrus_t self:fd use;
+allow cyrus_t self:fifo_file rw_file_perms;
+allow cyrus_t self:shm create_shm_perms;
+allow cyrus_t self:sem create_sem_perms;
+allow cyrus_t self:msgq create_msgq_perms;
+allow cyrus_t self:msg { send receive };
+allow cyrus_t self:unix_dgram_socket create_socket_perms;
+allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
+allow cyrus_t self:unix_dgram_socket sendto;
+allow cyrus_t self:unix_stream_socket connectto;
+allow cyrus_t self:tcp_socket create_stream_socket_perms;
+allow cyrus_t self:udp_socket create_socket_perms;
+
+allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
+allow cyrus_t cyrus_tmp_t:file create_file_perms;
+files_create_tmp_files(cyrus_t, cyrus_tmp_t, { file dir })
+
+allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
+allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
+
+allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
+allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
+allow cyrus_t cyrus_var_run_t:file create_file_perms;
+files_create_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })
+
+kernel_read_kernel_sysctl(cyrus_t)
+kernel_read_system_state(cyrus_t)
+kernel_read_all_sysctl(cyrus_t)
+
+corenet_tcp_sendrecv_all_if(cyrus_t)
+corenet_udp_sendrecv_all_if(cyrus_t)
+corenet_raw_sendrecv_all_if(cyrus_t)
+corenet_tcp_sendrecv_all_nodes(cyrus_t)
+corenet_udp_sendrecv_all_nodes(cyrus_t)
+corenet_raw_sendrecv_all_nodes(cyrus_t)
+corenet_tcp_sendrecv_all_ports(cyrus_t)
+corenet_udp_sendrecv_all_ports(cyrus_t)
+corenet_tcp_bind_all_nodes(cyrus_t)
+corenet_udp_bind_all_nodes(cyrus_t)
+corenet_tcp_bind_mail_port(cyrus_t)
+corenet_tcp_bind_pop_port(cyrus_t)
+corenet_tcp_connect_all_ports(cyrus_t)
+
+dev_read_rand(cyrus_t)
+dev_read_urand(cyrus_t)
+dev_read_sysfs(cyrus_t)
+
+fs_getattr_all_fs(cyrus_t)
+fs_search_auto_mountpoints(cyrus_t)
+
+term_dontaudit_use_console(cyrus_t)
+
+corecmd_exec_bin(cyrus_t)
+
+domain_use_wide_inherit_fd(cyrus_t)
+
+files_list_var_lib(cyrus_t)
+files_read_etc_files(cyrus_t)
+files_read_etc_runtime_files(cyrus_t)
+files_create_pid(cyrus_t,cyrus_var_run_t)
+
+init_use_fd(cyrus_t)
+
+libs_use_ld_so(cyrus_t)
+libs_use_shared_libs(cyrus_t)
+libs_exec_lib_files(cyrus_t)
+
+logging_send_syslog_msg(cyrus_t)
+
+miscfiles_read_localization(cyrus_t)
+miscfiles_read_certs(cyrus_t)
+
+sysnet_read_config(cyrus_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cyrus_t)
+userdom_dontaudit_search_sysadm_home_dir(cyrus_t)
+userdom_use_unpriv_users_fd(cyrus_t)
+userdom_use_sysadm_pty(cyrus_t)
+
+mta_manage_spool(cyrus_t)
+
+ifdef(`targeted_policy',`
+ term_dontaudit_use_unallocated_tty(cyrus_t)
+ term_dontaudit_use_generic_pty(cyrus_t)
+ files_dontaudit_read_root_file(cyrus_t)
+')
+
+optional_policy(`cron.te',`
+ cron_system_entry(cyrus_t,cyrus_exec_t)
+')
+
+optional_policy(`mount.te',`
+ mount_send_nfs_client_request(cyrus_t)
+')
+
+optional_policy(`nis.te',`
+ nis_use_ypbind(cyrus_t)
+')
+
+optional_policy(`sasl.te',`
+ sasl_connect(cyrus_t)
+')
+
+optional_policy(`selinuxutil.te',`
+ seutil_sigchld_newrole(cyrus_t)
+')
+
+optional_policy(`udev.te',`
+ udev_read_db(cyrus_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+ rhgb_domain(cyrus_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc
index 59c4189..494c989 100644
--- a/refpolicy/policy/modules/services/mta.fc
+++ b/refpolicy/policy/modules/services/mta.fc
@@ -10,8 +10,8 @@ ifdef(`sendmail.te',`',`
/var/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
+/var/spool/imap(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
/var/spool/(client)?mqueue(/.*)? gen_context(system_u:object_r:mqueue_spool_t,s0)
-
/var/spool/mail(/.*)? gen_context(system_u:object_r:mail_spool_t,s0)
ifdef(`postfix.te', `', `
diff --git a/refpolicy/policy/modules/services/sasl.if b/refpolicy/policy/modules/services/sasl.if
index 3cba13b..d085472 100644
--- a/refpolicy/policy/modules/services/sasl.if
+++ b/refpolicy/policy/modules/services/sasl.if
@@ -1 +1,20 @@
## SASL authentication server
+
+########################################
+##
+## Connect to SASL.
+##
+##
+## Domain allowed access.
+##
+#
+interface(`sasl_connect',`
+ gen_require(`
+ type saslauthd_t, saslauthd_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 saslauthd_var_run_t:dir search;
+ allow $1 saslauthd_var_run_t:sock_file { read write };
+ allow $1 saslauthd_t:unix_stream_socket connectto;
+')
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 6f1686d..1c00508 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -74,6 +74,7 @@ ifdef(`distro_suse', `
/usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib(64)?/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/emacsen-common/.* gen_context(system_u:object_r:bin_t,s0)
/usr/lib(64)?/ipsec/.* -- gen_context(system_u:object_r:sbin_t,s0)