diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 38c0c70..f5387ab 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -2,6 +2,7 @@
   build phase instead of during the generation phase.  
 - DISTRO=redhat now implies DIRECT_INITRC=y.
 - Added policies:
+	cyrus
 	dovecot
 	distcc
 
diff --git a/refpolicy/policy/modules/services/cron.te b/refpolicy/policy/modules/services/cron.te
index 4457dc0..10d17a8 100644
--- a/refpolicy/policy/modules/services/cron.te
+++ b/refpolicy/policy/modules/services/cron.te
@@ -143,6 +143,10 @@ tunable_policy(`fcron_crond', `
 	allow crond_t system_cron_spool_t:file create_file_perms;
 ')
 
+optional_policy(`cyrus.te',`
+	cyrus_manage_data(system_crond_t)
+')
+
 optional_policy(`inn.te',`
 	inn_manage_log(system_crond_t)
 	inn_manage_pid(system_crond_t)
diff --git a/refpolicy/policy/modules/services/cyrus.fc b/refpolicy/policy/modules/services/cyrus.fc
new file mode 100644
index 0000000..86a9d7e
--- /dev/null
+++ b/refpolicy/policy/modules/services/cyrus.fc
@@ -0,0 +1,4 @@
+
+/usr/lib(64)?/cyrus-imapd/cyrus-master	--	gen_context(system_u:object_r:cyrus_exec_t,s0)
+
+/var/lib/imap(/.*)?				gen_context(system_u:object_r:cyrus_var_lib_t,s0)
diff --git a/refpolicy/policy/modules/services/cyrus.if b/refpolicy/policy/modules/services/cyrus.if
new file mode 100644
index 0000000..ec53160
--- /dev/null
+++ b/refpolicy/policy/modules/services/cyrus.if
@@ -0,0 +1,20 @@
+## <summary>Cyrus is an IMAP service intended to be run on sealed servers</summary>
+
+########################################
+## <summary>
+##	Allow caller to create, read, write,
+##	and delete cyrus data files.
+## </summary>
+## <param name="domain">
+##      Domain allowed access.
+## </param>
+#
+interface(`cyrus_manage_data',`
+	gen_require(`
+		type cyrus_var_lib_t;
+	')
+
+	files_search_var_lib($1)
+	allow $1 cyrus_var_lib_t:dir rw_dir_perms;
+	allow $1 cyrus_var_lib_t:file manage_file_perms;
+')
diff --git a/refpolicy/policy/modules/services/cyrus.te b/refpolicy/policy/modules/services/cyrus.te
new file mode 100644
index 0000000..2a84c78
--- /dev/null
+++ b/refpolicy/policy/modules/services/cyrus.te
@@ -0,0 +1,146 @@
+
+policy_module(cyrus,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type cyrus_t;
+type cyrus_exec_t;
+init_daemon_domain(cyrus_t,cyrus_exec_t)
+
+type cyrus_tmp_t;
+files_tmp_file(cyrus_tmp_t)
+
+type cyrus_var_lib_t;
+files_type(cyrus_var_lib_t)
+
+type cyrus_var_run_t;
+files_pid_file(cyrus_var_run_t)
+
+########################################
+#
+# Local policy
+#
+
+allow cyrus_t self:capability { dac_override net_bind_service setgid setuid sys_resource };
+dontaudit cyrus_t self:capability sys_tty_config;
+allow cyrus_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow cyrus_t self:process setrlimit;
+allow cyrus_t self:fd use;
+allow cyrus_t self:fifo_file rw_file_perms;
+allow cyrus_t self:shm create_shm_perms;
+allow cyrus_t self:sem create_sem_perms;
+allow cyrus_t self:msgq create_msgq_perms;
+allow cyrus_t self:msg { send receive };
+allow cyrus_t self:unix_dgram_socket create_socket_perms;
+allow cyrus_t self:unix_stream_socket create_stream_socket_perms;
+allow cyrus_t self:unix_dgram_socket sendto;
+allow cyrus_t self:unix_stream_socket connectto;
+allow cyrus_t self:tcp_socket create_stream_socket_perms;
+allow cyrus_t self:udp_socket create_socket_perms;
+
+allow cyrus_t cyrus_tmp_t:dir create_dir_perms;
+allow cyrus_t cyrus_tmp_t:file create_file_perms;
+files_create_tmp_files(cyrus_t, cyrus_tmp_t, { file dir })
+
+allow cyrus_t cyrus_var_lib_t:dir create_dir_perms;
+allow cyrus_t cyrus_var_lib_t:{file sock_file lnk_file} create_file_perms;
+
+allow cyrus_t cyrus_var_run_t:dir rw_dir_perms;
+allow cyrus_t cyrus_var_run_t:sock_file create_file_perms;
+allow cyrus_t cyrus_var_run_t:file create_file_perms;
+files_create_pid(cyrus_t,cyrus_var_run_t,{ file sock_file })
+
+kernel_read_kernel_sysctl(cyrus_t)
+kernel_read_system_state(cyrus_t)
+kernel_read_all_sysctl(cyrus_t)
+
+corenet_tcp_sendrecv_all_if(cyrus_t)
+corenet_udp_sendrecv_all_if(cyrus_t)
+corenet_raw_sendrecv_all_if(cyrus_t)
+corenet_tcp_sendrecv_all_nodes(cyrus_t)
+corenet_udp_sendrecv_all_nodes(cyrus_t)
+corenet_raw_sendrecv_all_nodes(cyrus_t)
+corenet_tcp_sendrecv_all_ports(cyrus_t)
+corenet_udp_sendrecv_all_ports(cyrus_t)
+corenet_tcp_bind_all_nodes(cyrus_t)
+corenet_udp_bind_all_nodes(cyrus_t)
+corenet_tcp_bind_mail_port(cyrus_t)
+corenet_tcp_bind_pop_port(cyrus_t)
+corenet_tcp_connect_all_ports(cyrus_t)
+
+dev_read_rand(cyrus_t)
+dev_read_urand(cyrus_t)
+dev_read_sysfs(cyrus_t)
+
+fs_getattr_all_fs(cyrus_t)
+fs_search_auto_mountpoints(cyrus_t)
+
+term_dontaudit_use_console(cyrus_t)
+
+corecmd_exec_bin(cyrus_t)
+
+domain_use_wide_inherit_fd(cyrus_t)
+
+files_list_var_lib(cyrus_t)
+files_read_etc_files(cyrus_t)
+files_read_etc_runtime_files(cyrus_t)
+files_create_pid(cyrus_t,cyrus_var_run_t)
+
+init_use_fd(cyrus_t)
+
+libs_use_ld_so(cyrus_t)
+libs_use_shared_libs(cyrus_t)
+libs_exec_lib_files(cyrus_t)
+
+logging_send_syslog_msg(cyrus_t)
+
+miscfiles_read_localization(cyrus_t)
+miscfiles_read_certs(cyrus_t)
+
+sysnet_read_config(cyrus_t)
+
+userdom_dontaudit_use_unpriv_user_fd(cyrus_t)
+userdom_dontaudit_search_sysadm_home_dir(cyrus_t)
+userdom_use_unpriv_users_fd(cyrus_t)
+userdom_use_sysadm_pty(cyrus_t)
+
+mta_manage_spool(cyrus_t)
+
+ifdef(`targeted_policy',`
+	term_dontaudit_use_unallocated_tty(cyrus_t)
+	term_dontaudit_use_generic_pty(cyrus_t)
+	files_dontaudit_read_root_file(cyrus_t)
+')
+
+optional_policy(`cron.te',`
+	cron_system_entry(cyrus_t,cyrus_exec_t)
+')
+
+optional_policy(`mount.te',`
+	mount_send_nfs_client_request(cyrus_t)
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(cyrus_t)
+')
+
+optional_policy(`sasl.te',`
+	sasl_connect(cyrus_t)
+')
+
+optional_policy(`selinuxutil.te',`
+	seutil_sigchld_newrole(cyrus_t)
+')
+
+optional_policy(`udev.te',`
+	udev_read_db(cyrus_t)
+')
+
+ifdef(`TODO',`
+optional_policy(`rhgb.te',`
+	rhgb_domain(cyrus_t)
+')
+')
diff --git a/refpolicy/policy/modules/services/mta.fc b/refpolicy/policy/modules/services/mta.fc
index 59c4189..494c989 100644
--- a/refpolicy/policy/modules/services/mta.fc
+++ b/refpolicy/policy/modules/services/mta.fc
@@ -10,8 +10,8 @@ ifdef(`sendmail.te',`',`
 
 /var/mail(/.*)?				gen_context(system_u:object_r:mail_spool_t,s0)
 
+/var/spool/imap(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
 /var/spool/(client)?mqueue(/.*)?	gen_context(system_u:object_r:mqueue_spool_t,s0)
-
 /var/spool/mail(/.*)?			gen_context(system_u:object_r:mail_spool_t,s0)
 
 ifdef(`postfix.te', `', `
diff --git a/refpolicy/policy/modules/services/sasl.if b/refpolicy/policy/modules/services/sasl.if
index 3cba13b..d085472 100644
--- a/refpolicy/policy/modules/services/sasl.if
+++ b/refpolicy/policy/modules/services/sasl.if
@@ -1 +1,20 @@
 ## <summary>SASL authentication server</summary>
+
+########################################
+## <summary>
+##	Connect to SASL.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`sasl_connect',`
+	gen_require(`
+		type saslauthd_t, saslauthd_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 saslauthd_var_run_t:dir search;
+	allow $1 saslauthd_var_run_t:sock_file { read write };
+	allow $1 saslauthd_t:unix_stream_socket connectto;
+')
diff --git a/refpolicy/policy/modules/system/corecommands.fc b/refpolicy/policy/modules/system/corecommands.fc
index 6f1686d..1c00508 100644
--- a/refpolicy/policy/modules/system/corecommands.fc
+++ b/refpolicy/policy/modules/system/corecommands.fc
@@ -74,6 +74,7 @@ ifdef(`distro_suse', `
 
 /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
 
+/usr/lib(64)?/cyrus-imapd/.* --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/sftp-server --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/emacsen-common/.*	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(64)?/ipsec/.*	--	gen_context(system_u:object_r:sbin_t,s0)