policy_module(milter_greylist, 1.0.0)

########################################
#
# Declarations
#

# The domain (milter_greylist_t) and the data type used below
# (milter_greylist_data_t) are expected to come out of this template; nothing
# else in this module declares a type.
# NOTE(review): the template body is not visible here. Confirm that
# milter_template(greylist) really declares milter_greylist_t and
# milter_greylist_data_t for the argument "greylist" and not a differently
# ordered name; if it does not, every rule below refers to an undeclared type
# and the module will not build.
milter_template(greylist)

########################################
#
# Local policy
#

#
# Start-up as root: stale-socket cleanup, permission fix-up, renice, then
# setgid()/setuid() to the service account.
#
# chown and dac_override cover unlinking an existing socket that is not owned
# by root and re-owning the new one; setgid/setuid are the privilege drop;
# sys_nice together with process:{getsched setsched} is the renice.
# NOTE(review): dac_override is the widest grant in this module. It bypasses
# all discretionary checks, not only those on the socket directory. If the
# socket directory is root-owned and root-writable the capability may never
# be exercised; check the AVC log before keeping it rather than granting it
# on the strength of the comment above.
# setuid() does not change the SELinux domain: after dropping root the
# process is still milter_greylist_t, so confinement rests on the rules in
# this module, not on the unprivileged uid.
allow milter_greylist_t self:capability { setuid setgid chown dac_override sys_nice };
allow milter_greylist_t self:process { getsched setsched };

#
# Filesystem access
#

# /var/run/milter-greylist.pid is created with the data type of this module
# instead of the label of the pid directory, so access to the pid file is
# governed by whatever rules exist on milter_greylist_data_t.
files_pid_filetrans(milter_greylist_t, milter_greylist_data_t, file)

# Read-only access to the GeoIP database shipped under /usr/share.
files_read_usr_files(milter_greylist_t)

# The working directory is /var/lib/milter-greylist. Only directory search
# into /var/lib is granted here; read/write on the files kept there is
# presumably granted by the template on milter_greylist_data_t -- confirm,
# otherwise the greylist database cannot be maintained.
files_search_var_lib(milter_greylist_t)

# /etc/mail/greylist.conf carries the MTA configuration label.
mta_read_config(milter_greylist_t)

#
# Everything else
#

# Reads of kernel sysctls. No rationale was recorded for this grant; keep it
# tied to an observed denial rather than granted on principle.
kernel_read_kernel_sysctls(milter_greylist_t)

# Resolves the service account name to a uid/gid for the privilege drop.
# NOTE(review): this is the generic "may use NSS" grant and is broader than
# a local passwd lookup (presumably it also allows talking to a name-service
# daemon); acceptable for a daemon that must resolve its own user, but it
# is not a narrow permission.
auth_use_nsswitch(milter_greylist_t)