diff -urdP --new-file src.new/policy/domains/program/mta.te src/policy/domains/program/mta.te
--- src.new/policy/domains/program/mta.te 2005-04-29 01:38:24.696744299 +0200
+++ src/policy/domains/program/mta.te 2005-04-07 21:36:53.000000000 +0200
@@ -20,7 +20,18 @@
 # "mail user@domain"
 mail_domain(system)
-ifdef(`targeted_policy', `', `
+ifdef(`targeted_policy', `
+# rules are currently defined in sendmail.te, but it is not included in
+# targeted policy. We could move these rules permanantly here.
+ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')
+allow system_mail_t self:dir { search };
+r_dir_file(system_mail_t, proc_t)
+allow system_mail_t fs_t:filesystem getattr;
+allow system_mail_t { var_t var_spool_t }:dir getattr;
+create_dir_file(system_mail_t, mqueue_spool_t)
+create_dir_file(system_mail_t, mail_spool_t)
+allow system_mail_t mail_spool_t:fifo_file rw_file_perms;
+', `
 ifdef(`sendmail.te', `
 # sendmail has an ugly design, the one process parses input from the user and
 # then does system things with it.
@@ -50,8 +61,7 @@
 allow mta_delivery_agent home_root_t:dir { getattr search };
 # for /var/spool/mail
-ra_dir_file(mta_delivery_agent, mail_spool_t)
-allow mta_delivery_agent mail_spool_t:file create;
+ra_dir_create_file(mta_delivery_agent, mail_spool_t)
 # for piping mail to a command
 can_exec(mta_delivery_agent, shell_exec_t)
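Review bot: `ifdef(`postfix.te', `', `can_exec_any(system_mail_t)')` in the new targeted_policy branch lets the generic mail-client domain execute every executable type on the system whenever the postfix policy is absent, which is far wider than the sendmail-compatible MTA path it appears to exist for. The mta.fc hunk labels /usr/sbin/sendmail.postfix as sendmail_exec_t under the same condition, so something like `ifdef(`postfix.te', `', `can_exec(system_mail_t, sendmail_exec_t)')`, using the can_exec macro already applied to mta_delivery_agent further down, would probably cover that case without granting execution of arbitrary binaries. The block moved here from the end of the file also grows while moving: `r_dir_file(system_mail_t, proc_t)` replaces a plain `proc_t:dir search` plus file read, and `create_dir_file(system_mail_t, mail_spool_t)` and the fifo_file rw_file_perms rule are new, so each widening deserves a line of justification in the comment above it rather than the generic "rules are currently defined in sendmail.te" note. The non-targeted half of this ifdef continues past the hunk.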
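Review bot: `ra_dir_create_file(mta_delivery_agent, mail_spool_t)` stands in for the earlier `ra_dir_file` plus `mail_spool_t:file create` pair, but the macro's expansion is not visible here; if it also grants `create` (or write) on mail_spool_t directories rather than only on files, the delivery agent gains directory creation under the mail spool that the two explicit rules did not allow. Worth confirming against the macro definition and, if the extra permission is intended, saying so in the `# for /var/spool/mail` comment so the next audit does not have to expand the macro again.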
@@ -60,14 +70,5 @@
 allow mta_delivery_agent devtty_t:chr_file rw_file_perms;
 allow mta_delivery_agent { etc_runtime_t proc_t }:file { getattr read };
-# rules are currently defined in sendmail.te, but it is not included in
-# targeted policy. We could move these rules permanantly here.
-ifdef(`targeted_policy', `
-allow system_mail_t self:dir { search };
-allow system_mail_t proc_t:dir search;
-allow system_mail_t proc_t:{ file lnk_file } { getattr read };
-allow system_mail_t fs_t:filesystem getattr;
-allow system_mail_t { var_t var_spool_t }:dir getattr;
-create_dir_file( system_mail_t, mqueue_spool_t)
-')
 allow system_mail_t etc_runtime_t:file { getattr read };
+allow system_mail_t { random_device_t urandom_device_t }:chr_file read;
diff -urdP --new-file src.new/policy/file_contexts/program/mta.fc src/policy/file_contexts/program/mta.fc
--- src.new/policy/file_contexts/program/mta.fc 2005-04-29 01:38:22.585111894 +0200
+++ src/policy/file_contexts/program/mta.fc 2005-04-07 21:36:53.000000000 +0200
@@ -5,3 +5,8 @@
 /etc/aliases\.db -- system_u:object_r:etc_aliases_t
 /var/spool/mail(/.*)? system_u:object_r:mail_spool_t
 /var/mail(/.*)? system_u:object_r:mail_spool_t
+ifdef(`postfix.te', `', `
+/usr/sbin/sendmail.postfix -- system_u:object_r:sendmail_exec_t
+/var/spool/postfix(/.*)? system_u:object_r:mail_spool_t
+')
+
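Review bot: `allow system_mail_t { random_device_t urandom_device_t }:chr_file read;` grants read only, while the neighbouring rules in this hunk for etc_runtime_t and proc_t use `{ getattr read }`; if the mail client stats the device after opening it, as libraries that seed from /dev/urandom commonly do, the missing getattr would show up as an AVC denial even though the read itself succeeds. Consider `{ getattr read }` for consistency with the rest of the file. Note also that this rule sits outside any ifdef, so unlike the targeted-only rules moved to the top of the file in the first hunk it applies to every policy flavour; a short comment naming which part of the mail client reads the entropy devices would make that easier to audit later.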
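Review bot: `/var/spool/postfix(/.*)? system_u:object_r:mail_spool_t` folds postfix's entire queue tree, which for postfix also holds its private sockets rather than just queued messages, into the user-mailbox type whenever postfix.te is absent, so every domain with mail_spool_t access (mta_delivery_agent via ra_dir_create_file, and in targeted policy system_mail_t via the create_dir_file and fifo_file rw rules from the first mta.te hunk) reaches the postfix queue as if it were a mailbox. If mqueue_spool_t, the queue type mta.te already uses, is declared in that configuration, labelling the tree `/var/spool/postfix(/.*)? system_u:object_r:mqueue_spool_t` would keep it separate from user mail; either way a comment explaining why the postfix tree is labelled from mta.fc instead of being left to a postfix file-contexts file would help. The trailing empty `+` line at the end of the file looks unintentional.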