stray procmail execs

refpolicy/policy/modules/services/mta.if

@@ -145,11 +145,11 @@ template(`mta_per_userdomain_template',`
 		postfix_list_spool($1_mail_t)
 	')
 
-	ifdef(`TODO',`
 	optional_policy(`procmail.te',`
-		procmail_execute($1_mail_t)
+		procmail_exec($1_mail_t)
 	')
 
+	ifdef(`TODO',`
 	# Read user temporary files.
 	allow $1_mail_t $1_tmp_t:file r_file_perms;
 	dontaudit $1_mail_t $1_tmp_t:file append;

refpolicy/policy/modules/services/mta.te

@@ -1,5 +1,5 @@
 
-policy_module(mta,1.0)
+policy_module(mta,1.0.1)
 
 ########################################
 #
@@ -207,6 +207,10 @@ optional_policy(`postfix.te',`
 	type_transition postfix_master_t postfix_etc_t:dir etc_aliases_t;
 ')
 
+optional_policy(`procmail.te',`
+	procmail_exec(system_mail_t)
+')
+
 optional_policy(`sendmail.te',`
 	sendmail_stub(system_mail_t)
 
@@ -222,10 +226,6 @@ optional_policy(`sendmail.te',`
 ')
 
 ifdef(`TODO',`
-optional_policy(`procmail.te',`
-	procmail_exec(system_mail_t)
-')
-
 optional_policy(`sendmail.te',`
 	allow system_mail_t { var_t var_spool_t }:dir getattr;
 	dontaudit system_mail_t userpty_type:chr_file { getattr read write };

refpolicy/policy/modules/services/procmail.if

@@ -22,3 +22,21 @@ interface(`procmail_domtrans',`
 	allow procmail_t $1:fifo_file rw_file_perms;
 	allow procmail_t $1:process sigchld;
 ')
+
+########################################
+## <summary>
+##	Execute procmail in the caller domain.
+## </summary>
+## <param name="domain">
+##	Domain allowed access.
+## </param>
+#
+interface(`procmail_exec',`
+	gen_require(`
+		type procmail_exec_t;
+	')
+
+	files_search_usr($1)
+	corecmd_search_bin($1)
+	can_exec($1,procmail_exec_t)
+')