diff --git a/policy/modules/services/apache.te b/policy/modules/services/apache.te
index e2c50da23..5587583a1 100644
--- a/policy/modules/services/apache.te
+++ b/policy/modules/services/apache.te
@@ -896,6 +896,14 @@ optional_policy(`
 	snmp_dontaudit_write_snmp_var_lib_files(httpd_t)
 ')
 
+optional_policy(`
+	sympa_manage_runtime_sock_files(httpd_t)
+	sympa_map_var_files(httpd_t)
+	sympa_read_conf(httpd_t)
+	sympa_read_var_files(httpd_t)
+')
+
+
 ########################################
 #
 # Helper local policy
@@ -1237,6 +1245,8 @@ files_read_var_symlinks(httpd_sys_script_t)
 files_search_var_lib(httpd_sys_script_t)
 files_search_spool(httpd_sys_script_t)
 
+miscfiles_read_generic_certs(httpd_sys_script_t)
+
 apache_domtrans_rotatelogs(httpd_sys_script_t)
 
 auth_use_nsswitch(httpd_sys_script_t)
@@ -1319,6 +1329,11 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	sympa_manage_var_files(httpd_sys_script_t)
+	sympa_read_conf(httpd_sys_script_t)
+')
+
 ########################################
 #
 # Rotatelogs local policy
diff --git a/policy/modules/services/exim.te b/policy/modules/services/exim.te
index 1aab4002c..5e001b37b 100644
--- a/policy/modules/services/exim.te
+++ b/policy/modules/services/exim.te
@@ -250,3 +250,9 @@ optional_policy(`
 	spamassassin_exec(exim_t)
 	spamassassin_exec_client(exim_t)
 ')
+
+optional_policy(`
+	# each of these should probably be for mailserver_delivery or mailserver_domain
+	sympa_append_inherited_var_files(exim_t)
+	sympa_read_var_files(exim_t)
+')
diff --git a/policy/modules/services/mta.if b/policy/modules/services/mta.if
index 779c9a971..a20b2c09d 100644
--- a/policy/modules/services/mta.if
+++ b/policy/modules/services/mta.if
@@ -805,6 +805,26 @@ interface(`mta_read_spool_symlinks',`
 	allow $1 mail_spool_t:lnk_file read;
 ')
 
+#######################################
+## <summary>
+##	read and write fifo files inherited from delivery domains
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to use fifo files
+##	</summary>
+## </param>
+#
+interface(`mta_rw_inherited_delivery_pipes',`
+	gen_require(`
+		attribute mailserver_delivery;
+	')
+
+	allow $1 mailserver_delivery:fd use;
+	allow $1 mailserver_delivery:fifo_file rw_inherited_fifo_file_perms;
+')
+
+
 #######################################
 ## <summary>
 ##	Do not audit attempts to read
diff --git a/policy/modules/services/mta.te b/policy/modules/services/mta.te
index d4569fce2..817cbfe49 100644
--- a/policy/modules/services/mta.te
+++ b/policy/modules/services/mta.te
@@ -297,6 +297,11 @@ optional_policy(`
 	smartmon_read_tmp_files(system_mail_t)
 ')
 
+optional_policy(`
+	sympa_append_inherited_var_files(system_mail_t)
+	symba_dontaudit_rw_inherited_tcp_sockets(system_mail_t)
+')
+
 optional_policy(`
 	unconfined_use_fds(system_mail_t)
 ')
@@ -387,6 +392,11 @@ optional_policy(`
 	postfix_rw_inherited_master_pipes(mailserver_delivery)
 ')
 
+optional_policy(`
+	symba_dontaudit_rw_inherited_tcp_sockets(mailserver_delivery)
+	sympa_domtrans(mailserver_delivery)
+')
+
 optional_policy(`
 	uucp_domtrans_uux(mailserver_delivery)
 ')
diff --git a/policy/modules/services/sympa.fc b/policy/modules/services/sympa.fc
new file mode 100644
index 000000000..c40da944e
--- /dev/null
+++ b/policy/modules/services/sympa.fc
@@ -0,0 +1,9 @@
+/etc/mail/sympa(/.*)?		gen_context(system_u:object_r:sympa_etc_t,s0)
+/etc/sympa(/.*)?		gen_context(system_u:object_r:sympa_etc_t,s0)
+
+/run/sympa(/.*)?		gen_context(system_u:object_r:sympa_runtime_t,s0)
+
+/usr/lib/sympa/bin/.*	--	gen_context(system_u:object_r:sympa_exec_t,s0)
+
+/var/lib/sympa(/.*)?		gen_context(system_u:object_r:sympa_var_t,s0)
+/var/spool/sympa(/.*)?		gen_context(system_u:object_r:sympa_var_t,s0)
diff --git a/policy/modules/services/sympa.if b/policy/modules/services/sympa.if
new file mode 100644
index 000000000..79ed3b2a8
--- /dev/null
+++ b/policy/modules/services/sympa.if
@@ -0,0 +1,190 @@
+## <summary>Sympa mailing list manager</summary>
+## <desc>
+## Sympa is a popular mailing list manager.
+## https://www.sympa.org/
+## </desc>
+
+########################################
+## <summary>
+##      Allow appending to sympa_var_t (for error log)
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sympa_append_inherited_var_files',`
+	gen_require(`
+		type sympa_t, sympa_var_t;
+	')
+
+        allow $1 sympa_t:fd use;
+	allow $1 sympa_var_t:file append_inherited_file_perms;
+')
+
+########################################
+## <summary>
+##      Allow reading sympa_var_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sympa_read_var_files',`
+	gen_require(`
+		type sympa_var_t;
+	')
+
+	allow $1 sympa_var_t:dir list_dir_perms;
+	allow $1 sympa_var_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##      Allow managing sympa_var_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sympa_manage_var_files',`
+	gen_require(`
+		type sympa_var_t;
+	')
+
+        manage_files_pattern($1, sympa_var_t, sympa_var_t)
+')
+
+########################################
+## <summary>
+##      Allow mapping sympa_var_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sympa_map_var_files',`
+	gen_require(`
+		type sympa_var_t;
+	')
+
+	allow $1 sympa_var_t:file map;
+')
+
+########################################
+## <summary>
+##      Transition to sympa_t when executing sympa_exec_t
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sympa_domtrans',`
+	gen_require(`
+		type sympa_exec_t, sympa_t;
+	')
+
+	domain_auto_transition_pattern($1, sympa_exec_t, sympa_t)
+')
+
+########################################
+## <summary>
+##      Dontaudit access to inherited sympa tcp sockets
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit
+##      </summary>
+## </param>
+#
+interface(`symba_dontaudit_rw_inherited_tcp_sockets',`
+	gen_require(`
+		type sympa_t;
+	')
+
+	dontaudit $1 sympa_t:tcp_socket { read write };
+')
+
+########################################
+## <summary>
+##	Allow reading sympa config files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow
+##      </summary>
+## </param>
+#
+interface(`sympa_read_conf',`
+	gen_require(`
+		type sympa_etc_t;
+	')
+
+	allow $1 sympa_etc_t:dir list_dir_perms;
+	allow $1 sympa_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow rw sympa runtime dirs and manage sympa runtime files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow
+##      </summary>
+## </param>
+#
+interface(`sympa_manage_runtime_files',`
+	gen_require(`
+		type sympa_runtime_t;
+	')
+
+	allow $1 sympa_runtime_t:dir rw_dir_perms;
+	allow $1 sympa_runtime_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+##	Allow rw sympa runtime dirs and manage sympa runtime sock files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow
+##      </summary>
+## </param>
+#
+interface(`sympa_manage_runtime_sock_files',`
+	gen_require(`
+		type sympa_runtime_t;
+	')
+
+	allow $1 sympa_runtime_t:dir rw_dir_perms;
+	allow $1 sympa_runtime_t:sock_file { setattr create unlink write };
+')
+
+########################################
+## <summary>
+##	Allow domain to connect to sympa socket
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to allow
+##      </summary>
+## </param>
+#
+interface(`sympa_connect_runtime_sock_files',`
+	gen_require(`
+		type sympa_t;
+	')
+
+	allow $1 sympa_t:unix_stream_socket connectto;
+')
diff --git a/policy/modules/services/sympa.te b/policy/modules/services/sympa.te
new file mode 100644
index 000000000..b2aea679d
--- /dev/null
+++ b/policy/modules/services/sympa.te
@@ -0,0 +1,87 @@
+policy_module(sympa)
+
+########################################
+#
+# Declarations
+#
+
+type sympa_t;
+type sympa_exec_t;
+init_daemon_domain(sympa_t, sympa_exec_t)
+
+type sympa_etc_t;
+files_config_file(sympa_etc_t)
+
+type sympa_runtime_t;
+files_runtime_file(sympa_runtime_t)
+
+type sympa_tmp_t;
+files_tmp_file(sympa_tmp_t)
+
+type sympa_var_t;
+files_type(sympa_var_t)
+
+########################################
+#
+# Local policy
+#
+
+allow sympa_t self:capability { chown dac_override setgid setuid };
+allow sympa_t self:fifo_file rw_fifo_file_perms;
+allow sympa_t self:tcp_socket create_socket_perms;
+allow sympa_t self:unix_dgram_socket create_socket_perms;
+allow sympa_t self:process signull;
+
+allow sympa_t sympa_etc_t:dir list_dir_perms;
+allow sympa_t sympa_etc_t:file read_file_perms;
+
+allow sympa_t sympa_runtime_t:dir manage_dir_perms;
+allow sympa_t sympa_runtime_t:file manage_file_perms;
+allow sympa_t sympa_runtime_t:sock_file manage_sock_file_perms;
+
+allow sympa_t sympa_var_t:dir manage_dir_perms;
+allow sympa_t sympa_var_t:file manage_file_perms;
+
+allow sympa_t sympa_tmp_t:file manage_file_perms;
+files_tmp_filetrans(sympa_t, sympa_tmp_t, { file })
+
+can_exec(sympa_t, sympa_exec_t)
+
+auth_dontaudit_read_shadow(sympa_t)
+
+# for setting SE Linux context in systemd unit file
+corecmd_bin_entry_type(sympa_t)
+
+corecmd_exec_bin(sympa_t)
+corecmd_exec_shell(sympa_t)
+
+dev_read_urand(sympa_t)
+
+files_read_etc_files(sympa_t)
+files_read_usr_files(sympa_t)
+files_search_spool(sympa_t)
+files_search_var_lib(sympa_t)
+
+kernel_read_kernel_sysctls(sympa_t)
+
+logging_send_syslog_msg(sympa_t)
+
+miscfiles_read_generic_certs(sympa_t)
+miscfiles_read_localization(sympa_t)
+
+sysnet_read_config(sympa_t)
+
+optional_policy(`
+	apache_search_sys_scripts(sympa_t)
+')
+
+optional_policy(`
+	mta_read_config(sympa_t)
+	mta_send_mail(sympa_t)
+	mta_rw_inherited_delivery_pipes(sympa_t)
+')
+
+optional_policy(`
+	mysql_tcp_connect(sympa_t)
+	mysql_stream_connect(sympa_t)
+')
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 341763730..cf7ef1721 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1069,7 +1069,7 @@ interface(`logging_append_all_inherited_logs',`
 		attribute logfile;
 	')
 
-	allow $1 logfile:file { getattr append ioctl lock };
+	allow $1 logfile:file append_inherited_file_perms;
 ')
 
 ########################################
diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 804a01b46..e62863f6f 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -155,6 +155,7 @@ define(`mmap_read_file_perms',`{ getattr open map read ioctl }')
 define(`mmap_exec_inherited_file_perms',`{ getattr map read execute ioctl }')
 define(`mmap_exec_file_perms',`{ getattr open map read execute ioctl }')
 define(`exec_file_perms',`{ getattr open map read execute ioctl execute_no_trans }')
+define(`append_inherited_file_perms',`{ getattr append lock ioctl }')
 define(`append_file_perms',`{ getattr open append lock ioctl }')
 define(`write_inherited_file_perms',`{ getattr write append lock ioctl }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')