## <summary>Smart Mail Filter milters</summary>

########################################
## <summary>
##	"Smart Mail Filter" suite variant of milter template.
## </summary>
## <param name="milter_name">
##	<summary>
##	The name to be used for deriving type names.
##	</summary>
## </param>
#
template(`smf_milter_template',`

	milter_template(smf_$1)

	# Milters remove any existing socket (not owned by root) whilst running as root
	# and then call setgid() and setuid() to drop privileges
	allow smf_$1_milter_t self:capability { setuid setgid dac_override };

	# Look up username for dropping privs
	auth_use_nsswitch(smf_$1_milter_t)

	# Allow communication with MTA over a unix-domain socket
	# Note: usage with TCP sockets requires additional policy
	manage_sock_files_pattern(smf_$1_milter_t, smfs_milter_data_t, smfs_milter_data_t)

	# Config is in /etc/mail/smfs/smf-*.conf
	mta_read_config(smf_$1_milter_t)

	# Create other data files and directories in the data directory
	manage_files_pattern(smf_$1_milter_t, smfs_milter_data_t, smfs_milter_data_t)
')