IIRC this is not entirely possible.
ICMP packets like port unreachables contain the original packet information inside and are matched against the outbound session so would not be matching an ICMP policy.
So an ICMP port unreachable for a syslog packet sent to a server which had the syslog service disabled would match syslog policy and session that allowed the packet through and not ICMP policy.
Laters
Ben