Postfix folks changed their default configuration in the last update, as explained in http://www.postfix.org/announcements/postfix-2.10.0.html:

"Laptop-friendly configuration. By default, Postfix now uses UNIX-domain sockets instead of FIFOs, and thus avoids MTIME file system updates on an idle mail system."

It results in the following modification in the master.cf:

-pickup fifo n - n 60 1 pickup
+pickup unix n - n 60 1 pickup
 cleanup unix n - n - 0 cleanup
-qmgr fifo n - n 300 1 qmgr
-#qmgr fifo n - n 300 1 oqmgr
+qmgr unix n - n 300 1 qmgr
+#qmgr unix n - n 300 1 oqmgr

As a result, the corresponding fifo/socket changes, e.g.:

before: /var/spool/postfix/public/pickup: fifo (named pipe)
after: /var/spool/postfix/public/pickup: socket

The current selinux module already contains the following rule:

rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t)

After the change, no mail seems to be dropped, but the following line appears in mail.warn on every mail sent locally:

Apr 10 16:35:05 lerya postfix/postdrop[10083]: warning: unable to look up public/pickup: Permission denied
Apr 10 16:35:06 lerya postfix/postdrop[10086]: warning: unable to look up public/pickup: Permission denied
Apr 10 16:41:14 lerya postfix/postdrop[10170]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:00:04 lerya postfix/postdrop[10409]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:00:09 lerya postfix/postdrop[10412]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:35:04 lerya postfix/postdrop[10846]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:35:09 lerya postfix/postdrop[10853]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:35:11 lerya postfix/postdrop[10849]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:45:05 lerya postfix/postdrop[11046]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:45:11 lerya postfix/postdrop[11054]: warning: unable to look up public/pickup: Permission denied
Apr 10 17:45:12 lerya postfix/postdrop[11049]: warning: unable to look up public/pickup: Permission denied

Adding the following rule (I didn't check for proper interfaces) removed those warnings:

allow postfix_postdrop_t postfix_public_t:sock_file getattr;
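Review bot: the pickup and qmgr entries switch their service type from fifo to unix, which turns /var/spool/postfix/public/pickup from a fifo_file into a sock_file as far as SELinux is concerned, so the existing rw_fifo_files_pattern(postfix_postdrop_t, postfix_public_t, postfix_public_t) rule no longer matches the endpoint postdrop stats, and that is exactly the "unable to look up public/pickup: Permission denied" warning in mail.warn; the policy needs a sock_file rule on postfix_public_t next to the fifo one (the ad-hoc "allow postfix_postdrop_t postfix_public_t:sock_file getattr;" is the bare minimum, a sock_file pattern macro mirroring the fifo one keeps the policy consistent with how the other domains are written).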
Thanks, added in an rw_sock_files_pattern() call (which includes getattr). From the other domains (and the existing rw_fifo_files_pattern) I think that's better than only allowing getattr... Is in repo, will be in rev 13
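The two steps in this thread (check what public/pickup actually is on disk, then pick the pattern macro whose object class matches, and recognise the postdrop warning that signals the mismatch) as an added, self-contained example. This is not code from the Gentoo bug or from the SELinux policy; it assumes only the two refpolicy macro names already named above (rw_fifo_files_pattern, rw_sock_files_pattern) and constructs its own throwaway FIFO, socket and log lines so it runs offline:

```python
"""Added example: map a Postfix public/ endpoint's inode type to the SELinux
object class and refpolicy pattern that must cover it, and spot the postdrop
symptom in mail.warn lines.  Not part of the bug thread or the policy."""
import os
import re
import socket
import stat
import tempfile

# SELinux object class -> refpolicy pattern macro that grants read/write on
# that class (rw_*_files_pattern includes getattr).  The macro names are the
# ones used in the thread; the mapping itself belongs to this example.
PATTERN_FOR_CLASS = {
    "fifo_file": "rw_fifo_files_pattern",
    "sock_file": "rw_sock_files_pattern",
}


def selinux_object_class(path):
    """Return the SELinux object class a file rule needs for this inode."""
    mode = os.lstat(path).st_mode
    if stat.S_ISSOCK(mode):
        return "sock_file"
    if stat.S_ISFIFO(mode):
        return "fifo_file"
    if stat.S_ISDIR(mode):
        return "dir"
    if stat.S_ISREG(mode):
        return "file"
    return "other"


def policy_line(path, source_type, dir_type, file_type):
    """Emit the pattern call that matches what is actually on disk.

    A FIFO (pre-2.10 layout) yields rw_fifo_files_pattern(...); a UNIX socket
    (2.10 layout) yields rw_sock_files_pattern(...).  Anything else is an error
    rather than a silently wrong rule.
    """
    cls = selinux_object_class(path)
    macro = PATTERN_FOR_CLASS.get(cls)
    if macro is None:
        raise ValueError(f"{path}: {cls} is neither a FIFO nor a socket")
    return f"{macro}({source_type}, {dir_type}, {file_type})"


# postdrop's warning when its stat() of the trigger endpoint is refused.
POSTDROP_DENIAL = re.compile(
    r"postfix/postdrop\[(?P<pid>\d+)\]: warning: unable to look up "
    r"(?P<endpoint>\S+): Permission denied"
)


def postdrop_lookup_denials(log_lines):
    """Return [(pid, endpoint)] for every postdrop lookup denial in the log."""
    found = []
    for line in log_lines:
        m = POSTDROP_DENIAL.search(line)
        if m:
            found.append((int(m.group("pid")), m.group("endpoint")))
    return found


# Three lines copied from the report plus one constructed, unrelated smtpd
# line, so the detector can be exercised without a real mail.warn.
SAMPLE_MAIL_WARN = [
    "Apr 10 16:35:05 lerya postfix/postdrop[10083]: warning: unable to look up public/pickup: Permission denied",
    "Apr 10 16:35:06 lerya postfix/postdrop[10086]: warning: unable to look up public/pickup: Permission denied",
    "Apr 10 16:40:00 lerya postfix/smtpd[10100]: connect from localhost[127.0.0.1]",
    "Apr 10 16:41:14 lerya postfix/postdrop[10170]: warning: unable to look up public/pickup: Permission denied",
]


def make_demo_endpoints():
    """Create a throwaway public/ directory holding a FIFO (old layout) and a
    UNIX socket (2.10 layout); return (fifo_path, socket_path)."""
    public = tempfile.mkdtemp(prefix="postfix-public-")
    fifo = os.path.join(public, "pickup.fifo")
    os.mkfifo(fifo)
    sock_path = os.path.join(public, "pickup")
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    s.bind(sock_path)  # the socket file stays on disk after close()
    s.close()
    return fifo, sock_path


if __name__ == "__main__":
    for p in make_demo_endpoints():
        print(p, "->", policy_line(p, "postfix_postdrop_t",
                                   "postfix_public_t", "postfix_public_t"))
    for pid, endpoint in postdrop_lookup_denials(SAMPLE_MAIL_WARN):
        print(f"postdrop[{pid}] was denied getattr on {endpoint}")
```

On a live host the same check is `stat -c %F /var/spool/postfix/public/pickup` followed by a look at the policy: if the answer is "socket" but the only rule on postfix_public_t is a fifo_file one, the warning above is the expected result.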
In main tree, ~arch'ed (20130424-r1 release)
Now stable in repo