When postfix starts up, it calls the post-install script inside /usr/libexec/postfix. This script has some logic to validate if a minimum set of parameters is defined in the configuration file (main.cf) and, if not, will write the default value of those parameters in the main configuration file. The list of parameters is defined in the MOST_PARAMETERS variable inside this script.

One of those parameters is "shlib_directory" which has the following value:

shlib_directory = /usr/lib64/postfix/${mail_version}

The check in post-install evaluates the key and value which, given the $ sign, always misses. As a result, this code is always triggered and on start-up it always rewrites the main.cf file.

For security reasons, many people will not want the daemons to write their own configuration file. With the default SELinux policy, this is also not allowed. Sadly, this results in postfix on SELinux systems refusing to start.

I personally removed shlib_directory from MOST_PARAMETERS to quickly resolve it (I would rather not hardcode the mail_version as that changes with every postfix upgrade) although it is probably preferred to fix the check so that ${mail_version} is not evaluated itself.

Reproducible: Always
I misinterpreted the reason why it writes - apparently if all the values are default, it will not force-write the settings. However, because of shlib_directory it always finds that there is a deviation and writes it. If I remove shlib_directory from MOST_PARAMETERS none of them are force-written to the main.cf file (as they are all default values).
This bug was fixed upstream in Postfix 3.0.1: <http://www.postfix.org/announcements/postfix-3.0.1.html>.
I can verify that 3.0.1 starts properly.
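The failure class described in the original report, as an added illustration that is not part of this thread and does not reproduce the Postfix post-install script: a default-value check that lets the shell expand `${mail_version}` on one side of the comparison never matches the literal text stored in main.cf. The function names, the sample main.cf line and the use of `eval` as the expansion mechanism are assumptions made for the example.

```shell
#!/bin/sh
# Constructed illustration; NOT the Postfix post-install script.
# Default value as quoted in the report, kept literal with single quotes.
DEFAULT_SHLIB='/usr/lib64/postfix/${mail_version}'

# Constructed sample main.cf that already holds the literal default.
sample_main_cf() {
    printf '%s\n' 'shlib_directory = /usr/lib64/postfix/${mail_version}'
}

# Read the raw (unexpanded) value of parameter $1 from main.cf text on stdin.
get_param() {
    sed -n "s/^$1[[:space:]]*=[[:space:]]*//p" | tail -n 1
}

# Flawed check (assumed mechanism): the expected value goes through the shell
# once more, so ${mail_version} expands (here to an empty string) and the
# comparison with the literal text in main.cf always reports a deviation.
needs_rewrite_flawed() {
    current=$(sample_main_cf | get_param shlib_directory)
    eval "expected=\"$DEFAULT_SHLIB\""
    [ "$current" != "$expected" ]
}

# Corrected check: compare the two literal strings with no shell expansion,
# so a main.cf that already holds the default is left alone.
needs_rewrite_fixed() {
    current=$(sample_main_cf | get_param shlib_directory)
    [ "$current" != "$DEFAULT_SHLIB" ]
}

if needs_rewrite_flawed; then
    echo "flawed check: deviation reported, main.cf would be rewritten"
fi
if ! needs_rewrite_fixed; then
    echo "fixed check: value matches default, main.cf left untouched"
fi
```

On a host where the daemon is not permitted to write its own configuration, only the second form lets start-up proceed without a write attempt.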