The postmap application is used by postfix admins to regenerate databases, like so:

~# postmap hash:/etc/postfix/hold

However, in the current policy, output of the postmap command (postfix_map_t) is not allowed to be sent to user terminals. It requires the following additions:

+ domain_use_interactive_fds(postfix_map_t)
+ userdom_use_user_terminals(postfix_map_t)

Next to this, the postmap application needs library access to /usr/lib64/postfix/3.0.0/libpostfix-*. By default, those are labeled as postfix_exec_t. This is plain wrong; libraries should be of a library type. Removing the /usr/lib/postfix/.* catchall fixes this.

Reproducible: Always
Fixed in repo, will be in rev 6
r6 policy is in ~arch
Now stable