Looking at the policy, postfix_pipe_t is able to write to postfix_spool_t or postfix_var_run_t, so you could change the labeling of the file to one of those contexts.
I realized that postfix_pipe_t (the postfix/pipe command actually runs under the postfix_pipe_exec_t context) cannot do write, add_name, remove_name and unlink on either postfix_spool_t or postfix_var_run_t, therefore I had to set it myself.
I'll summarize what I've done:
1 - I put my db in /var/spool/postfix/vacation
2 - chcon -u system_u -r object_r -t postfix_spool_t -R /var/spool/postfix/vacation
3 - chown -R postfix:vacation /var/spool/postfix/vacation
4 - I created vacation.te:

module vacationpolicy 1.0;

require {
    type postfix_pipe_t;
    type postfix_spool_t;
    class dir { write remove_name add_name };
    class file { create unlink };
}

#============= postfix_pipe_t ==============
allow postfix_pipe_t postfix_spool_t:dir { write remove_name add_name };
allow postfix_pipe_t postfix_spool_t:file { create unlink };

5 - I created a package and installed it
It worked
Thanks for your help!
Fabrizio
selinux@lists.fedoraproject.org
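
The last two steps of the message above (write vacation.te, then package and install it), as an added shell example that is not part of the original post: it lists what the module grants so the scope can be checked before installation, then builds it. The helper names `sample_te`, `list_grants`, `check_scope` and `build_and_install` are hypothetical, the module text is copied from the post, and the parser assumes each allow rule sits on a single line.

```shell
#!/bin/sh
# Added example, not the poster's own script. Helper names are hypothetical.

# The module from the post, embedded so the review step runs offline.
sample_te() {
cat <<'EOF'
module vacationpolicy 1.0;
require {
    type postfix_pipe_t;
    type postfix_spool_t;
    class dir { write remove_name add_name };
    class file { create unlink };
}
#============= postfix_pipe_t ==============
allow postfix_pipe_t postfix_spool_t:dir { write remove_name add_name };
allow postfix_pipe_t postfix_spool_t:file { create unlink };
EOF
}

# Print one "source target class permission" line per permission granted.
# Assumes single-line allow rules of the form: allow S T:class { perms };
list_grants() {
    awk '{ sub(/#.*/, ""); gsub(/[{};]/, " ") }
         $1 == "allow" {
             split($3, tc, ":")
             for (i = 4; i <= NF; i++) print $2, tc[1], tc[2], $i
         }' "$1"
}

# Succeed only if every grant goes from domain $2 to type $3.
check_scope() {
    list_grants "$1" | awk -v s="$2" -v t="$3" '
        $1 != s || $2 != t { bad = 1; print "unexpected grant: " $0 }
        END { exit bad + 0 }'
}

# Compile NAME.te, package it and load it (needs root and the SELinux tools).
build_and_install() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Review step on the embedded module; prints the five grants.
demo_te=$(mktemp)
sample_te > "$demo_te"
list_grants "$demo_te"
rm -f "$demo_te"
```

On the mail host, the order is `check_scope vacation.te postfix_pipe_t postfix_spool_t && build_and_install vacation`, with vacation.te in the current directory.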