Running "postfix set-permissions" results in the following log entries:

type=AVC msg=audit(1284456712.787:5563): avc: denied { execute } for pid=11266 comm="postfix-script" name="post-install" dev=dm-0 ino=1147458 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1284456712.787:5563): arch=40000003 syscall=11 success=no exit=-13 a0=8c1d230 a1=8c1d308 a2=8c12e98 a3=0 items=0 ppid=11265 pid=11266 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=875 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)
type=AVC msg=audit(1284456712.787:5564): avc: denied { execute } for pid=11266 comm="postfix-script" name="post-install" dev=dm-0 ino=1147458 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1284456712.787:5564): arch=40000003 syscall=33 success=no exit=-13 a0=8c1d230 a1=1 a2=11 a3=8c1d230 items=0 ppid=11265 pid=11266 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=875 comm="postfix-script" exe="/bin/bash" subj=user_u:system_r:postfix_master_t:s0 key=(null)
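The audit records in the report above pair each AVC denial with the SYSCALL record that shares its serial number. The following is an added example, not part of the original report or of any Red Hat tooling: it groups such records by serial and collapses repeated denials into one line per source type, target type, class, permission and object name. The function names are hypothetical, and the sample input is the report's own four records with the SYSCALL lines trimmed.

```python
import re
from collections import defaultdict

# The two audit events from the report (SYSCALL records trimmed to the fields used here).
SAMPLE = """\
type=AVC msg=audit(1284456712.787:5563): avc: denied { execute } for pid=11266 comm="postfix-script" name="post-install" dev=dm-0 ino=1147458 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1284456712.787:5563): arch=40000003 syscall=11 success=no exit=-13 ppid=11265 pid=11266 comm="postfix-script" exe="/bin/bash"
type=AVC msg=audit(1284456712.787:5564): avc: denied { execute } for pid=11266 comm="postfix-script" name="post-install" dev=dm-0 ino=1147458 scontext=user_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1284456712.787:5564): arch=40000003 syscall=33 success=no exit=-13 ppid=11265 pid=11266 comm="postfix-script" exe="/bin/bash"
"""

RECORD = re.compile(r"type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial number: one event carries the AVC and its SYSCALL."""
    events = defaultdict(lambda: {"AVC": [], "SYSCALL": {}})
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        denied = DENIED.search(body)
        if rtype == "AVC" and denied:
            fields["perms"] = denied.group(1).split()
            events[int(serial)]["AVC"].append(fields)
        elif rtype == "SYSCALL":
            events[int(serial)]["SYSCALL"] = fields
    return events

def summarize(text):
    """Map each unique (source type, target type, class, perm, name) to its syscall numbers."""
    summary = defaultdict(set)
    for event in parse_events(text).values():
        for avc in event["AVC"]:
            # A context is user:role:type:level; the type is what policy rules match on.
            stype, ttype = (c.split(":")[2] for c in (avc["scontext"], avc["tcontext"]))
            for perm in avc["perms"]:
                hits = summary[(stype, ttype, avc["tclass"], perm, avc.get("name"))]
                if "syscall" in event["SYSCALL"]:
                    hits.add(int(event["SYSCALL"]["syscall"]))
    return {key: sorted(nums) for key, nums in summary.items()}

if __name__ == "__main__":
    for key, syscalls in summarize(SAMPLE).items():
        print(key, "syscalls:", syscalls)
```

Both events reduce to a single denial: postfix_master_t was refused execute on the postfix_etc_t file post-install. On i386 (arch=40000003) syscall 11 is execve and 33 is access, so the shell first tried to run the script and then probed whether it was executable.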
Fixed in selinux-policy-2.4.6-291.el5
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
With SELinux running in the enforcing mode, using the "postfix set-permissions" command failed with the following error message:

/etc/postfix/postfix-script: line 263: /etc/postfix/post-install: Permission denied

With this update, the "postfix_domtrans_master(unconfined_t)" transition has been removed, and the above command no longer fails to run.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html