postfix: allow postfix pipe to watch mail spool

type=AVC msg=audit(1719451104.395:18364): avc: denied { watch } for pid=288883 comm="deliver" path="/var/spool/mail/domains/concord.sh/me@concord.sh/mail/dovecot-uidlist.lock" dev="dm-0" ino=17638966 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0 Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-27 13:20:12 -04:00 · 2024-06-27 13:20:12 -04:00 · bfcaec9bab
commit bfcaec9bab
parent 06a80c3d8a
1 changed files with 1 additions and 0 deletions
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@ -615,6 +615,7 @@ optional_policy(`

 optional_policy(`
 	mta_manage_spool(postfix_pipe_t)
+	mta_watch_spool(postfix_pipe_t)
 	mta_send_mail(postfix_pipe_t)
 ')