Looking at the policy, postfix_pipe_t is able to write to postfix_spool_t
or postfix_var_run_t, so you could change the labeling of the file to
one of those contexts.
I realized that postfix_pipe_t (the postfix/pipe command actually runs
under the postfix_pipe_exec_t context) cannot do write, add_name,
remove_name and unlink on either postfix_spool_t or postfix_var_run_t,
therefore I had to set it myself.

I'll summarize what I've done:

1 - I put my db in /var/spool/postfix/vacation
2 - chcon -u system_u -r object_r -t postfix_spool_t -R /var/spool/postfix/vacation
3 - chown -R postfix:vacation /var/spool/postfix/vacation
4 - I created vacation.te:

    module vacationpolicy 1.0;

    require {
        type postfix_pipe_t;
        type postfix_spool_t;
        class dir { write remove_name add_name };
        class file { create unlink };
    }

    #============= postfix_pipe_t ==============
    # Let the pipe delivery agent add and remove entries in the spool directory
    allow postfix_pipe_t postfix_spool_t:dir { write remove_name add_name };
    # Let it create and delete files there
    allow postfix_pipe_t postfix_spool_t:file { create unlink };

5 - I created a package and installed it

It worked.

Thanks for your help!

Fabrizio
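
The steps above as one script, added here as an example and not part of the original message. It assumes the policy source is saved as vacation.te in the current directory and an MLS-enabled policy (hence checkmodule -M); the semanage/restorecon pair is a swapped-in alternative to the chcon in step 2 that records the label so it survives a relabel. The function names and the DRY_RUN switch are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
DRY_RUN="${DRY_RUN:-1}"
DB_DIR=/var/spool/postfix/vacation   # directory from step 1
MODULE=vacationpolicy                # must match the "module" line in vacation.te

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Persistent form of step 2: store the label in the file-context database,
# then apply it to the directory tree.
label_db_dir() {
    run semanage fcontext -a -t postfix_spool_t "${DB_DIR}(/.*)?" &&
    run restorecon -R "$DB_DIR"
}

# Step 5: compile vacation.te, wrap it in a policy package, load it.
build_and_install() {
    run checkmodule -M -m -o "${MODULE}.mod" vacation.te &&
    run semodule_package -o "${MODULE}.pp" -m "${MODULE}.mod" &&
    run semodule -i "${MODULE}.pp"
}

deploy() {
    label_db_dir && build_and_install
}

deploy
```

Review the printed plan first, then run it again as root with DRY_RUN=0; `semodule -l | grep vacationpolicy` confirms the module is loaded.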