However, it isn't even able to invoke the python script. To make it
work, does the policy need to allow postfix_pipe_t to run python?
Yes. It seems like it's currently able to run shells (shell_exec_t).
It doesn't appear that it can run python (bin_t).
The python script isn't that complicated; I could rewrite it in C.
This shouldn't be necessary.
I tried my hand at adding mailman rules to postfix.te:
domain_auto_trans(postfix_pipe_t, mailman_exec_t, mailman_t)
but that doesn't appear to work,
When you say something doesn't work, that
could mean anything - to find
out what is going on, you need to look at the audit log, and see exactly
what is denied. Then you can try to write policy to fix it.
Also, I think enumerating what can be run in the postfix policy is not a
very good idea - there should be a macro instead, to be called by client
domains. The macro would go into postfix.if.
possibly because mailman.te defines
mailman_$1_t, and I don't have any idea what $1 is.
That's probably defined inside an m4 macro of some sort.
$1 expands to the first argument of that macro - it's a variable.
Usually it stands for a "prefix", which most of the time simply means an
SELinux role (user, staff, or sysadm).
To find out for sure you have to grep for that macro, and see what
argument it's called with.
The XML spec in the .if file should explain what each argument stands for.
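As an added example for the advice above about reading the audit log, seeing exactly what is denied, and only then writing policy: the script below is not from this thread or from the SELinux reference policy. It does in miniature what audit2allow does: it picks the denied AVC records out of audit output, merges them per (source type, target type, class), and prints the corresponding allow rules. The audit lines it parses are constructed to match the situation described in the thread (postfix_pipe_t allowed to execute shell_exec_t but denied on bin_t); they are not real log output. The last function flags execute denials on a file type, because in a case like this one the answer is usually a domain transition into the script's own domain (the domain_auto_trans rule the poster tried) rather than a bare allow on bin_t; that heuristic is my own simplification.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the original thread).
# They mirror the poster's situation: postfix_pipe_t may execute
# shell_exec_t but is denied execute/read/getattr on bin_t.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1130000000.100:1): avc:  denied  { execute } for  pid=1234 comm="pipe" name="python" dev=hda1 ino=12345 scontext=system_u:system_r:postfix_pipe_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1130000000.101:2): avc:  denied  { read getattr } for  pid=1234 comm="pipe" name="python" dev=hda1 ino=12345 scontext=system_u:system_r:postfix_pipe_t tcontext=system_u:object_r:bin_t tclass=file
type=AVC msg=audit(1130000000.102:3): avc:  granted  { execute } for  pid=1235 comm="pipe" name="sh" dev=hda1 ino=222 scontext=system_u:system_r:postfix_pipe_t tcontext=system_u:object_r:shell_exec_t tclass=file
type=SYSCALL msg=audit(1130000000.102:3): arch=40000003 syscall=11 success=no exit=-13
"""

# One AVC record: verdict, permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+)"
    r".*?tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """A security context is user:role:type[:level]; the type is the third field."""
    return ctx.split(":")[2]


def parse_avc_denials(log_text):
    """Return (source_type, target_type, tclass, perms) for every denied AVC line.

    Granted AVCs and non-AVC records (SYSCALL, etc.) are skipped.
    """
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("verdict") != "denied":
            continue
        perms = frozenset(m.group("perms").split())
        denials.append((context_type(m.group("scontext")),
                        context_type(m.group("tcontext")),
                        m.group("tclass"),
                        perms))
    return denials


def generate_allow_rules(denials):
    """Merge denials per (source, target, class) and emit allow rules in policy syntax."""
    merged = defaultdict(set)
    for src, tgt, tclass, perms in denials:
        merged[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(merged.items()):
        rules.append("allow %s %s:%s { %s };" % (src, tgt, tclass, " ".join(sorted(perms))))
    return rules


def find_missing_transitions(denials):
    """List (source, target) pairs where a file execute was denied.

    Heuristic (my assumption, not an audit2allow feature): an execute denial
    on a file type usually means the caller should transition into a
    dedicated domain for that executable instead of being allowed to run it
    in its own domain.
    """
    hits = []
    for src, tgt, tclass, perms in denials:
        if tclass == "file" and "execute" in perms and (src, tgt) not in hits:
            hits.append((src, tgt))
    return hits


if __name__ == "__main__":
    found = parse_avc_denials(SAMPLE_AUDIT_LOG)
    for rule in generate_allow_rules(found):
        print(rule)
    for src, tgt in find_missing_transitions(found):
        print("# %s was denied execute on %s: consider a domain transition" % (src, tgt))
```

On a real system you would feed it `ausearch -m avc` output or /var/log/audit/audit.log; the printed allow rule is the raw, least-thought-out fix, and the comment line is the prompt to check whether an interface in postfix.if with a domain transition is the better answer.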