From 0febf90353e67ab8fc20bbfeb899e708fe8f1433 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 4 Dec 2023 13:54:39 +0100
Subject: [PATCH] Allow postfix-master map postfix data files

The commit addresses the following AVC denial:
Nov 03 16:25:28 audit[294288]: AVC avc:  denied  { map } for  pid=294288 comm="postscreen" path="/var/lib/postfix/postscreen_cache.lmdb" dev="dm-1" ino=25200449 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:postfix_data_t:s0 tclass=file permissive=0

Resolves: rhbz#2247848
---
 policy/modules/contrib/postfix.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/postfix.te b/policy/modules/contrib/postfix.te
index cd8729673e..36fa0589c8 100644
--- a/policy/modules/contrib/postfix.te
+++ b/policy/modules/contrib/postfix.te
@@ -124,7 +124,7 @@ mta_filetrans_aliases(postfix_master_t, postfix_etc_t)
 can_exec(postfix_master_t, postfix_exec_t)
 
 allow postfix_master_t postfix_data_t:dir manage_dir_perms;
-allow postfix_master_t postfix_data_t:file manage_file_perms;
+allow postfix_master_t postfix_data_t:file { manage_file_perms map };
 
 allow postfix_master_t postfix_keytab_t:file read_file_perms;