What were you trying to do that didn't work?

Hi guys.

Perhaps introduction of new sebools could be a saviour, for these:

SELinux is preventing /usr/sbin/postdrop from write access on the fifo_file /var/spool/postfix/pipe:[4675943]. For complete SELinux messages run: sealert -l 66b3add6-9242-49ce-b1e1-d84038ce749a

SELinux is preventing /usr/sbin/postdrop from write access on the fifo_file fifo_file. For complete SELinux messages run: sealert -l 51a4b053-c7cc-43aa-8631-b46554d906fb

...

• • • • •  Plugin leaks (86.2 confidence) suggests   *****************************

If you want to ignore postdrop trying to write access the fifo_file fifo_file, because you believe it should not need this access.
Then you should report this as a bug.  
You can generate a local policy module to dontaudit this access.
Do

1. ausearch -x /usr/sbin/postdrop --raw | audit2allow -D -M my-postdrop
2. semodule -X 300 -i my-postdrop.pp

• • • • •  Plugin catchall (14.7 confidence) suggests   **************************

If you believe that postdrop should be allowed write access on the fifo_file fifo_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:

1. ausearch -c 'postdrop' --raw | audit2allow -M my-postdrop
2. semodule -X 300 -i my-postdrop.pp

Additional Information:
Source Context                system_u:system_r:postfix_postdrop_t:s0
Target Context                system_u:system_r:cluster_t:s0
Target Objects                fifo_file [ fifo_file ]
Source                        postdrop
Source Path                   /usr/sbin/postdrop
Port                          <Unknown>
Host                          dzien.mine.priv
Source RPM Packages           postfix-3.5.9-24.el9.x86_64
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-38.1.27-1.el9.noarch
Local Policy RPM              selinux-policy-targeted-38.1.27-1.el9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     dzien.mine.priv
Platform                      Linux dzien.mine.priv 5.14.0-391.el9.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Tue Nov 28 20:35:49 UTC 2023
                              x86_64 x86_64
Alert Count                   13525
First Seen                    2023-12-07 12:18:08 CET
Last Seen                     2023-12-13 15:17:11 CET
Local ID                      51a4b053-c7cc-43aa-8631-b46554d906fb

Raw Audit Messages
type=AVC msg=audit(1702477031.549:25310): avc:  denied  { write } for  pid=469848 comm="postdrop" path="pipe:[1449476]" dev="pipefs" ino=1449476 scontext=system_u:system_r:postfix_postdrop_t:s0 tcontext=system_u:system_r:cluster_t:s0 tclass=fifo_file permissive=0

type=SYSCALL msg=audit(1702477031.549:25310): arch=x86_64 syscall=execve success=yes exit=0 a0=55b22cc69270 a1=55b22cc692a0 a2=55b22cc68770 a3=55b22cc6b940 items=0 ppid=469847 pid=469848 auid=4294967295 uid=189 gid=189 euid=189 suid=189 fsuid=189 egid=90 sgid=90 fsgid=90 tty=(none) ses=4294967295 comm=postdrop exe=/usr/sbin/postdrop subj=system_u:system_r:postfix_postdrop_t:s0 key=(null)

Hash: postdrop,postfix_postdrop_t,cluster_t,fifo_file,write

perhaps even more - should be easy to reproduce

Please provide the package NVR for which bug is seen:

selinux-policy-38.1.27-1.el9.noarch

How reproducible:

Steps to reproduce

Expected results

Actual results