I’ve been moving email off of Google recently to the excellent service by Hey. But the temporary forwarding solution hit a snag with lots of apparently simple “Permission denied” messages.

postfix/bounce[26281]: fatal: open lock file pid/unix.bounce: cannot open file: Permission denied

Even with my [extremely] rusty tech skills I figured I could fix this one. postfix set-permissions is simple enough. Only, this didn’t fix it. A quick search showed a few promising results — it’s an SELinux problem. Almost every result therefore said setenforce 0 solved it!

That’s not the right answer. SELinux is very useful to have in place for anything connected to the internet, so rather than disable it, I looked into fixing the issue properly. Luckily I’ve been here before, many years ago. So referring to my previous blog post about SELinux, it took me all of 10 minutes to fix.

sesearch -s postfix_bounce_t -t var_run_t -c dir -A
ausearch -m avc --start today | audit2allow -m postfix_pid_write -o postfix_pid_write.te
ausearch -m avc --start today | audit2allow -M postfix_pid_write
semodule -i postfix_pid_write.pp
semodule -l | grep postfix

Problem solved. SELinux still very much in place.