SELinux and postalias

The journal throws this error on booting Tumbleweed, up-to-date:

  SELinux hindert postalias daran, mit write-Zugriff auf Datei aliases.lmdb zuzugreifen.Zum Anzeigen der kompletten SELinux-Benachrichtigung führen Sie folgenden Befehl aus: se>
Nov 20 10:38:11 X-eins setroubleshoot[1687]: SELinux hindert postalias daran, mit write-Zugriff auf Datei aliases.lmdb zuzugreifen.
                                             
                                             *****  Plugin catchall_labels (83.8 Wahrscheinlichkeit) schlägt vor    *******
                                             
                                             Wenn Sie erlauben wollen, dass postalias  write Zugriff auf aliases.lmdb file
                                             Dann you need to change the label on aliases.lmdb
                                             Ausführen
                                             # semanage fcontext -a -t FILE_TYPE 'aliases.lmdb'
                                             where FILE_TYPE is one of the following: afs_cache_t, etc_aliases_t, initrc_tmp_t, krb5_host_rcache_t, mailman_data_t, postfix_data_t, postfix_etc_t, postfix_private_t, postf>
                                             Then execute:
                                             restorecon -v 'aliases.lmdb'
                                             
                                             
                                             *****  Plugin catchall (17.1 Wahrscheinlichkeit) schlägt vor    **************
                                             
                                             If you believe that postalias should be allowed write access on the aliases.lmdb file by default.
                                             Dann you should report this as a bug.
                                             You can generate a local policy module to allow this access.
                                             Ausführen
                                             allow this access for now by executing:
                                             # ausearch -c 'postalias' --raw | audit2allow -M my-postalias
                                             # semodule -X 300 -i my-postalias.pp

I’ve seen this question here: SELinux has detected a problem --- The source process postalias attempted this access write on this file aliases.lmdb
— but there is no answer, at least, to my understanding.

And no, I haven’t tampered with the text above, it really says “Dann you should…”

Do I need to file a bug report? Or can I tell SELinux to allow postalias to do whatever?

  1. This is an English-speaking forum. Please post information in English.
  2. Post ls -lRZ /etc/postfix
ls -lRZ /etc/postfix
/etc/postfix:
insgesamt 408
drwxr-xr-x. 1 root root system_u:object_r:postfix_etc_t:s0    24 19. Aug 19:45 ssl
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0 21398 19. Aug 19:45 access
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192  3. Sep 10:41 access.lmdb
-rw-r--r--. 1 root root system_u:object_r:etc_aliases_t:s0 11516 19. Aug 19:45 aliases
-rw-r--r--. 1 root root system_u:object_r:etc_aliases_t:s0 32768  3. Sep 10:41 aliases.lmdb
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  3547 19. Aug 19:45 bounce.cf.default
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0 13097 19. Aug 19:45 canonical
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192  3. Sep 10:41 canonical.lmdb
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0 10496 19. Aug 19:45 generic
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0 23371 19. Aug 19:45 header_checks
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0   123 27. Mai 2009  helo_access
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192 21. Mär 2025  helo_access.lmdb
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0 33317 21. Mär 2025  main.cf
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0 41150 19. Aug 19:45 main.cf.default
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0 32997 21. Mai 2025  main.cf.rpmnew
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8962 11. Apr 2025  master.cf
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  2259 26. Jul 2019  openssl_postfix.conf.in
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0    37 27. Mai 2009  relay
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0   199 15. Apr 2004  relay_ccerts
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192 21. Mär 2025  relay_ccerts.lmdb
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192 21. Mär 2025  relay.lmdb
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0    47 24. Jun 2021  relay_recipients
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192 21. Mär 2025  relay_recipients.lmdb
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  7127 19. Aug 19:45 relocated
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192  3. Sep 10:41 relocated.lmdb
-rw-------. 1 root root system_u:object_r:postfix_etc_t:s0   172 15. Apr 2004  sasl_passwd
-rw-------. 1 root root system_u:object_r:postfix_etc_t:s0  8192 21. Mär 2025  sasl_passwd.lmdb
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0   412 15. Apr 2004  sender_canonical
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192 21. Mär 2025  sender_canonical.lmdb
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0 13442 19. Aug 19:45 transport
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192  3. Sep 10:41 transport.lmdb
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0 14494 19. Aug 19:45 virtual
-rw-r--r--. 1 root root system_u:object_r:postfix_etc_t:s0  8192  3. Sep 10:41 virtual.lmdb

/etc/postfix/ssl:
insgesamt 4
lrwxrwxrwx. 1 root root system_u:object_r:postfix_etc_t:s0 15 19. Aug 19:45 cacerts -> ../../ssl/certs
drwxr-xr-x. 1 root root system_u:object_r:postfix_etc_t:s0  0 19. Aug 19:45 certs

/etc/postfix/ssl/certs:
insgesamt 0

Sorry for the German language terms in my posts, “insgesamt” means “in total”. If you have an idea how to tell journalctl to speak English, I’ll give it a try.

The label is correct:

andrei@tumbleweed:~> matchpathcon /etc/postfix/access.lmdb
/etc/postfix/access.lmdb        system_u:object_r:postfix_etc_t:s0
andrei@tumbleweed:~>

Show

ausearch -m avc -ts boot

I am afraid that if the message is already stored in the journal in a different language, you cannot. I never set the system-wide language to non-English precisely to avoid it.

Being root:

ausearch -m avc -ts boot
----
time->Thu Nov 20 11:00:15 2025
type=AVC msg=audit(1763632815.896:69): avc:  denied  { write } for  pid=1414 comm="postalias" name="aliases.lmdb" dev="nvme0n1p3" ino=312758 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

Is it the same file?
Show

date
lsblk -f
ls -i /etc/postfix
date
Do 20. Nov 15:39:53 CET 2025
AW@X-eins:~> lsblk -f
NAME          FSTYPE      FSVER LABEL  UUID                                 FSAVAIL FSUSE% MOUNTPOINTS
nvme0n1                                                                                    
├─nvme0n1p1   vfat        FAT16 SYSTEM xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx  253,8M     2% /boot/efi
├─nvme0n1p2   swap        1            xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx                [SWAP]
├─nvme0n1p3   btrfs                    xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx   67,7G    41% /var
│                                                                                          /usr/local
│                                                                                          /srv
│                                                                                          /root
│                                                                                          /opt
│                                                                                          /boot/grub2/x86_64-efi
│                                                                                          /boot/grub2/i386-pc
│                                                                                          /
├─nvme0n1p4   ext4        1.0          xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx    9,2G    71% /local
└─nvme0n1p5   crypto_LUKS 2            xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx                
  └─cr-auto-1 ext4        1.0          xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx  283,1G    57% /home
AW@X-eins:~> ls -i /etc/postfix
 143651 ssl                 312762 canonical.lmdb     567821 main.cf.rpmnew            143647 relay_recipients        312763 sender_canonical.lmdb
 143634 access              143638 generic            143643 master.cf                 312769 relay_recipients.lmdb   143654 transport
 312761 access.lmdb         143639 header_checks      143644 openssl_postfix.conf.in   143648 relocated               312760 transport.lmdb
 143635 aliases             143640 helo_access        143645 relay                     312764 relocated.lmdb          143655 virtual
 312770 aliases.lmdb        312767 helo_access.lmdb   143646 relay_ccerts              143649 sasl_passwd             312759 virtual.lmdb
 143636 bounce.cf.default   143641 main.cf            312766 relay_ccerts.lmdb         312765 sasl_passwd.lmdb
 143637 canonical          1620190 main.cf.default    312768 relay.lmdb                143650 sender_canonical

I replaced the IDs of the partitions with xxx.

Same file?

Have you tried these commands?

@Sauerland
No. I’m a user and SELinux is new software. I’m lacking the tools to deal with it yet. What you suggest seems like such a tool, right?

Your first command prints a huge list, just the first lines here:

ausearch -c 'postalias' --raw
type=AVC msg=audit(1746551901.274:72): avc:  denied  { write } for  pid=1484 comm="postalias" name="aliases.lmdb" dev="nvme0n1p3" ino=312758 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1746553576.988:72): avc:  denied  { write } for  pid=1501 comm="postalias" name="aliases.lmdb" dev="nvme0n1p3" ino=312758 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1746566381.699:72): avc:  denied  { write } for  pid=1429 comm="postalias" name="aliases.lmdb" dev="nvme0n1p3" ino=312758 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

audit2allow would produce a policy module, right?

And semodule would properly install that module, as far as I understand.

I’ll wait for what @arvidjaar says, because if it’s a bug, maybe we can squash it. But if not, I’m happy about your idea – a tool to deal with SELinux denials.

2 commands, and try them as root…

ausearch -c 'postalias' --raw | audit2allow -M my-postalias
semodule -X 300 -i my-postalias.pp

For me it has worked with openvpn and sshd.

But a restart was necessary.

Ah, okay, I had trouble with openvpn as well. Isn’t there a process in the openSUSE world for getting all these SELinux troubles solved, one by one?

For me, it was inside the logs…

No.

The file from the error message has inode 312758.

It is possible that this file has already been deleted and re-created with the correct attributes. Try restarting postfix service. Do you get the same error?

Yes, as it turns out:

systemctl restart postfix
X-eins:/home/AW # systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; preset: enabled)
     Active: active (running) since Thu 2025-11-20 18:54:51 CET; 1s ago
 Invocation: 08c1aa62b27f4129a8f08c6e15530c22
    Process: 28681 ExecStartPre=/bin/echo Starting mail service (Postfix) (code=exited, status=0/SUCCESS)
    Process: 28684 ExecStartPre=/usr/bin/touch /var/spool/postfix/pid/master.pid (code=exited, status=0/SUCCESS)
    Process: 28686 ExecStartPre=/sbin/restorecon -Rv /var/spool/postfix/pid/master.pid (code=exited, status=0/SUCCESS)
    Process: 28687 ExecStartPre=/usr/lib/postfix/systemd/config_postfix (code=exited, status=0/SUCCESS)
    Process: 28689 ExecStartPre=/usr/lib/postfix/systemd/update_chroot (code=exited, status=0/SUCCESS)
    Process: 28691 ExecStartPre=/usr/lib/postfix/systemd/update_postmaps (code=exited, status=0/SUCCESS)
    Process: 28706 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
    Process: 28780 ExecStartPost=/usr/lib/postfix/systemd/wait_qmgr 60 (code=exited, status=0/SUCCESS)
    Process: 28784 ExecStartPost=/usr/lib/postfix/systemd/cond_slp register (code=exited, status=0/SUCCESS)
   Main PID: 28776 (master)
      Tasks: 3 (limit: 37969)
        CPU: 364ms
     CGroup: /system.slice/postfix.service
             ├─28776 /usr/lib/postfix/bin//master -w
             ├─28777 pickup -l -t fifo -u
             └─28778 qmgr -l -t fifo -u

Nov 20 18:54:50 X-eins systemd[1]: Starting Postfix Mail Transport Agent...
Nov 20 18:54:50 X-eins echo[28681]: Starting mail service (Postfix)
Nov 20 18:54:50 X-eins restorecon[28686]: Relabeled /var/spool/postfix/pid/master.pid from system_u:object_r:var_run_t:s0 to system_u:object_r:postfix_var_>
Nov 20 18:54:50 X-eins update_postmaps[28705]: postalias: fatal: open database /etc/aliases.lmdb: Permission denied
Nov 20 18:54:50 X-eins postfix/postalias[28705]: fatal: open database /etc/aliases.lmdb: Permission denied
Nov 20 18:54:51 X-eins postfix[28774]: postfix/postlog: starting the Postfix mail system
X-eins:/home/AW # systemctl status postfix
● postfix.service - Postfix Mail Transport Agent
     Loaded: loaded (/usr/lib/systemd/system/postfix.service; enabled; preset: enabled)
     Active: active (running) since Thu 2025-11-20 18:54:51 CET; 34s ago
 Invocation: 08c1aa62b27f4129a8f08c6e15530c22
    Process: 28681 ExecStartPre=/bin/echo Starting mail service (Postfix) (code=exited, status=0/SUCCESS)
    Process: 28684 ExecStartPre=/usr/bin/touch /var/spool/postfix/pid/master.pid (code=exited, status=0/SUCCESS)
    Process: 28686 ExecStartPre=/sbin/restorecon -Rv /var/spool/postfix/pid/master.pid (code=exited, status=0/SUCCESS)
    Process: 28687 ExecStartPre=/usr/lib/postfix/systemd/config_postfix (code=exited, status=0/SUCCESS)
    Process: 28689 ExecStartPre=/usr/lib/postfix/systemd/update_chroot (code=exited, status=0/SUCCESS)
    Process: 28691 ExecStartPre=/usr/lib/postfix/systemd/update_postmaps (code=exited, status=0/SUCCESS)
    Process: 28706 ExecStart=/usr/sbin/postfix start (code=exited, status=0/SUCCESS)
    Process: 28780 ExecStartPost=/usr/lib/postfix/systemd/wait_qmgr 60 (code=exited, status=0/SUCCESS)
    Process: 28784 ExecStartPost=/usr/lib/postfix/systemd/cond_slp register (code=exited, status=0/SUCCESS)
   Main PID: 28776 (master)
      Tasks: 3 (limit: 37969)
        CPU: 364ms
     CGroup: /system.slice/postfix.service
             ├─28776 /usr/lib/postfix/bin//master -w
             ├─28777 pickup -l -t fifo -u
             └─28778 qmgr -l -t fifo -u

Nov 20 18:54:50 X-eins systemd[1]: Starting Postfix Mail Transport Agent...
Nov 20 18:54:50 X-eins echo[28681]: Starting mail service (Postfix)
Nov 20 18:54:50 X-eins restorecon[28686]: Relabeled /var/spool/postfix/pid/master.pid from system_u:object_r:var_run_t:s0 to system_u:object_r:postfix_var_>
Nov 20 18:54:50 X-eins update_postmaps[28705]: postalias: fatal: open database /etc/aliases.lmdb: Permission denied
Nov 20 18:54:50 X-eins postfix/postalias[28705]: fatal: open database /etc/aliases.lmdb: Permission denied
Nov 20 18:54:51 X-eins postfix[28774]: postfix/postlog: starting the Postfix mail system
Nov 20 18:54:51 X-eins postfix/postfix-script[28774]: starting the Postfix mail system
Nov 20 18:54:51 X-eins postfix/master[28776]: daemon started -- version 3.10.4, configuration /etc/postfix
Nov 20 18:54:51 X-eins systemd[1]: Started Postfix Mail Transport Agent.

You see the difference? Either use the default location (/etc/postfix/aliases.lmdb) or add the needed label to the SELinux policy.

So here is the bug, because I haven’t – as far as I know – chosen another location!

How can I use the default location?

Well, I looked at my system and I have

bor@leap16:~> LANG=C ll -Z /etc/aliases*
-rw-r--r--. 1 root root system_u:object_r:etc_aliases_t:s0  2579 May 22 15:41 /etc/aliases
-rw-r--r--. 1 root root system_u:object_r:etc_aliases_t:s0 12288 Nov 20 21:07 /etc/aliases.lmdb

/etc/aliases.d:
total 0
bor@leap16:~> 

which is the correct label. The file /etc/aliases.lmdb did not exist before I started postfix. Show

ls -lZ /etc/aliases
ls -lZ /etc/aliases
-rw-r--r--. 1 root root unconfined_u:object_r:etc_t:s0 2548  6. Mai 2025  /etc/aliases

OK, I found /etc/aliases.lmdb, changed on 21. March 2025, and /etc/postfix/main.cf, same date, as well as main.cf.rpmnew. Then there is /etc/postfix/main.cf.default from 19. August 2025.

I guess, a package installation on March 21st changed the postfix installation. As it turns out, I reinstalled this notebook on this date.

It should have been

ls -lZ /etc/aliases*

of course.
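
Added example, not part of any post above: the "is it the same file?" check from this thread as a script. It pulls the inode and target type out of the AVC record quoted earlier and compares them with the `ls -i /etc/postfix` listing. The function names and the `--live` switch are hypothetical; the sample data is copied from the thread's output.

```shell
#!/bin/sh
# Added example. SAMPLE_AVC and SAMPLE_LS are copied from the thread's output.
SAMPLE_AVC='type=AVC msg=audit(1763632815.896:69): avc:  denied  { write } for  pid=1414 comm="postalias" name="aliases.lmdb" dev="nvme0n1p3" ino=312758 scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'
SAMPLE_LS=' 143635 aliases             143640 helo_access
 312770 aliases.lmdb        312767 helo_access.lmdb'

# avc_field KEY RECORD: print the value of KEY=... with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# ctx_type CONTEXT: the type is the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# name_for_inode INO: read multi-column `ls -i` output on stdin (inode/name
# pairs; names containing spaces are not handled) and print the matching name.
name_for_inode() {
    awk -v ino="$1" '{ for (i = 1; i < NF; i += 2) if ($i == ino) print $(i + 1) }'
}

# same_file RECORD: does the denied inode appear in the listing on stdin?
same_file() {
    hit=$(name_for_inode "$(avc_field ino "$1")")
    if [ -n "$hit" ]; then echo "yes: $hit"; else echo "no"; fi
}

# check_live RECORD: on the real system (as root), find the denied inode on the
# root filesystem and print its current label next to the policy's expected one.
check_live() {
    find / -xdev -inum "$(avc_field ino "$1")" 2>/dev/null |
    while IFS= read -r f; do
        printf 'current:  %s\t%s\n' "$f" "$(stat -c %C "$f")"
        printf 'expected: '; matchpathcon "$f"
        # If they differ, `restorecon -v "$f"` resets the file to the expected label.
    done
}

if [ "${1:-}" = "--live" ]; then
    check_live "$(ausearch -c postalias --raw | tail -n 1)"
else
    printf 'denied type: %s\n' "$(ctx_type "$(avc_field tcontext "$SAMPLE_AVC")")"
    printf 'same file as /etc/postfix/aliases.lmdb? %s\n' "$(printf '%s\n' "$SAMPLE_LS" | same_file "$SAMPLE_AVC")"
fi
```

The `dev=` field names the whole partition; on btrfs, inode numbers are unique only within a subvolume, so compare the `name=` field with any path the live search returns.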