From Debian package 0.2.20100524-9 * Allow user_mail_t to transition to postfix_master_t for postalias, confined by roles. Uses domain_system_change_exemption() for user_mail_t via postfix_domtrans_master() which isn't ideal. Index: policy/modules/services/mta.if =================================================================== --- policy/modules/services/mta.if.orig +++ policy/modules/services/mta.if @@ -106,6 +106,8 @@ optional_policy(` postfix_domtrans_user_mail_handler($1_mail_t) + # for postalias - role stops unpriv user from doing it + postfix_domtrans_master($1_mail_t) ') optional_policy(` Index: policy/modules/services/postfix.if =================================================================== --- policy/modules/services/postfix.if.orig +++ policy/modules/services/postfix.if @@ -375,6 +375,7 @@ ') domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) + domain_system_change_exemption($1) ') ########################################
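Review bot: In the mta.if hunk (@@ -106,6 +106,8), the added `postfix_domtrans_master($1_mail_t)` sits in the template body, so every `$1_mail_t` domain the template is instantiated for gets the transition into postfix_master_t, and nothing in the hunk itself enforces the "role stops unpriv user from doing it" claim in the comment. The comment should name the role rule it relies on. Better still, make the call only for the prefixes that actually need postalias, so the restriction does not depend on policy defined elsewhere staying unchanged.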
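Review bot: In the postfix.if hunk (@@ -375,6 +375,7), `domain_system_change_exemption($1)` is added inside the interface next to the `domtrans_pattern(...)` line, so every domain that calls `postfix_domtrans_master()` receives the exemption, not only user_mail_t; the description above already concedes this "isn't ideal". Consider leaving the interface as it was and granting the exemption at the single call site in mta.if, or through a separate interface used only for the postalias case. If it stays here, the line needs a comment saying why, since the mta.if comment is the only place the postalias reason is recorded.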