From Debian package 0.2.20100524-9 Updated in 0.2.20110726-12 0075-postfix-policy-adjustments-Allow-user_mail_t-to-tran.patch (part of) 0230-Label-postalias-as-postfix_master_exec_t-for-newalia.patch 0.2.2010524-9 * Allow user_mail_t to transition to postfix_master_t for postalias, confined by roles. Uses domain_system_change_exemption() for user_mail_t via postfix_domtrans_master() which isn't ideal. 0.2.20110726-12 * Label postalias as postfix_master_exec_t for newaliases Index: policy/modules/contrib/mta.if =================================================================== --- policy/modules/contrib/mta.if.orig +++ policy/modules/contrib/mta.if @@ -106,6 +106,8 @@ optional_policy(` postfix_domtrans_user_mail_handler($1_mail_t) + # for postalias - role stops unpriv user from doing it + postfix_domtrans_master($1_mail_t) ') optional_policy(` Index: policy/modules/contrib/postfix.if =================================================================== --- policy/modules/contrib/postfix.if.orig +++ policy/modules/contrib/postfix.if @@ -377,6 +377,7 @@ ') domtrans_pattern($1, postfix_master_exec_t, postfix_master_t) + domain_system_change_exemption($1) ') ######################################## Index: policy/modules/contrib/postfix.fc =================================================================== --- policy/modules/contrib/postfix.fc.orig +++ policy/modules/contrib/postfix.fc @@ -32,6 +32,7 @@ ') /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0) /etc/postfix/prng_exch -- gen_context(system_u:object_r:postfix_prng_t,s0) +/usr/sbin/postalias -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postcat -- gen_context(system_u:object_r:postfix_master_exec_t,s0) /usr/sbin/postdrop -- gen_context(system_u:object_r:postfix_postdrop_exec_t,s0) /usr/sbin/postfix -- gen_context(system_u:object_r:postfix_master_exec_t,s0)
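Review bot: In the mta.if hunk at @@ -106,6 +106,8 @@, the call `postfix_domtrans_master($1_mail_t)` sits in the per-user template, so every `$1_mail_t` domain gets the transition rule and the only barrier left is the one the comment mentions ("role stops unpriv user from doing it"). Nothing in the visible lines shows which role statement provides that barrier. I would either name the rule in the comment (which roles are and are not authorized for postfix_master_t) or move the call out of the generic template so that only the administrative mail domain receives it. As written, a later change that authorizes postfix_master_t for a user role would silently open this path.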
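Review bot: In the postfix.if hunk at @@ -377,6 +377,7 @@, `domain_system_change_exemption($1)` is added inside the interface body right after `domtrans_pattern($1, postfix_master_exec_t, postfix_master_t)`, so every caller of this interface becomes exempt from the constraint on changing to the system identity and role, not only user_mail_t. The changelog entry already says this "isn't ideal". I would leave the interface as a plain domain transition and put the exemption where it is needed, either next to the new call in mta.if or in a separate, clearly named interface. If it stays here, the interface's documentation block should state that calling it also grants the exemption.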
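Review bot: In the postfix.fc hunk at @@ -32,6 +32,7 @@, the new `/usr/sbin/postalias` entry reuses postfix_master_exec_t, the same label as `/usr/sbin/postfix` and `/usr/sbin/postcat`, which means an alias database rebuild runs with everything postfix_master_t is allowed to do, and combined with the mta.if change it is reachable from the user mail domains. A dedicated exec type and a small domain for postalias would keep the grant limited to what newaliases needs. If that is out of scope for this patch, please add a short comment above the entry saying the label exists for newaliases, since the reason is only recorded in the changelog text.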