Postfix vs. SELinux

I banged my head against this one for a couple of hours:

Jun 10 18:40:38 myhost postfix/tlsmgr[17113]: fatal: tls_prng_exch_open: cannot open PRNG exchange file /var/lib/postfix/tls/prng_exch: Permission denied
Jun 10 18:40:39 myhost postfix/master[29715]: warning: process /usr/libexec/postfix/tlsmgr pid 17113 exit status 1
Jun 10 18:40:39 myhost postfix/master[29715]: warning: /usr/libexec/postfix/tlsmgr: bad command startup -- throttling

I should have checked /var/log/messages, not just /var/log/maillog. It never occurred to me that it wasn't an application error. The next time I connected to the Xen console I found it was full of:

Jun 10 18:40:38 myhost kernel: audit(1181515238.322:6732): avc:  denied  { read write } for  pid=17113 comm="tlsmgr" name="prng_exch" dev=xvda3 ino=491990 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file

Ugh. Disabling SELinux made everything work fine. If somebody knows the SELinux incantation to make this work properly with SELinux on, please leave a comment.
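Editor's note, with an added example that is not part of the original post. The avc line above already says what went wrong: the process ran as postfix_master_t but the file prng_exch carried the generic var_lib_t label rather than a postfix-specific type, which is the usual sign of a file that was created or moved under /var/lib without its proper label. That case is normally fixed by relabelling (compare matchpathcon against ls -Z, then restorecon), not by a policy change, and certainly not by turning SELinux off. The script below is POSIX shell written for this note; it parses the denial line quoted in the post (embedded here as a constructed sample) into its fields and prints which remedy to try first. The list of "generic" types it treats as a mislabelling hint and the suggested command lines are the editor's assumptions, not output of any SELinux tool.

```shell
#!/bin/sh
# Parse an SELinux AVC denial and decide whether to relabel first or to build policy.
# Constructed sample: the kernel audit line from the post, copied verbatim.
AVC_LINE='Jun 10 18:40:38 myhost kernel: audit(1181515238.322:6732): avc:  denied  { read write } for  pid=17113 comm="tlsmgr" name="prng_exch" dev=xvda3 ino=491990 scontext=user_u:system_r:postfix_master_t:s0 tcontext=user_u:object_r:var_lib_t:s0 tclass=file'

# avc_field LINE KEY -> value of the KEY=value token (quotes stripped)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# avc_perms LINE -> the permissions listed inside { }, e.g. "read write"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# avc_type CONTEXT -> the type component of user:role:type:level
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix TARGET_TYPE -> "relabel" or "policy"
# Assumption (editor's heuristic): a generic catch-all type on a file that an
# application owns means the file lost its specific label; relabel before
# writing any allow rule.
suggest_fix() {
    case "$1" in
        var_lib_t|var_t|default_t|unlabeled_t|file_t) echo relabel ;;
        *) echo policy ;;
    esac
}

# diagnose LINE -> human-readable summary plus the remedy to try first
diagnose() {
    line=$1
    src=$(avc_type "$(avc_field "$line" scontext)")
    tgt=$(avc_type "$(avc_field "$line" tcontext)")
    echo "$(avc_field "$line" comm) (pid $(avc_field "$line" pid), $src) was denied" \
         "{ $(avc_perms "$line") } on $(avc_field "$line" tclass) '$(avc_field "$line" name)'" \
         "labelled $tgt"
    if [ "$(suggest_fix "$tgt")" = relabel ]; then
        echo "probable mislabelling: compare 'matchpathcon <path>' with 'ls -Z <path>'," \
             "then 'restorecon -Rv <dir>' and retry"
    else
        echo "label is specific: if the access is legitimate, pipe the avc lines into" \
             "'audit2allow -M <module>', review the generated .te, then 'semodule -i <module>.pp'"
    fi
}

diagnose "$AVC_LINE"
```

Run as-is and it reports the tlsmgr denial and recommends relabelling /var/lib/postfix; run on your own log by replacing AVC_LINE with a line grepped from /var/log/messages or /var/log/audit/audit.log. Only fall back to audit2allow when the target label is already the one matchpathcon expects, and read the module it generates before installing it: an allow rule written from a denial is exactly as broad as the denial.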