From: aranea@aixah.de (Luis Ressel) Date: Mon, 11 Sep 2017 05:18:28 +0200 Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials In-Reply-To: <20170911031829.4163-1-aranea@aixah.de> References: <20170911031829.4163-1-aranea@aixah.de> Message-ID: <20170911031829.4163-2-aranea@aixah.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com As far as I can see, dac_override is indeed required everywhere.
---
 postfix.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/postfix.te b/postfix.te
index eb4af6c..9b140af 100644
--- a/postfix.te
+++ b/postfix.te
@@ -171,7 +171,7 @@ optional_policy(`
 # Common postfix server domain local policy
 #
-allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_server_domain self:capability { dac_read_search dac_override setgid setuid };
 allow postfix_master_t self:process getsched;
 allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -190,7 +190,7 @@ corenet_tcp_sendrecv_all_ports(postfix_server_domain)
 # Common postfix user domain local policy
 #
-allow postfix_user_domains self:capability dac_override;
+allow postfix_user_domains self:capability { dac_read_search dac_override };
 domain_use_interactive_fds(postfix_user_domains)
@@ -199,7 +199,7 @@ domain_use_interactive_fds(postfix_user_domains)
 # Master local policy
 #
-allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config };
+allow postfix_master_t self:capability { chown dac_read_search dac_override fowner kill setgid setuid sys_tty_config };
 allow postfix_master_t self:capability2 block_suspend;
 allow postfix_master_t self:process setrlimit;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
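Review bot: The added `dac_read_search` is placed before `dac_override` in the server-domain rule, which breaks the alphabetical order the surrounding capability sets visibly follow (`{ chown dac_override fowner kill ... }`, `{ dac_override setgid setuid }`); the user-domain, master and map hunks order it the same way. Because `dac_override` stays in every set, adding `dac_read_search` should not widen what these domains can effectively do — as I recall, the kernel's DAC check tries CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE for read/search access, so the denials being silenced come from the narrower check failing just before the broader one succeeds — but that is the justification a policy reader needs, and "As far as I can see" in the description does not give it. I would write the server rule as `allow postfix_server_domain self:capability { dac_override dac_read_search setgid setuid };` and sort the other three sets the same way, and state in the commit message that the change is audit-noise reduction, not a new privilege.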
@@ -485,7 +485,7 @@ optional_policy(`
 # Map local policy
 #
-allow postfix_map_t self:capability { dac_override setgid setuid };
+allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
 allow postfix_map_t self:tcp_socket { accept listen };
 allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-- 
2.14.1