From: aranea@aixah.de (Luis Ressel)
Date: Mon, 11 Sep 2017 05:18:28 +0200
Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials
In-Reply-To: <20170911031829.4163-1-aranea@aixah.de>
References: <20170911031829.4163-1-aranea@aixah.de>
Message-ID: <20170911031829.4163-2-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

As far as I can see, dac_override is indeed required everywhere.
---
 postfix.te | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/postfix.te b/postfix.te
index eb4af6c..9b140af 100644
--- a/postfix.te
+++ b/postfix.te
@@ -171,7 +171,7 @@ optional_policy(`
 # Common postfix server domain local policy
 #
 
-allow postfix_server_domain self:capability { dac_override setgid setuid };
+allow postfix_server_domain self:capability { dac_read_search dac_override setgid setuid };
 allow postfix_master_t self:process getsched;
 
 allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
@@ -190,7 +190,7 @@ corenet_tcp_sendrecv_all_ports(postfix_server_domain)
 # Common postfix user domain local policy
 #
 
-allow postfix_user_domains self:capability dac_override;
+allow postfix_user_domains self:capability { dac_read_search dac_override };
 
 domain_use_interactive_fds(postfix_user_domains)
 
@@ -199,7 +199,7 @@ domain_use_interactive_fds(postfix_user_domains)
 # Master local policy
 #
 
-allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config };
+allow postfix_master_t self:capability { chown dac_read_search dac_override fowner kill setgid setuid sys_tty_config };
 allow postfix_master_t self:capability2 block_suspend;
 allow postfix_master_t self:process setrlimit;
 allow postfix_master_t self:tcp_socket create_stream_socket_perms;
@@ -485,7 +485,7 @@ optional_policy(`
 # Map local policy
 #
 
-allow postfix_map_t self:capability { dac_override setgid setuid };
+allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
 allow postfix_map_t self:tcp_socket { accept listen };
 
 allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
-- 
2.14.1