From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 11 Sep 2017 20:10:28 -0400 Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials In-Reply-To: <20170911031829.4163-2-aranea@aixah.de> References: <20170911031829.4163-1-aranea@aixah.de> <20170911031829.4163-2-aranea@aixah.de> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote: > As far as I can see, dac_override is indeed required everywhere. Is this tested on a kernel with the swapped dac_override/dac_read_search checks? (4.12+)
> ---
> postfix.te | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/postfix.te b/postfix.te
> index eb4af6c..9b140af 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -171,7 +171,7 @@ optional_policy(`
> # Common postfix server domain local policy
> #
>
> -allow postfix_server_domain self:capability { dac_override setgid setuid };
> +allow postfix_server_domain self:capability { dac_read_search dac_override setgid setuid };
> allow postfix_master_t self:process getsched;
>
> allow postfix_server_domain postfix_master_t:unix_stream_socket { connectto rw_stream_socket_perms };
> @@ -190,7 +190,7 @@ corenet_tcp_sendrecv_all_ports(postfix_server_domain)
> # Common postfix user domain local policy
> #
>
> -allow postfix_user_domains self:capability dac_override;
> +allow postfix_user_domains self:capability { dac_read_search dac_override };
>
> domain_use_interactive_fds(postfix_user_domains)
>
> @@ -199,7 +199,7 @@ domain_use_interactive_fds(postfix_user_domains)
> # Master local policy
> #
>
> -allow postfix_master_t self:capability { chown dac_override fowner kill setgid setuid sys_tty_config };
> +allow postfix_master_t self:capability { chown dac_read_search dac_override fowner kill setgid setuid sys_tty_config };
> allow postfix_master_t self:capability2 block_suspend;
> allow postfix_master_t self:process setrlimit;
> allow postfix_master_t self:tcp_socket create_stream_socket_perms;
> @@ -485,7 +485,7 @@ optional_policy(`
> # Map local policy
> #
>
> -allow postfix_map_t self:capability { dac_override setgid setuid };
> +allow postfix_map_t self:capability { dac_read_search dac_override setgid setuid };
> allow postfix_map_t self:tcp_socket { accept listen };
>
> allow postfix_map_t postfix_etc_t:dir manage_dir_perms;
> -- Chris PeBenito
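Review bot: The subject says the denials are silenced, but all four changed rules (`postfix_server_domain`, `postfix_user_domains`, `postfix_master_t`, `postfix_map_t`) are `allow` rules, so `dac_read_search` is granted rather than hidden. That capability is not purely a subset of `dac_override`, since the kernel also gates `open_by_handle_at(2)` on it, so each domain gains something it did not have before. If the accesses still succeed through the retained `dac_override` (which the commit message suggests, but the page does not show), a separate rule such as `dontaudit postfix_user_domains self:capability dac_read_search;` would match the stated intent without widening the grant. This matters most for the first two rules, whose names look like attributes, so the grant presumably reaches every domain carrying them. Whichever form is kept, a short comment above each rule recording why `dac_read_search` appears beside `dac_override` would help later maintainers.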