From: aranea@aixah.de (Luis Ressel)
Date: Tue, 12 Sep 2017 03:52:21 +0200
Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search
 denials
In-Reply-To: <c5c76ed3-bb54-0e61-16b3-753a222141d4@ieee.org>
References: <20170911031829.4163-1-aranea@aixah.de>
	<20170911031829.4163-2-aranea@aixah.de>
	<c5c76ed3-bb54-0e61-16b3-753a222141d4@ieee.org>
Message-ID: <20170912035221.276a0233@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 11 Sep 2017 20:10:28 -0400
Chris PeBenito via refpolicy <refpolicy@oss.tresys.com> wrote:

> On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> > As far as I can see, dac_override is indeed required everywhere.  
> 
> Is this tested on a kernel with the swapped
> dac_override/dac_read_search checks? (4.12+)

Yes, exactly. As for dac_override being required, it seems the daemons
open some unix sockets which only the postfix user has permission for,
while they're still running with root permissions.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170912/0ecf9640/attachment.bin