From: aranea@aixah.de (Luis Ressel)
Date: Tue, 12 Sep 2017 03:52:21 +0200
Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials
In-Reply-To:
References: <20170911031829.4163-1-aranea@aixah.de> <20170911031829.4163-2-aranea@aixah.de>
Message-ID: <20170912035221.276a0233@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 11 Sep 2017 20:10:28 -0400
Chris PeBenito via refpolicy wrote:

> On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> > As far as I can see, dac_override is indeed required everywhere.
>
> Is this tested on a kernel with the swapped
> dac_override/dac_read_search checks? (4.12+)

Yes, exactly. As for dac_override being required, it seems the daemons
open some unix sockets which only the postfix user has permission for,
while they're still running with root permissions.