From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 12 Sep 2017 08:32:03 +0200
Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials
In-Reply-To: <20170912035221.276a0233@vega.skynet.aixah.de>
References: <20170911031829.4163-1-aranea@aixah.de> <20170911031829.4163-2-aranea@aixah.de> <20170912035221.276a0233@vega.skynet.aixah.de>
Message-ID: <20170912063203.GC6678@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, Sep 12, 2017 at 03:52:21AM +0200, Luis Ressel via refpolicy wrote:
> On Mon, 11 Sep 2017 20:10:28 -0400
> Chris PeBenito via refpolicy wrote:
>
> > On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> > > As far as I can see, dac_override is indeed required everywhere.
> >
> > Is this tested on a kernel with the swapped
> > dac_override/dac_read_search checks? (4.12+)
>
> Yes, exactly. As for dac_override being required, it seems the daemons
> open some unix sockets which only the postfix user has permission for,
> while they're still running with root permissions.

Then the dac_read_search could be dontaudited (although I suppose it doesn't
strictly have to, since dac_override is a superset of it).

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
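The thread turns on which capability denials a root-running postfix daemon generates on a 4.12+ kernel (where generic_permission() tries CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE for read/search access) and which of them should become allow rules versus dontaudit rules. The script below is an added example, not code from the refpolicy project or from anyone in this thread. It parses AVC capability denials from audit log text and applies the rule of thumb the reply states: where a domain is denied both dac_override and dac_read_search, grant dac_override and silence dac_read_search; where only dac_read_search is denied, grant just that rather than over-granting dac_override. The audit records, the domain names postfix_master_t / postfix_qmgr_t / postfix_smtpd_t, and the helper names are constructed for the example; the AVC field layout and the `allow`/`dontaudit … self:capability …` syntax are the real ones.

```python
import re
from collections import defaultdict

# Constructed sample auditd records (not from the thread). They mimic what a
# root-owned postfix daemon produces on a 4.12+ kernel when it opens a file it
# has no DAC access to: dac_read_search is checked first and, if SELinux denies
# it, dac_override is tried next, so a single open can log two AVC records.
# The last record is a non-capability denial, included to show it is ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1505190000.101:201): avc:  denied  { dac_read_search } for  pid=1201 comm="master" capability=2  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1505190000.101:202): avc:  denied  { dac_override } for  pid=1201 comm="master" capability=1  scontext=system_u:system_r:postfix_master_t:s0 tcontext=system_u:system_r:postfix_master_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1505190000.205:203): avc:  denied  { dac_read_search } for  pid=1210 comm="qmgr" capability=2  scontext=system_u:system_r:postfix_qmgr_t:s0 tcontext=system_u:system_r:postfix_qmgr_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1505190000.310:204): avc:  denied  { write } for  pid=1220 comm="smtpd" name="private" dev="dm-0" ino=1234 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=dir permissive=0
"""

# Pull the permission set, source context and target class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_capability_denials(log_text):
    """Map each source domain (type) to the set of capability perms denied."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "capability":
            continue
        # scontext is user:role:type:level; the domain we write rules for is the type.
        domain = m.group("scontext").split(":")[2]
        denied[domain].update(m.group("perms").split())
    return dict(denied)


def suggest_rules(denied):
    """Turn per-domain capability denials into refpolicy-style rules.

    Follows the reasoning in the thread: a domain that was denied dac_override
    genuinely needs it (on 4.12+ the kernel only falls through to that check
    after dac_read_search failed), so the preceding dac_read_search denial is
    noise and is silenced with dontaudit. A domain denied only dac_read_search
    gets exactly that and nothing broader.
    """
    rules = []
    for domain in sorted(denied):
        perms = denied[domain]
        if "dac_override" in perms:
            rules.append(f"allow {domain} self:capability dac_override;")
            if "dac_read_search" in perms:
                rules.append(f"dontaudit {domain} self:capability dac_read_search;")
        elif "dac_read_search" in perms:
            rules.append(f"allow {domain} self:capability dac_read_search;")
        # Any other capability denials are passed through as a plain allow set
        # for a human to review; they are not part of the dac_* decision.
        other = sorted(perms - {"dac_override", "dac_read_search"})
        if other:
            rules.append(f"allow {domain} self:capability {{ {' '.join(other)} }};")
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(parse_capability_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Run against real logs with `ausearch -m AVC --raw | python3 this_script.py`-style piping after replacing SAMPLE_AUDIT_LOG with stdin; the output lines are meant to be folded into the domain's `.te` block by hand, not applied blindly. The one caveat worth keeping in mind is the case the script cannot see: a domain that is denied only dac_read_search on a pre-4.12 kernel would have been denied dac_override instead, so denials collected on an older kernel should not be used to decide what to dontaudit on a newer one.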