From: aranea@aixah.de (Luis Ressel)
Date: Sun, 17 Sep 2017 12:30:03 +0200
Subject: [refpolicy] [PATCH 2/3] postfix: Silence cap_dac_read_search denials
In-Reply-To: <20170912063203.GC6678@julius.enp8s0.d30>
References: <20170911031829.4163-1-aranea@aixah.de> <20170911031829.4163-2-aranea@aixah.de> <20170912035221.276a0233@vega.skynet.aixah.de> <20170912063203.GC6678@julius.enp8s0.d30>
Message-ID: <20170917122952.32fadcf4@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Tue, 12 Sep 2017 08:32:03 +0200
Dominick Grift via refpolicy wrote:

> On Tue, Sep 12, 2017 at 03:52:21AM +0200, Luis Ressel via refpolicy wrote:
> > On Mon, 11 Sep 2017 20:10:28 -0400
> > Chris PeBenito via refpolicy wrote:
> >
> > > On 09/10/2017 11:18 PM, Luis Ressel via refpolicy wrote:
> > > > As far as I can see, dac_override is indeed required
> > > > everywhere.
> > >
> > > Is this tested on a kernel with the swapped
> > > dac_override/dac_read_search checks? (4.12+)
> >
> > Yes, exactly. As for dac_override being required, it seems the
> > daemons open some unix sockets which only the postfix user has
> > permission for, while they're still running with root permissions.
>
> Then the dac_read_search could be dontaudited (although I suppose it
> doesn't strictly have to since dac_override is a superset of it)

Given that there's zero difference in the permissions that postfix will
ultimately end up with, I'd prefer to allow it. Both because it keeps the
policy a few lines shorter, and because there can be a /lot/ of denials
for this perm depending on the postfix setup, which may be annoying when
one has to disable dontaudit rules to debug something.

(CCing Chris in case he has forgotten about this patch.)

Regards,
Luis Ressel
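The two policy shapes being weighed in this thread, written out as an added illustration (this is not the patch under discussion and not refpolicy's own postfix.te). It assumes `postfix_master_t`, refpolicy's domain for the postfix master daemon, is the domain producing the denials; any other postfix domain from the patch would be written the same way.

```selinux
# Added illustration, not the submitted patch. Assumes postfix_master_t
# is the domain that logs the cap_dac_read_search denials.

# Option A (the approach Luis argues for): allow both capabilities.
# On 4.12+ kernels the VFS checks CAP_DAC_READ_SEARCH before
# CAP_DAC_OVERRIDE for read/search access, so a domain that already
# holds dac_override gains no effective privilege from dac_read_search;
# without this rule every such check still logs an AVC denial.
allow postfix_master_t self:capability { dac_override dac_read_search };

# Option B (Dominick's suggestion): grant only dac_override on paper and
# silence the audit noise separately. Effective permissions are identical,
# the policy is one line longer, and the denials reappear whenever
# dontaudit rules are disabled for debugging (semodule -DB).
allow postfix_master_t self:capability dac_override;
dontaudit postfix_master_t self:capability dac_read_search;
```

The practical difference shows up only while debugging: `semodule -DB` rebuilds the policy with all dontaudit rules disabled, so under option B the previously hidden dac_read_search denials flood the audit log alongside whatever is actually being investigated; `semodule -B` restores them. Under option A there is nothing to unhide, which is the trade-off the reply above is making.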