From: aranea@aixah.de (Luis Ressel)
Date: Wed, 15 Nov 2017 08:10:14 +0100
Subject: [refpolicy] [PATCH 1/2] locallogin: Grant local_login_t the
	dac_read_search capability
Message-ID: <20171115071015.2168-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

It already has dac_override, and depending on the pam modules being
used, this may actually be neccessary. Due to the 4.13 changes, I'm now
getting dac_read_search denials.
---
 policy/modules/system/locallogin.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 92679ce36..ff8df49df 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
 allow local_login_t self:process { setexec setrlimit setsched };
 allow local_login_t self:fd use;
-- 
2.15.0