From: aranea@aixah.de (Luis Ressel)
Date: Wed, 15 Nov 2017 08:10:14 +0100
Subject: [refpolicy] [PATCH 1/2] locallogin: Grant local_login_t the dac_read_search capability
Message-ID: <20171115071015.2168-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

It already has dac_override, and depending on the pam modules being used, this may actually be neccessary. Due to the 4.13 changes, I'm now getting dac_read_search denials.
---
 policy/modules/system/locallogin.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 92679ce36..ff8df49df 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
 allow local_login_t self:process { setexec setrlimit setsched };
 allow local_login_t self:fd use;
-- 
2.15.0
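Review bot: The widened `allow local_login_t self:capability` rule records nowhere in the policy why `dac_read_search` now sits next to `dac_override`; the reason exists only in the commit message. A later least-privilege audit could therefore drop one of them or fail to revisit the other. I would add a comment above the rule, e.g. `# dac_read_search: checked before dac_override on kernels >= 4.13; some PAM modules trigger it`. Since `dac_override` already covers read and search access, this addition probably does not widen what the login domain can reach. It would still be worth a follow-up to check, from the logged denials, whether `dac_override` is still exercised at all once `dac_read_search` is granted, because the narrower capability is the one to keep if so. The local policy section continues past the end of this hunk, so other rules that depend on these capabilities are not visible here.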