From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 18 Nov 2017 05:55:17 -0500
Subject: [refpolicy] [PATCH 1/2] locallogin: Grant local_login_t the
 dac_read_search capability
In-Reply-To: <20171115071015.2168-1-aranea@aixah.de>
References: <20171115071015.2168-1-aranea@aixah.de>
Message-ID: <215c4287-5e50-cbdf-5d03-6722f173f78a@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/15/2017 02:10 AM, Luis Ressel via refpolicy wrote:
> It already has dac_override, and depending on the pam modules being
> used, this may actually be neccessary. Due to the 4.13 changes, I'm now
> getting dac_read_search denials.
> ---
>   policy/modules/system/locallogin.te | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
> index 92679ce36..ff8df49df 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -32,7 +32,7 @@ role system_r types sulogin_t;
>   # Local login local policy
>   #
>   
> -allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
> +allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
>   dontaudit local_login_t self:capability net_admin;
>   allow local_login_t self:process { setexec setrlimit setsched };
>   allow local_login_t self:fd use;

Merged.

-- 
Chris PeBenito