From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 18 Nov 2017 05:55:17 -0500
Subject: [refpolicy] [PATCH 1/2] locallogin: Grant local_login_t the dac_read_search capability
In-Reply-To: <20171115071015.2168-1-aranea@aixah.de>
References: <20171115071015.2168-1-aranea@aixah.de>
Message-ID: <215c4287-5e50-cbdf-5d03-6722f173f78a@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/15/2017 02:10 AM, Luis Ressel via refpolicy wrote:
> It already has dac_override, and depending on the pam modules being
> used, this may actually be necessary. Due to the 4.13 changes, I'm now
> getting dac_read_search denials.
> --- > policy/modules/system/locallogin.te | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te > index 92679ce36..ff8df49df 100644 > --- a/policy/modules/system/locallogin.te > +++ b/policy/modules/system/locallogin.te > @@ -32,7 +32,7 @@ role system_r types sulogin_t; > # Local login local policy > # > > -allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; > +allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; > dontaudit local_login_t self:capability net_admin; > allow local_login_t self:process { setexec setrlimit setsched }; > allow local_login_t self:fd use;

Merged.

--
Chris PeBenito
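
Review bot: The changed allow rule for local_login_t self:capability keeps dac_override next to the new dac_read_search, so the capability set only grows, and the commit message includes no denial record to judge the addition by. dac_read_search is the narrower of the two capabilities (it bypasses read and directory-search checks only), so if the PAM modules in question only read files, a follow-up could test whether dac_override can be dropped from this set. Please also quote the AVC denial and name the PAM module in the commit message, since "depending on the pam modules being used" leaves no way to reproduce the case later.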