From: cgzones@googlemail.com (=?UTF-8?q?Christian=20G=C3=B6ttsche?=)
Date: Mon, 1 Jan 2018 12:22:30 +0100
Subject: [refpolicy] [PATCH 2/2] dkim: update
In-Reply-To: <20180101112230.15168-1-cgzones@googlemail.com>
References: <20180101112230.15168-1-cgzones@googlemail.com>
Message-ID: <20180101112230.15168-2-cgzones@googlemail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
---
 dkim.te | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/dkim.te b/dkim.te
index 4ddefbf8..29880efb 100644
--- a/dkim.te
+++ b/dkim.te
@@ -23,23 +23,24 @@ init_daemon_pid_file(dkim_milter_data_t, dir, "opendkim")
 # Local policy
 #
-allow dkim_milter_t self:capability { dac_override setgid setuid };
+allow dkim_milter_t self:capability { dac_read_search dac_override setgid setuid };
 allow dkim_milter_t self:process { signal signull };
 allow dkim_milter_t self:unix_stream_socket create_stream_socket_perms;
 read_files_pattern(dkim_milter_t, dkim_milter_private_key_t, dkim_milter_private_key_t)
+# /proc/sys/kernel/ngroups_max
 kernel_read_kernel_sysctls(dkim_milter_t)
 kernel_read_vm_overcommit_sysctl(dkim_milter_t)
 corenet_udp_bind_generic_node(dkim_milter_t)
 corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
-corenet_dontaudit_udp_bind_all_ports(dkim_milter_t)
 dev_read_urand(dkim_milter_t)
 # for cpu/online
 dev_read_sysfs(dkim_milter_t)
+files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, { dir file })
 files_read_usr_files(dkim_milter_t)
 files_search_spool(dkim_milter_t)
--
2.15.1
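Review bot: The capability line now grants `dac_read_search` on top of `dac_override`, but nothing in the hunk says which access needs either one, and `dac_override` also bypasses DAC write checks, which looks like more than a daemon that reads its key files (the `read_files_pattern` rule further down) should need. If the denials behind this change were only for read or search access, the narrower `allow dkim_milter_t self:capability { dac_read_search setgid setuid };` is worth testing; otherwise a comment in the style of the added `# /proc/sys/kernel/ngroups_max` line, naming the path that requires the override, would justify keeping it. The new `files_pid_filetrans(dkim_milter_t, dkim_milter_data_t, { dir file })` has no name argument, so every file or directory the domain creates in the pid directory is labelled `dkim_milter_data_t`. The rules that let the domain manage that type are not in this hunk, so confirm they exist and that every other domain allowed to reach `dkim_milter_data_t` is meant to see the pid file as well. The local policy section continues past the end of the hunk.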