From ec9999a499d364c691915cefc2693f5695a64e05 Mon Sep 17 00:00:00 2001
From: Luis Ressel
Date: Wed, 15 Nov 2017 08:10:14 +0100
Subject: [PATCH] locallogin: Grant local_login_t the dac_read_search capability

It already has dac_override, and depending on the pam modules being used, this may actually be neccessary. Due to the 4.13 changes, I'm now getting dac_read_search denials.
---
 policy/modules/system/locallogin.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 92679ce36..ff8df49df 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
 allow local_login_t self:process { setexec setrlimit setsched };
 allow local_login_t self:fd use;
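Review bot: The widened `self:capability` rule for local_login_t has no comment explaining why dac_read_search now sits next to dac_override, so a later least-privilege pass cannot tell which of the two is actually exercised. Granting it should add no effective access, since dac_override already covers the read and search bypass, but the reason is worth recording above the rule, e.g. `# dac_read_search is checked before dac_override on kernels >= 4.13; some PAM modules need it`. If the kernel does try dac_read_search first, as the description implies, a follow-up could check the audit log to see whether local_login_t still triggers dac_override at all, and drop it from the set if it does not. The local policy section continues past the end of this hunk, so other rules that depend on DAC bypass are not visible here.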