From f4706daf3b853ea4470c13f576ffd53a9db55100 Mon Sep 17 00:00:00 2001
From: Guido Trentalancia
Date: Fri, 28 Apr 2017 01:45:33 +0200
Subject: [PATCH] locallogin: fine tune DAC override permissions

Improve the locallogin module by curbing on dac_override permissions in the sulogin domain (read/search permissions only). Thanks to Dominick Grift for suggesting this. Other modules are likely affected by the same issue.

Signed-off-by: Guido Trentalancia
---
 policy/modules/system/locallogin.te | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 0a114c0c7..2b5e96e1b 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -216,7 +216,8 @@ optional_policy(`
 # Sulogin local policy
 #
 
-allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
+dontaudit sulogin_t self:capability dac_override;
+allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
 allow sulogin_t self:process setexec;
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_fifo_file_perms;
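Review bot: The added `dontaudit sulogin_t self:capability dac_override;` has no comment explaining why it sits next to the dac_read_search grant, so a later maintainer may read it either as hiding a real need or as dead noise to delete. The reason, as far as I can tell from the kernel's permission path, is that CAP_DAC_OVERRIDE is tried before CAP_DAC_READ_SEARCH on a read of a DAC-protected regular file, so without the dontaudit every such read by sulogin logs a benign dac_override denial even though the access then succeeds via dac_read_search. The flip side is that the same dontaudit also swallows any genuine dac_override denial (for instance a write to a file sulogin lacks DAC permission on), which would then fail without an AVC message until dontaudit rules are disabled with `semodule -DB`. Suggest the comment `# dac_override is checked before dac_read_search; silence the expected read-path noise` directly above the dontaudit line so both the purpose and the diagnostic cost are recorded in the policy.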