On Thursday, 3 January 2019 4:16:14 PM AEDT Jason Zaman wrote:
> > > -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> > > +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> >
> > Since you're getting the dac_read_search denial, the dac_override probably isn't necessary anymore. Can you retest without it?
>
> No, consolekit definitely needs dac_override. It needs to be able to nuke /run/user/1000/*. It perhaps doesn't need to read, only nuke, but I'd say grant the perm instead of dontaudit; it makes things easier if doing semodule -DB.

Thanks for that comment. As an aside, we might consider a policy of having all capabilities documented in future. For the existing policy it's going to be an unpleasant task to comment things. But for greenfields stuff I think it makes sense to require it.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
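Review bot: the `+allow consolekit_t self:capability { ... dac_override dac_read_search ... };` line grants two overlapping DAC-bypass capabilities with no comment recording why each is needed, which is exactly the question the review raises. Since the thread establishes that dac_override is kept for removing files under /run/user/1000/ and dac_read_search for the denial observed, a one-line comment above the rule stating that (e.g. `# dac_override: remove session files under /run/user/<uid>; dac_read_search: observed denial`) would let the next reader answer "can we drop dac_override?" without retesting.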
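The two practical points in the thread, checking whether an AVC capability denial is already covered by a domain's `self:capability` rule and flagging capability rules that carry no explanatory comment, can both be mechanised. The following is an added example and not code from the refpolicy project or from anyone in the thread; the policy snippet and the AVC log lines are constructed for illustration, and the `xdm_t` rule, the `sys_resource` denial and the audit record values are assumptions, not real policy or real denials.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed refpolicy-style snippet (not the real consolekit.te): one rule
# that carries a comment and one that does not, to exercise the lint below.
POLICY_TE = """\
# chown/fowner: fix up ownership of the session runtime directory
allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };

allow consolekit_t self:process { signal setsched };
allow xdm_t self:capability { chown fowner };
"""

# Constructed audit.log AVC records (pids, inodes and timestamps are made up).
AVC_LOG = """\
type=AVC msg=audit(1546483000.123:456): avc:  denied  { dac_read_search } for  pid=1234 comm="console-kit-dae" capability=2  scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:system_r:consolekit_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1546483001.456:457): avc:  denied  { sys_resource } for  pid=1234 comm="console-kit-dae" capability=24  scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:system_r:consolekit_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1546483002.789:458): avc:  denied  { unlink } for  pid=1234 comm="console-kit-dae" name="bus" dev="tmpfs" ino=42 scontext=system_u:system_r:consolekit_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=sock_file permissive=0
"""

# `allow <domain> self:capability { perm perm ... };`
ALLOW_RE = re.compile(r'^allow\s+(\w+)\s+self:capability\s+\{([^}]*)\};')
# Pull the denied permission set, the source domain and the object class.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*([^}]+?)\s*\}.*?scontext=\w+:\w+:(\w+):.*?tclass=(\w+)')


def parse_capability_rules(te: str) -> Dict[str, Set[str]]:
    """Map each domain to the capabilities its self:capability rules grant."""
    caps: Dict[str, Set[str]] = {}
    for line in te.splitlines():
        m = ALLOW_RE.match(line.strip())
        if m:
            caps.setdefault(m.group(1), set()).update(m.group(2).split())
    return caps


def undocumented_capability_rules(te: str) -> List[str]:
    """Domains whose self:capability rule is not immediately preceded by a '#' comment."""
    lines = te.splitlines()
    flagged: List[str] = []
    for i, line in enumerate(lines):
        m = ALLOW_RE.match(line.strip())
        if m and not (i > 0 and lines[i - 1].lstrip().startswith('#')):
            flagged.append(m.group(1))
    return flagged


def uncovered_capability_denials(log: str, te: str) -> List[Tuple[str, str]]:
    """(domain, capability) pairs denied in the log but absent from the policy."""
    granted = parse_capability_rules(te)
    out: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group(3) != 'capability':   # only capability-class denials
            continue
        perms, domain = m.group(1).split(), m.group(2)
        for perm in perms:
            if perm not in granted.get(domain, set()):
                out.append((domain, perm))
    return out


if __name__ == '__main__':
    for domain in undocumented_capability_rules(POLICY_TE):
        print(f'{domain}: self:capability rule has no comment explaining the grants')
    for domain, perm in uncovered_capability_denials(AVC_LOG, POLICY_TE):
        print(f'{domain}: denied capability {perm} is not granted by the policy')
```

Run against the constructed input, the script reports the `xdm_t` rule as undocumented and `sys_resource` as a denied capability the `consolekit_t` rule does not grant, while the `dac_read_search` denial is recognised as already covered by the new rule. Only `tclass=capability` records are considered, so file-class denials such as the `unlink` on a sock_file are not mistaken for missing capabilities.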