Control: tag -1 + moreinfo

09.03.2025 14:44, Christian Göttsche wrote:
> Package: postfix
> Version: 3.10.1-1
> 
> Dear Maintainer,
> 
> the newly hardened (thanks!) service file for postfix limits the
> granted Linux capabilities.
> The capability CAP_DAC_OVERRIDE is permitted but not
> CAP_DAC_READ_SEARCH, which is basically CAP_DAC_OVERRIDE minus write
> access.
> This affects e.g. SELinux policies where the different postfix
> processes run in different domains and by not granting
> CAP_DAC_READ_SEARCH they now fall back and require CAP_DAC_OVERRIDE.

With my very limited knowledge of SELinux, I don't follow.
Why would it need DAC_READ_SEARCH?  If you can provide an example, it
would be great.

FWIW, in my installations, I remove DAC_OVERRIDE *too*, but this requires
adding an ACL for the pid/ and private/ dirs in the queue_directory, because
the master(8) process (and a few others too) relies on dac_override to access
these dirs as root, and because I don't have other protected files (such
as sql/ldap map configuration) which can only be opened as root.  Sure
thing, such a config can't be shipped generally.

> So please also permit CAP_DAC_READ_SEARCH in the service file.

Thanks,

/mjt
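As an added example (not part of this bug report, the Debian packaging, or the postfix project), the following POSIX shell check parses `CapabilityBoundingSet=` lines from a systemd unit the way systemd merges them (repeated lines accumulate, an empty assignment resets the set and discards earlier lines) and reports the DAC capability pairing discussed above: CAP_DAC_OVERRIDE granted while CAP_DAC_READ_SEARCH is not. The unit fragments are constructed samples, not the actual postfix service file; the deny-list form (`~CAP_X`) is flagged as unsupported rather than interpreted.

```shell
#!/bin/sh
# Added example: check a unit's CapabilityBoundingSet= for the
# CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH pairing. Sample units below are
# CONSTRUCTED and do not reflect the real postfix.service shipped by Debian.

# Constructed sample: the reset line drops the earlier CAP_SYS_ADMIN grant,
# then two lines merge into one set that lacks CAP_DAC_READ_SEARCH.
HARDENED_UNIT='[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN
CapabilityBoundingSet=
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID
CapabilityBoundingSet=CAP_SETUID CAP_KILL
'

# Constructed sample: same unit with the capability the report asks for added.
FIXED_UNIT="$HARDENED_UNIT
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
"

# Print the effective bounding set, sorted and space separated.
# Rules applied: assignments merge; an empty assignment resets the set;
# a leading "~" (deny-list form) is reported as UNSUPPORTED_DENY_LIST.
effective_bounding_set() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*CapabilityBoundingSet[ \t]*=/ {
            sub(/^[ \t]*CapabilityBoundingSet[ \t]*=[ \t]*/, "")
            if ($0 == "") { for (c in caps) delete caps[c]; next }
            if ($0 ~ /^~/) { unsupported = 1; next }
            for (i = 1; i <= NF; i++) caps[toupper($i)] = 1
        }
        END {
            if (unsupported) { print "UNSUPPORTED_DENY_LIST"; exit }
            for (c in caps) print c
        }
    ' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 if capability $2 is in the effective bounding set of unit text $1.
has_cap() {
    case " $(effective_bounding_set "$1") " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-word verdict on the DAC pair for unit text $1:
#   override-without-read-search  (the situation described in the report)
#   both | read-search-only | neither | unsupported
check_dac_caps() {
    case "$(effective_bounding_set "$1")" in
        UNSUPPORTED_DENY_LIST) echo "unsupported"; return 0 ;;
    esac
    if has_cap "$1" CAP_DAC_OVERRIDE && ! has_cap "$1" CAP_DAC_READ_SEARCH; then
        echo "override-without-read-search"
    elif has_cap "$1" CAP_DAC_READ_SEARCH && ! has_cap "$1" CAP_DAC_OVERRIDE; then
        echo "read-search-only"
    elif has_cap "$1" CAP_DAC_OVERRIDE; then
        echo "both"
    else
        echo "neither"
    fi
}

echo "hardened sample: $(check_dac_caps "$HARDENED_UNIT")"
echo "fixed sample:    $(check_dac_caps "$FIXED_UNIT")"
```

On a running host the same question can be asked of the live unit with `systemctl show -p CapabilityBoundingSet <unit>` (the unit name `postfix.service` is an assumption here, not stated on the page); the parser above is for reviewing unit files and drop-ins before they are deployed.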
