From: cgzones@googlemail.com (cgzones)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] dac_override question
Date: Thu, 29 Dec 2016 12:49:58 +0100
Message-ID: <CAJ2a_DfBZ9opOV8yWByd-n+oA81i4d2oNVnHLacDwkFsy9mPmQ@mail.gmail.com>

Hi,
I am encountering a problem regarding the dac_override capability.

I am running monit (a process monitoring tool), which needs to monitor
exim4 and read its pidfile: /run/exim4/exim.pid.
The directory /run/exim4 is owned by Debian-exim:Debian-exim with mode
0750, and since monit runs as root I granted: allow monit_t
self:capability dac_read_search;
But I am still getting dac_override denials; why?
I do not want to dontaudit dac_override, because maybe in the future
monit might really need the capability and I would miss it.

type=PROCTITLE msg=audit(12/29/16 12:26:00.849:42386) :
proctitle=/usr/bin/monit -c /etc/monit/monitrc
type=PATH msg=audit(12/29/16 12:26:00.849:42386) : item=0
name=/run/exim4/exim.pid inode=68815 dev=00:13 mode=file,644 ouid=root
ogid=Debian-exim rdev=00:00 obj=system_u:object_r:exim_run_t:s0
nametype=NORMAL
type=CWD msg=audit(12/29/16 12:26:00.849:42386) : cwd=/
type=SYSCALL msg=audit(12/29/16 12:26:00.849:42386) : arch=armeb
syscall=stat64 per=PER_LINUX_32BIT success=yes exit=0 a0=0x207bcf8
a1=0x7ef258e0 a2=0x7ef25950 a3=0x3 items=1 ppid=1 pid=393 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=unset comm=monit exe=/usr/bin/monit
subj=system_u:system_r:monit_t:s0 key=(null)
type=AVC msg=audit(12/29/16 12:26:00.849:42386) : avc:  denied  {
dac_override } for  pid=393 comm=monit capability=dac_override
scontext=system_u:system_r:monit_t:s0
tcontext=system_u:system_r:monit_t:s0 tclass=capability permissive=0

Kernel version:
Linux raspberrypi 4.9.0-v7+ #1 SMP Thu Dec 15 17:58:19 CET 2016 armv7l GNU/Linux
https://github.com/raspberrypi/linux/tree/rpi-4.9.y

Kind regards,
     Christian Göttsche
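A small audit triage helper, added here and not part of the thread: it parses the PATH, SYSCALL and AVC records quoted in the message (re-joined onto one line each), groups them by audit event id, and reports the denied capability beside the syscall, target path, owner and mode, whether the syscall nonetheless succeeded, and the narrowest DAC-bypass capability for that access according to capabilities(7). The set of read-only syscalls is my own assumption, not something from the post.

```python
import re
from collections import defaultdict

# Constructed input: the PATH, SYSCALL and AVC records of the audit event quoted
# in the post (ausearch -i style), re-joined onto one line per record.
AUDIT_LOG = """\
type=PATH msg=audit(12/29/16 12:26:00.849:42386) : item=0 name=/run/exim4/exim.pid inode=68815 dev=00:13 mode=file,644 ouid=root ogid=Debian-exim rdev=00:00 obj=system_u:object_r:exim_run_t:s0 nametype=NORMAL
type=SYSCALL msg=audit(12/29/16 12:26:00.849:42386) : arch=armeb syscall=stat64 per=PER_LINUX_32BIT success=yes exit=0 a0=0x207bcf8 a1=0x7ef258e0 a2=0x7ef25950 a3=0x3 items=1 ppid=1 pid=393 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=monit exe=/usr/bin/monit subj=system_u:system_r:monit_t:s0 key=(null)
type=AVC msg=audit(12/29/16 12:26:00.849:42386) : avc:  denied  { dac_override } for  pid=393 comm=monit capability=dac_override scontext=system_u:system_r:monit_t:s0 tcontext=system_u:system_r:monit_t:s0 tclass=capability permissive=0
"""
# Assumed set of metadata/read-only lookups: per capabilities(7) the narrowest
# DAC bypass covering them is dac_read_search; dac_override also covers writes.
READ_ONLY_SYSCALLS = {"stat", "stat64", "lstat", "lstat64", "fstatat64",
                      "newfstatat", "access", "readlink", "getdents64"}
EVENT_RE = re.compile(r"msg=audit\(([^)]*)\)")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_events(text):
    """Group records by audit event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            fields = dict(KV_RE.findall(line))
            events[m.group(1)][fields["type"]] = fields
    return events

def triage_capability_denials(events):
    """Join each capability AVC with the SYSCALL and PATH records of its event."""
    findings = []
    for eid, recs in events.items():
        avc = recs.get("AVC")
        if not avc or avc.get("tclass") != "capability":
            continue
        sc, path = recs.get("SYSCALL", {}), recs.get("PATH", {})
        syscall = sc.get("syscall", "?")
        findings.append({
            "event": eid, "comm": avc.get("comm"),
            "capability": avc.get("capability"),
            "syscall": syscall,
            "path": path.get("name"),
            "owner": f"{path.get('ouid')}:{path.get('ogid')}",
            "mode": path.get("mode", "?").split(",")[-1],
            # success=yes beside a denial: the kernel tried a broader
            # capability first, then got through on one the domain holds.
            "succeeded_anyway": sc.get("success") == "yes",
            "least_capability": ("dac_read_search" if syscall in READ_ONLY_SYSCALLS
                                 else "dac_override"),
        })
    return findings
```

On the quoted event it reports succeeded_anyway=True and least_capability=dac_read_search: the stat64 went through despite the dac_override denial, which is the signal to look at before granting the broader capability.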
