Package: postfix
Version: 3.10.1-1

Dear Maintainer,

the newly hardened (thanks!) service file for postfix limits the
granted Linux capabilities.
The capability CAP_DAC_OVERRIDE is permitted but not
CAP_DAC_READ_SEARCH, which is basically CAP_DAC_OVERRIDE minus write
access.
This affects e.g. SELinux policies where the different postfix
processes run in different domains and by not granting
CAP_DAC_READ_SEARCH they now fall back and require CAP_DAC_OVERRIDE.
So please also permit CAP_DAC_READ_SEARCH in the service file.

Kind regards,
       Christian Göttsche
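
One way to detect the gap this report describes, as an added example that is not part of the original message or of the Debian package: it reads unit-file text and reports when the `[Service]` section permits CAP_DAC_OVERRIDE but not CAP_DAC_READ_SEARCH. It assumes the restriction is expressed with `CapabilityBoundingSet=` and follows the merge rules documented in systemd.exec(5); the function names and the sample unit text are constructed for illustration.

```python
import re

DAC_OVERRIDE = "CAP_DAC_OVERRIDE"
DAC_READ_SEARCH = "CAP_DAC_READ_SEARCH"
WATCHED = frozenset({DAC_OVERRIDE, DAC_READ_SEARCH})

# Constructed sample, not the unit file shipped in the Debian package.
SAMPLE_UNIT = """[Unit]
Description=constructed example
[Service]
CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_SETGID CAP_SETUID
"""
# Constructed drop-in that adds the capability requested in the report.
SAMPLE_DROPIN = "[Service]\nCapabilityBoundingSet=CAP_DAC_READ_SEARCH\n"


def bounding_set_dac_caps(unit_text):
    """Return which of the two DAC capabilities the [Service] section permits."""
    state = None  # None: directive never assigned, so no restriction applies
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1)
            continue
        key, sep, value = line.partition("=")
        if section != "Service" or not sep or key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        invert = value.startswith("~")
        names = value[1:] if invert else value
        listed = set(names.split()) & WATCHED
        if not names.strip():
            # "" resets to the empty set, a bare "~" resets to the full set
            state = set(WATCHED) if invert else set()
        elif invert:
            # deny-list line: AND with the complement of the listed caps
            state = (set(WATCHED) if state is None else state) - listed
        else:
            # allow-list line: OR into what earlier lines permitted
            state = (set() if state is None else state) | listed
    return set(WATCHED) if state is None else state


def forces_dac_override(unit_text):
    """True when DAC bypass for reads is only reachable via CAP_DAC_OVERRIDE."""
    caps = bounding_set_dac_caps(unit_text)
    return DAC_OVERRIDE in caps and DAC_READ_SEARCH not in caps
```

Calling `forces_dac_override(SAMPLE_UNIT)` flags the constructed unit, and the same call on `SAMPLE_UNIT + SAMPLE_DROPIN` does not.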
