Hi there,

I have confined an application with an AA profile and AA has now asked for adding 2 capabilities, namely dac_read_search and dac_override.
I now wonder, does adding these capabilties now override file permissions I made within this AA profile?

For example, there is this rule:

deny /var/spool/ r,

Does adding the capabilities from above override this rule?

Do these capabilities still respect the file permissions in that AA profile?
I just don´t fully get it, why the application asks for that capabilities instead of complaining about missing rw permission to a certain file....