Hi there,
I have confined an application with an AA profile and AA has now asked for adding 2 capabilities, namely dac_read_search and dac_override.
I now wonder, does adding these capabilities now override file permissions I made within this AA profile?
For example, there is this rule:
deny /var/spool/ r,
Does adding the capabilities from above override this rule?
Do these capabilities still respect the file permissions in that AA profile?
I just don't fully get why the application asks for those capabilities instead of complaining about missing rw permission to a certain file…