> On Jul 17, 2018, at 11:54, Dusan Obradovic <[email protected]> wrote:
>
> Systemd unit file from epel has some interesting security settings.
>
> /usr/lib/systemd/system/amavisd.service:
>
> #the bounding set is reset to the empty capability set
> CapabilityBoundingSet=
>
> #mounts /usr /boot /etc directories read-only for processes invoked by this unit
> ProtectSystem=full

You're a lifesaver, I never would have thought about this. Solved using the following changes:

$ systemctl edit amavisd
[Service]
CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_AUDIT_WRITE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE

$ systemctl restart amavisd

Thank you very much.
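
Added example, not part of the original messages: one way to confirm after the restart that the running amavisd process really has the bounding set from the override, by decoding the CapBnd mask from /proc/PID/status. The function names are hypothetical, the status line is a constructed sample, and the bit numbers are those of linux/capability.h.

```shell
#!/bin/sh
# Capability names by bit number (linux/capability.h), CAP_ prefix omitted.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE"

# Read /proc/PID/status text on stdin, print the CapBnd hex mask.
capbnd_of_status() { awk '/^CapBnd:/ {print $2}'; }

# Decode a CapBnd hex mask into CAP_* names, lowest bit first.
decode_capbnd() {
    mask=$((0x$1)); bit=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then out="$out CAP_$name"; fi
        bit=$((bit + 1))
    done
    echo $out
}

# Print the names in list $1 that do not appear in list $2.
missing_from() {
    out=""
    for c in $1; do
        case " $2 " in *" $c "*) ;; *) out="$out $c" ;; esac
    done
    echo $out
}

# Compare a CapabilityBoundingSet= value ($1) with a CapBnd mask ($2).
compare_bounding_set() {
    effective=$(decode_capbnd "$2")
    lacking=$(missing_from "$1" "$effective")
    extra=$(missing_from "$effective" "$1")
    if [ -z "$lacking" ] && [ -z "$extra" ]; then echo "match"; return 0; fi
    echo "configured but not effective: ${lacking:-none}; effective but not configured: ${extra:-none}"
    return 1
}

# Value from the override in this thread.
OVERRIDE='CAP_SETGID CAP_SETUID CAP_AUDIT_WRITE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE'
# Constructed sample line; on a live host read it from
# /proc/$(systemctl show -p MainPID amavisd | cut -d= -f2)/status
SAMPLE_STATUS='CapBnd: 00000000210000c2'
compare_bounding_set "$OVERRIDE" "$(echo "$SAMPLE_STATUS" | capbnd_of_status)"
```

An all-zero mask corresponds to the empty `CapabilityBoundingSet=` of the packaged unit, and the comparison then lists all five capabilities as configured but not effective.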
