[HEADS UP] Removing unnecessary dac_override capability in SELinux modules

Hi Everybody,

I'll push builds with an updated SELinux security policy into Rawhide soon. This build will remove the unnecessary dac_override capability in domains where it's not needed. Because of this change, we're able to remove a lot of unnecessary rules allowing dac_override, which means tightened security in the whole of Fedora from an SELinux POV.

This change will be part of the build: selinux-policy-3.13.1-288.fc28.noarch

Tracker bug is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1494520

This may result in some AVCs related to the missing DAC_OVERRIDE capability. Feel free to create a Bugzilla or add AVCs to this issue on GitHub:
https://github.com/fedora-selinux/selinux-policy/issues/200

I'll be lurking around Fedora Rawhide bugs very often, and I'm ready to fix all these bugs ASAP, also with new builds.
Feel free to use selinux-policy nightly builds to get fixes ASAP:
https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-nightly/

Thanks,
Lukas.

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
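
Added example, not part of the original message or of the selinux-policy project: one way to pull the dac_override AVC denials mentioned above out of audit log text and group them by source domain and command before attaching them to a bug report. The log lines, domain names (`example_t`, `other_t`) and command names are constructed samples.

```python
import re
from collections import Counter

# Constructed audit records for illustration; not taken from a real system.
SAMPLE_LOG = """\
type=AVC msg=audit(1507641234.123:456): avc:  denied  { dac_override } for  pid=1234 comm="exampled" capability=1  scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1507641234.200:457): avc:  denied  { read } for  pid=1234 comm="exampled" name="data" dev="dm-0" ino=12345 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1507641234.200:457): arch=c000003e syscall=2 success=no exit=-13 comm="exampled"
type=AVC msg=audit(1507641240.001:460): avc:  denied  { dac_override } for  pid=1234 comm="exampled" capability=1  scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1507641250.010:470): avc:  denied  { dac_read_search } for  pid=2222 comm="otherd" capability=2  scontext=system_u:system_r:other_t:s0 tcontext=system_u:system_r:other_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1507641251.020:471): avc:  denied  { dac_override } for  pid=2222 comm="otherd" capability=1  scontext=system_u:system_r:other_t:s0 tcontext=system_u:system_r:other_t:s0 tclass=capability permissive=1
"""

# Header of an AVC denial: timestamp, serial, permission set, then key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    return rec


def dac_override_denials(log_text):
    """Keep only denials of dac_override on a capability class."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if (rec and 'dac_override' in rec['perms']
                and rec.get('tclass') in ('capability', 'cap_userns')):
            hits.append(rec)
    return hits


def summarize(denials):
    """Count denials per (source domain type, command name)."""
    return Counter((r['scontext'].split(':')[2], r.get('comm', '?'))
                   for r in denials)


if __name__ == '__main__':
    for (domain, comm), n in summarize(dac_override_denials(SAMPLE_LOG)).items():
        print(f'{domain}\t{comm}\t{n}')
```
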