Removing unnecessary dac_override capability

Hi SELinux list,

Some weeks ago, a patch was introduced that swaps the hooks for the dac_override / dac_read_search capabilities. This allows us to remove some unnecessary dac_override rules and tighten security in Fedora.

In Fedora, every domain with the dac_override capability also has the dac_read_search capability to fix AVCs.

The workflow for removing the unnecessary ones is quite simple. I created a scratch build with no dac_override capability. Right now, I'm trying to use this build on Rawhide and collecting AVCs. After fixing the AVCs collected by me, I'll try to push it to Fedora Rawhide builds (after discussion with Adam Williamson and the Fedora devel list).

If you're interested, feel free to help me with collecting AVCs. Here is the link with scratch builds:
https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-dac/

Thanks,
Lukas.

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
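
The AVC collection step described in the message above, as an added example that is not part of the original post: a Python script that filters audit records for dac_override / dac_read_search denials and groups them by source domain, so a tester can see which domains still request each capability. The log lines, domain names and command names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the original message).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1500000000.101:201): avc:  denied  { dac_override } for  pid=811 comm="exampled" capability=1  scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:system_r:exampled_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1500000000.102:202): avc:  denied  { dac_read_search } for  pid=811 comm="exampled" capability=2  scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:system_r:exampled_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1500000000.103:203): avc:  denied  { read } for  pid=900 comm="other" name="conf" dev="dm-0" ino=42 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1500000000.104:204): avc:  denied  { dac_override } for  pid=950 comm="helper" capability=1  scontext=system_u:system_r:helper_t:s0-s0:c0.c1023 tcontext=system_u:system_r:helper_t:s0-s0:c0.c1023 tclass=cap_userns permissive=0
type=SYSCALL msg=audit(1500000000.104:204): arch=c000003e syscall=2 success=no exit=-13 comm="helper"
"""

DAC_PERMS = {"dac_override", "dac_read_search"}
CAP_CLASSES = {"capability", "cap_userns"}  # classes that carry these permissions

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def dac_denials(log_text):
    """Return {(domain, tclass, perm): {comm, ...}} for DAC capability denials."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if not m or m["tclass"] not in CAP_CLASSES:
            continue  # file, socket, ... denials are out of scope here
        # The context is user:role:type[:mls]; the type is the domain.
        domain = m["scontext"].split(":")[2]
        for perm in DAC_PERMS & set(m["perms"].split()):
            found[(domain, m["tclass"], perm)].add(m["comm"])
    return dict(found)

def report(denials):
    """One line per (domain, class, permission), sorted for stable output."""
    return [
        f"{domain} self:{tclass} {perm}  (comm: {', '.join(sorted(comms))})"
        for (domain, tclass, perm), comms in sorted(denials.items())
    ]

if __name__ == "__main__":
    print("\n".join(report(dac_denials(SAMPLE_AUDIT_LOG))))
```

On a test machine the input would be the real audit records (for example the output of `ausearch -m AVC`) in place of the constructed sample.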