[HEADS UP] Removing unnecessary dac_override capability in SELinux modules

Hi Everybody,

I'll push builds with an updated SELinux security policy into Rawhide soon. This build will remove the unnecessary dac_override capability in domains where it's not needed. Because of this change, we're able to remove a lot of unnecessary rules allowing dac_override, which means tightened security in the whole of Fedora from the SELinux POV.

This change will be part of build: selinux-policy-3.13.1-288.fc28.noarch

Tracker bug is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1494520

This may result in some AVCs related to the missing DAC_OVERRIDE capability. Feel free to create a Bugzilla or add AVCs to this issue on GitHub:
https://github.com/fedora-selinux/selinux-policy/issues/200

I'll be lurking around Fedora Rawhide bugs very often, and I'm ready to fix all these bugs ASAP, also with new builds.
Feel free to use selinux-policy nightly builds to get fixes ASAP:
https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-nightly/

Thanks,
Lukas.

--
Lukas Vrabec
Software Engineer, Security Technologies
Red Hat, Inc.
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
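
An added example, not part of the original message or the selinux-policy project: one way to pull dac_override denials out of audit log text and group them by source domain before attaching them to a report. The log lines, domain names and the function name `dac_override_denials` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from a real system).
SAMPLE_LOG = """\
type=AVC msg=audit(1506500000.123:456): avc:  denied  { dac_override } for  pid=1234 comm="exampled" capability=1  scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:system_r:exampled_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1506500001.200:457): avc:  denied  { dac_read_search dac_override } for  pid=1240 comm="helper" capability=1  scontext=system_u:system_r:exampled_t:s0 tcontext=system_u:system_r:exampled_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1506500002.300:458): avc:  denied  { dac_read_search } for  pid=1300 comm="reader" capability=2  scontext=system_u:system_r:reader_t:s0 tcontext=system_u:system_r:reader_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1506500003.400:459): avc:  denied  { read } for  pid=1400 comm="otherd" name="data" dev="dm-0" ino=42 scontext=system_u:system_r:otherd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=AVC msg=audit(1506500004.500:460): avc:  denied  { dac_override } for  pid=1400 comm="otherd" capability=1  scontext=system_u:system_r:otherd_t:s0 tcontext=system_u:system_r:otherd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1506500004.500:460): arch=c000003e syscall=2 success=yes exit=3 comm="otherd"
"""

# Permission list between the braces, then the key=value fields after "for".
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def dac_override_denials(log_text):
    """Return {source_domain: sorted comm names} for dac_override denials."""
    by_domain = defaultdict(set)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC denial record
        if 'dac_override' not in match.group('perms').split():
            continue  # some other permission, e.g. dac_read_search alone
        fields = {k: v.strip('"') for k, v in KV_RE.findall(match.group('rest'))}
        if fields.get('tclass') not in ('capability', 'cap_userns'):
            continue
        # scontext is user:role:type:level; the type is the process domain.
        parts = fields.get('scontext', '').split(':')
        if len(parts) < 3:
            continue  # malformed context, skip rather than guess
        by_domain[parts[2]].add(fields.get('comm', '?'))
    return {domain: sorted(comms) for domain, comms in by_domain.items()}


if __name__ == '__main__':
    for domain, comms in sorted(dac_override_denials(SAMPLE_LOG).items()):
        print(f'{domain}: {", ".join(comms)}')
```

Denials logged with `permissive=1` are included as well, since they show which domains would be blocked once enforcing.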