(→Scope) |
|||
Line 23: | Line 23: | ||
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | <!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name. This keeps all change proposals in the same namespace --> | ||
= | = SELinux policy dac_override clean up = | ||
== Summary == | == Summary == | ||
This change removes dac_override capabilities which are no longer needed for selected SELinux domain. | |||
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. --> | <!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. --> | ||
Line 33: | Line 35: | ||
This should link to your home wiki page so we know who you are. | This should link to your home wiki page so we know who you are. | ||
--> | --> | ||
* Name: [[User: | * Name: [[User:mgrepl| Miroslav Grepl]] | ||
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | <!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | ||
* Email: | * Email: mgrepl@redhat.com | ||
* Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> --> | * Release notes owner: <!--- To be assigned by docs team [[User:FASAccountName| Release notes owner name]] <email address> --> | ||
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | <!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo) | ||
Line 46: | Line 48: | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/ | * Targeted release: [[Releases/23 | Fedora 23 ]] | ||
* Last updated: | * Last updated: 2015-05-26 | ||
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | <!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | ||
Bugzilla states meaning as usual: | Bugzilla states meaning as usual: | ||
Line 60: | Line 62: | ||
== Detailed Description == | == Detailed Description == | ||
Currently, we have a large number of dac_override capabilities in Fedora SELinux policy | |||
$ sesearch -A -p dac_override -C |grep -v ^DT |wc -l | |||
387 | |||
and most of them are no longer needed. dac_override is very powerful capability which allows a process to ignore Discretionary Access Controls including access lists. | |||
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | <!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. --> | ||
== Benefit to Fedora == | == Benefit to Fedora == | ||
The major benefit to Fedora is increased security. Since, no process will be allowed to read files/directories with a different ownership in the defined SELinux namespace. Meaning, if you are running a service which is exploited and has wide SELinux rules, you won't be allowed to pass DAC check. | |||
<!-- What is the benefit to the platform? If this is a major capability update, what has changed? If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?--> | <!-- What is the benefit to the platform? If this is a major capability update, what has changed? If this is a new functionality, what capabilities does it bring? Why will Fedora become a better distribution or project because of this proposal?--> | ||
Line 76: | Line 83: | ||
* Release engineering: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Release engineering: N/A (not a System Wide Change) <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Does this feature require coordination with release engineering (e.g. | <!-- Does this feature require coordination with release engineering (e.g. changs to installer image generation or update package delivery)? Is a mass rebuid required? If a rel-eng ticket exists, add a link here. | ||
Please work with releng prior to feature submission, and ensure that someone is on board to do any process development work and testing; don't just assume that a bullet point in a change puts someone else on the hook --> | Please work with releng prior to feature submission, and ensure that someone is on board to do any process development work and testing; don't just assume that a bullet point in a change puts someone else on the hook --> | ||
Revision as of 12:50, 26 May 2015
SELinux policy dac_override clean up
Summary
This change removes dac_override capabilities which are no longer needed for selected SELinux domain.
Owner
- Name: Miroslav Grepl
- Email: mgrepl@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 23
- Last updated: 2015-05-26
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Currently, we have a large number of dac_override capabilities in Fedora SELinux policy
$ sesearch -A -p dac_override -C |grep -v ^DT |wc -l 387
and most of them are no longer needed. dac_override is very powerful capability which allows a process to ignore Discretionary Access Controls including access lists.
Benefit to Fedora
The major benefit to Fedora is increased security. Since, no process will be allowed to read files/directories with a different ownership in the defined SELinux namespace. Meaning, if you are running a service which is exploited and has wide SELinux rules, you won't be allowed to pass DAC check.
Scope
- Proposal owners:
- Other developers: N/A (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
N/A (not a System Wide Change)
How To Test
N/A (not a System Wide Change)
User Experience
N/A (not a System Wide Change)
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)