The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "edit" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.
SELinux policy dac_override clean up
Summary
This change removes dac_override capabilities which are no longer needed for selected SELinux domain.
Owner
- Name: Miroslav Grepl
- Email: mgrepl@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 23
- Last updated: 2015-05-26
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Currently, we have a large number of dac_override capabilities in Fedora SELinux policy
$ sesearch -A -p dac_override -C |grep -v ^DT |wc -l 387
and most of them are no longer needed. dac_override is very powerful capability which allows a process to ignore Discretionary Access Controls including access lists.
Benefit to Fedora
The major benefit to Fedora is increased security. Since, no process will be allowed to read files/directories with a different ownership in the defined SELinux namespace. Meaning, if you are running a service which is exploited and has wide SELinux rules, you won't be allowed to pass DAC check.
Scope
- Proposal owners:
- Other developers: N/A (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
N/A (not a System Wide Change)
How To Test
N/A (not a System Wide Change)
User Experience
N/A (not a System Wide Change)
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)