< Changes
The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "edit" link.
Copy the source to a new page before making changes! DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.
SELinux policy dac_override clean up
Summary
This change removes dac_override capabilities which are no longer needed for selected SELinux domain.
Owner
- Name: Miroslav Grepl
- Email: mgrepl@redhat.com
- Release notes owner:
Current status
- Targeted release: Fedora 23
- Last updated: 2015-05-26
- Tracker bug: <will be assigned by the Wrangler>
Detailed Description
Currently, we have a large number of dac_override capabilities in Fedora SELinux policy
$ sesearch -A -p dac_override -C |grep -v ^DT |wc -l 387
and most of them are no longer needed. dac_override is very powerful capability which allows a process to ignore Discretionary Access Controls including access lists.
Benefit to Fedora
The major benefit to Fedora is increased security. Since, no process will be allowed to read files/directories with a different ownership in the defined SELinux namespace. Meaning, if you are running a service which is exploited and has wide SELinux rules, you won't be allowed to pass DAC check.
Scope
- Proposal owners:
- Other developers: N/A (not a System Wide Change)
- Release engineering: N/A (not a System Wide Change)
- Policies and guidelines: N/A (not a System Wide Change)
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
N/A (not a System Wide Change)
How To Test
N/A (not a System Wide Change)
User Experience
N/A (not a System Wide Change)
Dependencies
N/A (not a System Wide Change)
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
- Contingency deadline: N/A (not a System Wide Change)
- Blocks release? N/A (not a System Wide Change), Yes/No
- Blocks product? product
Documentation
N/A (not a System Wide Change)