Hi SELinux list,
Some weeks ago, a patch was introduced that swaps the hooks for the dac_override / dac_read_search capabilities. This allows us to remove some unnecessary dac_override rules and tighten security in Fedora.
In Fedora, every domain with the dac_override capability also has the dac_read_search capability, to fix AVCs.
The workflow for removing the unnecessary ones is quite simple. I created a scratch build with no dac_override capability. Right now, I'm trying to use this build on Rawhide and collecting AVCs. After fixing the AVCs I collected, I'll try to push it to Fedora Rawhide builds (after discussion with Adam Williamson and the Fedora devel list).
If you're interested, feel free to help me with collecting AVCs. Here is the link to the scratch builds: https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-dac/
Thanks, Lukas.
selinux@lists.fedoraproject.org
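Added example, not code from this mail or from the selinux-policy project: a small Python helper for the AVC-collecting step described above. It reads audit lines of the kind `ausearch -m AVC` prints, keeps only the `tclass=capability` denials, groups them by source domain, and separates the domains that were still denied dac_override from those that only hit dac_read_search (the cheaper capability that, per the mail, every Fedora domain with dac_override already has). The audit lines, the domains `foo_t`/`bar_t`/`baz_t` and the `comm` values are constructed for the example; the suggested allow rules are a starting point for the policy fix, not a replacement for reviewing each domain.

```python
import re
from collections import defaultdict

# Constructed sample audit output (not real Fedora AVCs). foo_t is denied
# dac_override twice, baz_t once (in permissive mode), bar_t only hits
# dac_read_search, and the last line is a file denial that must be ignored.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1500000000.001:101): avc:  denied  { dac_override } for  pid=1234 comm="fooserver" capability=1  scontext=system_u:system_r:foo_t:s0 tcontext=system_u:system_r:foo_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1500000000.002:102): avc:  denied  { dac_read_search } for  pid=1235 comm="barhelper" capability=2  scontext=system_u:system_r:bar_t:s0 tcontext=system_u:system_r:bar_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1500000000.003:103): avc:  denied  { dac_override } for  pid=1234 comm="fooserver" capability=1  scontext=system_u:system_r:foo_t:s0 tcontext=system_u:system_r:foo_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1500000000.004:104): avc:  denied  { dac_override } for  pid=1236 comm="bazd" capability=1  scontext=system_u:system_r:baz_t:s0 tcontext=system_u:system_r:baz_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1500000000.005:105): avc:  denied  { read } for  pid=1237 comm="cat" name="shadow" dev="dm-0" ino=42 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# Matches the fields we need from one AVC line: the permission set inside
# the braces, the source context, and the target class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_capability_denials(audit_text):
    """Return {source_type: set(capability permissions)} for tclass=capability denials.

    Denials in permissive mode are kept on purpose: a permissive domain on a
    test box still shows which capability the code path asked for.
    """
    denials = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "capability":
            continue
        # scontext is user:role:type:level; the domain type is the third field
        src_type = m.group("scontext").split(":")[2]
        denials[src_type].update(m.group("perms").split())
    return dict(denials)


def classify(denials):
    """Split domains into (still need dac_override, only needed dac_read_search)."""
    needs_override = sorted(d for d, p in denials.items() if "dac_override" in p)
    read_search_only = sorted(
        d for d, p in denials.items()
        if "dac_override" not in p and "dac_read_search" in p
    )
    return needs_override, read_search_only


def allow_rules(denials):
    """Render one policy-language allow rule per domain, permissions sorted."""
    return [
        f"allow {dom} self:capability {{ {' '.join(sorted(perms))} }};"
        for dom, perms in sorted(denials.items())
    ]


if __name__ == "__main__":
    # On a real box: ausearch -m AVC -ts today | python3 this_script.py
    found = parse_capability_denials(SAMPLE_AUDIT)
    override, read_search = classify(found)
    print("still need dac_override:", ", ".join(override))
    print("dac_read_search was enough:", ", ".join(read_search))
    for rule in allow_rules(found):
        print(rule)
```

Feed real output in with `ausearch -m AVC -ts today` piped into `parse_capability_denials`; domains that show up only under dac_read_search are the candidates whose dac_override rule can go, while a dac_override denial means the domain actually writes past DAC and needs the rule kept.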