Hi Everybody,
I'll push builds with an updated SELinux security policy into Rawhide soon. This build will remove the unnecessary dac_override capability in domains where it's not needed. Because of this change, we're able to remove a lot of unnecessary rules allowing dac_override, which means tightened security in the whole of Fedora from the SELinux POV.
This change will be part of build: selinux-policy-3.13.1-288.fc28.noarch
Tracker bug is here: https://bugzilla.redhat.com/show_bug.cgi?id=1494520
This may result in some AVCs related to the missing DAC_OVERRIDE capability. Feel free to create a Bugzilla or add AVCs to this issue on GitHub: https://github.com/fedora-selinux/selinux-policy/issues/200
I'll be lurking around Fedora Rawhide bugs very often and I'm ready to fix all these bugs ASAP, also with new builds. Feel free to use selinux-policy nightly builds to get fixes ASAP: https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-nightly/
Thanks, Lukas.
selinux@lists.fedoraproject.org
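
For anyone collecting the AVCs mentioned above before filing them, here is one way to pull the dac_override denials out of audit records and group them by source domain. This is an added example, not part of the original message or the selinux-policy project; the function names and the sample records (domains `example_t`, `other_t`, `userapp_t`) are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample audit records (illustrative, not captured from a real host).
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1507045000.123:456): avc:  denied  { dac_override } for  pid=1234 comm="exampled" capability=1  scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1507045001.500:457): avc:  denied  { read } for  pid=1300 comm="otherd" name="data" dev="dm-0" ino=42 scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1507045002.010:458): avc:  denied  { dac_override dac_read_search } for  pid=1234 comm="exampled" capability=1  scontext=system_u:system_r:example_t:s0 tcontext=system_u:system_r:example_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1507045003.000:459): avc:  denied  { sys_admin } for  pid=1300 comm="otherd" capability=21  scontext=system_u:system_r:other_t:s0 tcontext=system_u:system_r:other_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1507045004.700:460): avc:  denied  { dac_override } for  pid=1400 comm="userapp" capability=1  scontext=unconfined_u:unconfined_r:userapp_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:userapp_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1',
    'type=SYSCALL msg=audit(1507045004.700:460): arch=c000003e syscall=2 success=no',
])

# Permission set, process name, source context and object class of a denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)'
)
# Object classes that carry the dac_override permission.
CAP_CLASSES = {"capability", "cap_userns"}


def dac_override_denials(log_text):
    """Return one dict per AVC denial that includes dac_override."""
    hits = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        perms = m.group("perms").split()
        if m.group("tclass") not in CAP_CLASSES or "dac_override" not in perms:
            continue  # some other denial (file access, other capability)
        fields = m.group("scontext").split(":")
        # scontext is user:role:type[:level]; the type is the source domain.
        domain = fields[2] if len(fields) > 2 else m.group("scontext")
        hits.append({"domain": domain, "comm": m.group("comm"), "perms": perms})
    return hits


def summarize(hits):
    """Count denials per (domain, comm) pair."""
    return Counter((h["domain"], h["comm"]) for h in hits)


if __name__ == "__main__":
    for (domain, comm), n in summarize(dac_override_denials(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {domain}  comm={comm}")
```

To run it on a real system, pass the contents of the audit log (or saved `ausearch -m AVC` output) to `dac_override_denials` instead of `SAMPLE_LOG`.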