Bug 1494520

Summary: Remove all unnecessary dac_override capability in SELinux modules
Product: [Fedora] Fedora
Reporter: Lukas Vrabec <lvrabec>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: rawhide
CC: dwalsh, lsm5, lvrabec, lzap, plautrba
Target Milestone: ---
Keywords: Tracking
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2019-06-05 11:22:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Lukas Vrabec 2017-09-22 12:13:03 UTC
In Linux v4.12, the checks for the dac_override and dac_read_search capabilities were reordered. This ensures that dac_override is only checked for operations where it is required.

For more info see:
http://www.paul-moore.com/blog/d/2017/07/linux-v412.html

Because of this change, we're able to remove a lot of unnecessary rules allowing dac_override, which means tightened security across the whole of Fedora from the SELinux POV.

I created a Copr repo with these changes here:
https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-dac/

and also an issue tracking it here:
https://github.com/fedora-selinux/selinux-policy/issues/200

After some testing we're ready to push these changes to Fedora Rawhide.

This bug can serve as an issue tracker for possible bugs related to dac_override in the future.


Commits affecting this change:
https://github.com/fedora-selinux/selinux-policy/commit/3fd139f8b19fc5f2862dde2370dff4132cd1a8c9

https://github.com/fedora-selinux/selinux-policy-contrib/commit/cc5d0d7c98d06866f26dd1f54b34f70fd3b531f9

Changes will be part of build: selinux-policy-3.13.1-288.fc28.noarch

Comment 1 Lukas Zapletal 2019-06-04 12:59:39 UTC
Guys, not sure if this is relevant, but this change with the same title broke Satellite 6.6 on RHEL 8: https://bugzilla.redhat.com/show_bug.cgi?id=1716944

commit cc5d0d7c98d06866f26dd1f54b34f70fd3b531f9
Author:     Lukas Vrabec <lvrabec>
AuthorDate: Mon Aug 28 12:35:07 2017 +0200
Commit:     Lukas Vrabec <lvrabec>
CommitDate: Fri Sep 22 13:46:04 2017 +0200

    Remove all unnecessary dac_override capability in SELinux modules.

Just letting you know, we are going to add this rule back in our policy.

Comment 2 Lukas Vrabec 2019-06-05 11:22:03 UTC
Thanks for the update, Lukas.

Comment 3 Lukas Vrabec 2019-06-05 11:22:55 UTC
Closing the bug as CURRENTRELEASE; as mentioned in the description, this is already fixed in Fedora 28.