In Linux v4.12, the checks for the dac_override and dac_read_search capabilities were reordered. This ensures that dac_override is only checked for operations where it is required. For more info see: http://www.paul-moore.com/blog/d/2017/07/linux-v412.html

Because of this change, we're able to remove a lot of unnecessary rules allowing dac_override, which means tightened security in the whole of Fedora from the SELinux POV.

I created a COPR repo with these changes here: https://copr.fedorainfracloud.org/coprs/lvrabec/selinux-policy-dac/ and also an issue tracking it here: https://github.com/fedora-selinux/selinux-policy/issues/200

After some testing we're ready to push these changes to Fedora Rawhide. This bug can serve as an issue tracker for possible bugs related to dac_override in the future.

Commits affecting this change:
https://github.com/fedora-selinux/selinux-policy/commit/3fd139f8b19fc5f2862dde2370dff4132cd1a8c9
https://github.com/fedora-selinux/selinux-policy-contrib/commit/cc5d0d7c98d06866f26dd1f54b34f70fd3b531f9

Changes will be part of build: selinux-policy-3.13.1-288.fc28.noarch
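Once the blanket dac_override rules are gone, the practical question for a policy maintainer is which domains actually needed them. The following is an added triage helper (not code from the bug report or from the selinux-policy project) that parses AVC denials of class capability, counts dac_override and dac_read_search denials per source domain, and applies the v4.12 ordering as a heuristic: for read and search operations the kernel now tries dac_read_search first and only falls through to dac_override, so a domain denied both was most likely only reading, while a domain denied dac_override alone was writing or executing and genuinely needs it. The audit lines and the example_reader_t / example_writer_t domains are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit lines (not taken from the bug report). Two hypothetical
# domains hit DAC checks after the dac_override cleanup: one reads a root-owned
# file (dac_read_search tried first, then dac_override), one writes to it
# (only dac_override is ever consulted).
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1504000000.101:201): avc:  denied  { dac_read_search } for  '
    'pid=2101 comm="example_reader" capability=2  '
    'scontext=system_u:system_r:example_reader_t:s0 '
    'tcontext=system_u:system_r:example_reader_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1504000000.101:202): avc:  denied  { dac_override } for  '
    'pid=2101 comm="example_reader" capability=1  '
    'scontext=system_u:system_r:example_reader_t:s0 '
    'tcontext=system_u:system_r:example_reader_t:s0 tclass=capability permissive=0',
    'type=AVC msg=audit(1504000000.250:203): avc:  denied  { dac_override } for  '
    'pid=2102 comm="example_writer" capability=1  '
    'scontext=system_u:system_r:example_writer_t:s0 '
    'tcontext=system_u:system_r:example_writer_t:s0 tclass=capability permissive=0',
    # A file-class denial: must be ignored by the capability summary.
    'type=AVC msg=audit(1504000000.300:204): avc:  denied  { write } for  '
    'pid=2102 comm="example_writer" name="state" dev="dm-0" ino=1234 '
    'scontext=system_u:system_r:example_writer_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
]

# "avc:  denied  { perm1 perm2 } for  key=value ..." as written by the kernel.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_avc(line):
    """Return a record for a capability-class AVC denial, or None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value, quoted in FIELD_RE.findall(m.group(2)):
        fields[key] = quoted if value.startswith('"') else value
    if fields.get('tclass') != 'capability':
        return None
    # scontext is user:role:type:level; the type is the SELinux domain.
    parts = fields.get('scontext', '').split(':')
    domain = parts[2] if len(parts) >= 3 else fields.get('scontext', '')
    return {
        'domain': domain,
        'comm': fields.get('comm'),
        'perms': m.group(1).split(),
        'permissive': fields.get('permissive') == '1',
    }


def summarize(lines):
    """Count denied capability permissions per source domain."""
    summary = defaultdict(Counter)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            summary[rec['domain']][perm] += 1
    return dict(summary)


def triage(summary):
    """Heuristic based on the v4.12 check order: suggest the weaker capability
    when a domain was denied both, dac_override only when it was denied alone."""
    verdicts = {}
    for domain, counts in summary.items():
        if counts['dac_override'] and counts['dac_read_search']:
            verdicts[domain] = 'dac_read_search'
        elif counts['dac_override']:
            verdicts[domain] = 'dac_override'
        elif counts['dac_read_search']:
            verdicts[domain] = 'dac_read_search'
    return verdicts


if __name__ == '__main__':
    counts = summarize(SAMPLE_AUDIT_LINES)
    for domain, verdict in triage(counts).items():
        print(f'{domain}: {dict(counts[domain])} -> consider allowing {verdict}')
```

The verdict is a starting point for review, not an automatic policy change: a domain denied dac_override while accessing a file it owns by design usually points at wrong ownership or mode on that file, which is the better fix than granting the capability back.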
Guys, not sure if this is relevant, but this change with the same title broke Satellite 6.6 on RHEL8: https://bugzilla.redhat.com/show_bug.cgi?id=1716944

commit cc5d0d7c98d06866f26dd1f54b34f70fd3b531f9
Author: Lukas Vrabec <lvrabec>
AuthorDate: Mon Aug 28 12:35:07 2017 +0200
Commit: Lukas Vrabec <lvrabec>
CommitDate: Fri Sep 22 13:46:04 2017 +0200

Remove all unnecessary dac_override capability in SELinux modules.

Just letting you know, we are going to add this rule back in our policy.
Thanks for the update, Lukas.
Closing bug as CURRENTRELEASE; as mentioned in the description, this is already fixed in Fedora 28.