This bug has been migrated to another issue tracking site. It has been closed here and may no longer be monitored.

If you would like to get updates for this issue, or to participate in it, you may do so at the Red Hat Issue Tracker.
Bug 2000945 - Reduce dac_override usage
Summary: Reduce dac_override usage
Keywords:
Status: CLOSED MIGRATED
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-selinux
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: beta
Target Release: ---
Assignee: Julie Pichon
QA Contact: nlevinki
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2021-09-03 11:00 UTC by Julie Pichon
Modified: 2024-01-05 21:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-01-05 21:39:11 UTC
Target Upstream Version:
Embargoed:




Links
System                   ID                          Private  Priority  Status  Summary  Last Updated
Github redhat-openstack  openstack-selinux pull 77   0        None      None    None     2021-09-03 11:12:22 UTC
Red Hat Issue Tracker    OSP-31078                   0        None      None    None     2024-01-05 21:39:58 UTC
Red Hat Issue Tracker    OSPRH-2964                  0        None      None    None     2024-01-05 21:39:10 UTC

Description Julie Pichon 2021-09-03 11:00:22 UTC
dac_override is a very broad SELinux capability that allows a process with the given label to bypass file permissions and access a file regardless of its permissions.

In most cases, allowing something this wide shouldn't be necessary. A change in code or deployment setting (e.g. to adjust the permission of a required file) should be sufficient to resolve the denial, as opposed to giving blanket permission to ignore file access checks across the entire system.

The issue, why it should be fixed, and how to debug it are explained in more detail in this blog post from Dan Walsh: https://danwalsh.livejournal.com/79643.html

A few services have this capability in OpenStack. As part of our efforts to tighten security, we want to get rid of this really broad rule. This will likely require changes in the services, although it's also possible that some of these are no longer needed with the move to containers.


The five services currently requiring dac_override:

1. In os-glance.te:

        allow glance_api_t self:capability { dac_override };

This was added in commit [1] due to bug 1475378 and bug 1447779 (around glance and cinder interoperability).

[1] https://github.com/redhat-openstack/openstack-selinux/commit/5002b373 (2017)

2. In os-keepalived.te:

        allow keepalived_t self:capability { dac_override };

This was added in commit [2], for bug 1180881 from what I can tell based on the dates and logs, related to HA - VRRP.

[2] https://github.com/redhat-openstack/openstack-selinux/commit/8d5d6bb (2015)

3. In os-nova.te:

        allow virtlogd_t self:capability dac_override;

This was added in commit [3] as part of the work to resolve bug 1377272 and related duplicates around VMs not booting.

[3] https://github.com/redhat-openstack/openstack-selinux/commit/36861f0 (2016)

4. In os-octavia.te:

        allow haproxy_t self:capability { dac_override };

This was added in commit [4] as part of the work to resolve bug 1715492 related to Amphora/HAProxy not starting.

[4] https://github.com/redhat-openstack/openstack-selinux/commit/38c2a78a (2019)

5. In os-ovs.te:

        allow openvswitch_t self:capability { dac_override };

This was added in commit [5] for bug 1498797 around ovsdb not starting. (It looks like the upstream openvswitch policy also carries this setting [6] since the first commit [7].)

[5] https://github.com/redhat-openstack/openstack-selinux/commit/2775ec70 (2017)
[6] https://pagure.io/openvswitch-selinux-policy/blob/5c172a5/f/openvswitch-custom.te#_59
[7] https://pagure.io/openvswitch-selinux-policy/c/eac9842


---

The first part of the work will be to move each of these rules behind booleans that are enabled by default (aka a noop for now). Then we can turn them off individually as they get fixed.
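
As an added example (not code from this bug report, from PR 77, or from the openstack-selinux project), here is the triage the description asks for, in POSIX shell over constructed audit records. It pairs each dac_override AVC with the PATH record of the same audit event, so the file whose ownership or mode is wrong can be fixed in the service or deployment instead of granting the capability; it flags denials whose event carries no PATH record (syscall auditing was off when they were logged); and it prints the refpolicy boolean-gated form of a rule, which is the shape of the first step in the plan above. The audit lines, the paths, the owning uid, and the boolean naming scheme (the type name minus _t, plus _dac_override) are all assumptions for illustration, not values taken from the bug or the patch.

```shell
#!/bin/sh
# Added example (not code from the bug or from openstack-selinux): triage
# dac_override AVC denials without granting the capability.
# Every audit record below is constructed for illustration.

SAMPLE_AUDIT_LOG='type=AVC msg=audit(1630666822.123:4567): avc:  denied  { dac_override } for  pid=1234 comm="haproxy" capability=1  scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1630666822.123:4567): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d6c2a3e2c0 a2=2 a3=0 items=1 ppid=1 pid=1234 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="haproxy" exe="/usr/sbin/haproxy" subj=system_u:system_r:haproxy_t:s0 key=(null)
type=PATH msg=audit(1630666822.123:4567): item=0 name="/var/lib/octavia/haproxy.cfg" inode=12345 dev=fd:00 mode=0100600 ouid=1001 ogid=1001 rdev=00:00 obj=system_u:object_r:var_lib_t:s0 nametype=NORMAL
type=AVC msg=audit(1630666900.456:4570): avc:  denied  { dac_override } for  pid=2222 comm="ovsdb-server" capability=1  scontext=system_u:system_r:openvswitch_t:s0 tcontext=system_u:system_r:openvswitch_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1630666950.789:4580): avc:  denied  { read } for  pid=3333 comm="glance-api" name="glance-api.conf" dev="dm-0" ino=42 scontext=system_u:system_r:glance_api_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# Read raw audit records on stdin (e.g. from "ausearch --raw -m AVC") and print
# one line per dac_override denial: source type, comm, and the file named by the
# PATH record sharing the event serial, with its mode and owner.  Denials whose
# event has no PATH record are reported as such (syscall auditing was off).
dac_override_report() {
    awk '
    # Event serial: the number after the colon in msg=audit(SECONDS.MS:SERIAL)
    function serial(line,   s) {
        s = line
        sub(/^.*msg=audit\([0-9.]+:/, "", s)
        sub(/\).*$/, "", s)
        return s
    }
    # Value of key="..." or key=... in an audit record ("" if absent)
    function field(line, key,   s) {
        s = line
        if (match(s, key "=\"[^\"]*\""))
            return substr(s, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        if (match(s, key "=[^ ]*"))
            return substr(s, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        return ""
    }
    /^type=AVC / && /denied/ && /dac_override/ && /tclass=capability/ {
        id = serial($0)
        split(field($0, "scontext"), ctx, ":")   # user:role:type:level
        avc_type[id] = ctx[3]
        avc_comm[id] = field($0, "comm")
        order[++n] = id
        next
    }
    /^type=PATH / {
        id = serial($0)
        if ((id in avc_type) && !(id in avc_path)) {
            avc_path[id]  = field($0, "name")
            avc_mode[id]  = field($0, "mode")
            avc_owner[id] = field($0, "ouid") ":" field($0, "ogid")
        }
        next
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            if (id in avc_path)
                printf "%s %s %s mode=%s owner=%s\n", avc_type[id], avc_comm[id],
                       avc_path[id], avc_mode[id], avc_owner[id]
            else
                printf "%s %s <no PATH record: enable syscall auditing first>\n",
                       avc_type[id], avc_comm[id]
        }
    }'
}

# Emit the refpolicy form of "one rule behind one boolean that defaults to on",
# the noop first step the bug proposes.  The boolean name is an assumption made
# here for illustration; the real patch may name it differently.
gated_rule() {
    type="$1"
    bool="${type%_t}_dac_override"
    printf 'gen_tunable(%s, true)\n' "$bool"
    printf "tunable_policy(\`%s', \`\n" "$bool"
    printf '    allow %s self:capability dac_override;\n' "$type"
    printf "')\n"
}

# Run on the constructed sample, then show the gated form for the first offender.
demo() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | dac_override_report
    echo
    gated_rule haproxy_t
}
demo
```

On a real host, feed it with ausearch --raw -m AVC | dac_override_report (raw form; the -i option rewrites the msg=audit(...) prefix the serial is taken from). A dac_override AVC on its own names no file: the PATH record only exists when syscall auditing is active, and a watch rule such as auditctl -w /etc/shadow -p w is a common way to turn that on system-wide before reproducing the denial. Because the kernel consults CAP_DAC_OVERRIDE only after the ordinary owner/group/mode check has already failed, the line printed for haproxy_t (a 0600 file owned by uid 1001, opened by a uid 0 process) is exactly the kind of mismatch the description says should be fixed by adjusting the file or the service rather than by policy.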

Comment 1 Julie Pichon 2021-09-03 11:12:22 UTC
Noop patch to move the rules behind booleans so that they can be worked on individually: https://github.com/redhat-openstack/openstack-selinux/pull/77/

