Postings by Lukas Vrabec

Default value of SELinux boolean httpd_graceful_shutdown will be changed.

I'm planning to change the default value of the httpd_graceful_shutdown
boolean in Fedora Rawhide to improve the SELinux configuration. Rawhide
builds with this change will be available in ~5 days.

Together with Dan Walsh, we agreed that the httpd_graceful_shutdown
boolean should be turned off by default. This boolean allows httpd to
connect to port 80 for graceful shutdown, but it breaks the
functionality of another boolean, httpd_can_network_connect.

Removing unnecessary dac_override capability in SELinux modules

Hi Everybody,

I'll push builds with an updated SELinux security policy into Rawhide soon;
this build will remove the dac_override capability from domains
where it's not needed. Because of this change, we're able to remove a
lot of unnecessary rules allowing dac_override, which means tightened
security across the whole of Fedora from the SELinux point of view.

This change will be part of build: selinux-policy-3.13.1-288.fc28.noarch

Tracker bug is here:

This may result in some AVCs related to the missing DAC_OVERRIDE capability.
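As an added example that is not part of Lukas's posts or of the selinux-policy package, the POSIX shell script below shows how an administrator would triage the DAC_OVERRIDE AVCs the second post warns about after the policy update lands: it pulls the denied source domains out of audit records and emits the minimal local policy module one would load only as a last resort. The audit records are constructed sample lines in the audit.log AVC format, and the function names and the module name are assumptions of this example.

```shell
#!/bin/sh
# Added example: triage of dac_override AVC denials after the selinux-policy
# update that drops the capability from domains that do not need it.
#
# On a real Fedora host the records come from the audit log, e.g.
#   ausearch -m AVC -ts recent | dac_override_domains
# and you can confirm that a domain no longer holds the capability in the
# loaded policy with
#   sesearch --allow -s httpd_t -c capability -p dac_override
#
# CONSTRUCTED sample records (not real log data). "capability=1" is
# CAP_DAC_OVERRIDE; the second record is an unrelated denial and must be ignored.
SAMPLE_AVCS='type=AVC msg=audit(1518000001.123:456): avc:  denied  { dac_override } for  pid=1234 comm="httpd" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1518000002.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1518000003.789:458): avc:  denied  { dac_override } for  pid=2345 comm="postgres" capability=1  scontext=system_u:system_r:postgresql_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1518000004.012:459): avc:  denied  { dac_override } for  pid=1234 comm="httpd" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0'

# dac_override_domains: read AVC records on stdin and print one line per
# source domain that was denied dac_override, as "<count> <domain>", sorted
# by domain. Only records of class "capability" with the dac_override
# permission are counted; other denials (e.g. name_connect) are skipped.
dac_override_domains() {
    grep 'tclass=capability' \
      | grep -F '{ dac_override }' \
      | grep -o 'scontext=[^ ]*' \
      | awk -F: '{ print $3 }' \
      | sort | uniq -c \
      | awk '{ print $1, $2 }'
}

# local_te_module DOMAIN: print a minimal policy module that re-grants
# dac_override to DOMAIN (what audit2allow would generate for these AVCs).
# This is the fallback, not the preferred fix: a process that trips
# dac_override is reading or writing a file whose owner/mode would deny it
# under plain DAC, so first correct the file's ownership or permissions; if
# the program genuinely needs the capability, report it against the tracker
# bug so the policy itself is fixed. To load the fallback module:
#   checkmodule -M -m -o local.mod local.te
#   semodule_package -o local.pp -m local.mod
#   semodule -i local.pp
local_te_module() {
    domain=$1
    cat <<EOF
module local_dac_override_${domain} 1.0;

require {
    type ${domain};
    class capability dac_override;
}

allow ${domain} self:capability dac_override;
EOF
}

# Demo on the constructed sample (replace with ausearch output on a real host).
printf '%s\n' "$SAMPLE_AVCS" | dac_override_domains
```

The `tclass=capability` filter matters: the same `{ dac_override }` string never appears for other classes, but the filter documents the intent and keeps the pipeline honest if the log format gains similarly named permissions in the future.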