
Postings by Lukas Vrabec

SELinux support for boltd service

Hi,

I saw several bugs where the boltd daemon runs as unconfined_service_t. I
have prepared a new SELinux module for it.

I'll push it to Fedora Rawhide and also Fedora 28 soon. This module will
be in permissive mode, which means the policy for boltd won't be enforced
by the kernel; AVCs will just be logged, even if the whole system is in
Enforcing state.

If you find any AVCs related to boltd, please use this bugzilla [1]
to report them.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1607974

Thanks,
Lukas.

Default value of SELinux boolean httpd_graceful_shutdown will be changed.

I'm planning to change the default value of the httpd_graceful_shutdown
boolean in Fedora Rawhide to improve the SELinux configuration. Rawhide
builds with this change will be available in ~5 days.

Together with Dan Walsh, we agreed that the httpd_graceful_shutdown
boolean should be turned off by default. This boolean allows HTTPD to
connect to port 80 for graceful shutdown, but it breaks the
functionality of another boolean called httpd_can_network_connect.

Removing unnecessary dac_override capability in SELinux modules

Hi Everybody,

I'll push builds with an updated SELinux security policy into Rawhide
soon. This build will remove the unnecessary dac_override capability
from domains where it's not needed. Because of this change, we're able
to remove a lot of unnecessary rules allowing dac_override, which means
tightened security across the whole of Fedora from the SELinux POV.

This change will be part of build: selinux-policy-3.13.1-288.fc28.noarch

Tracker bug is here:
https://bugzilla.redhat.com/show_bug.cgi?id=1494520

This may result in some AVCs related to the missing DAC_OVERRIDE capability.
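Both the boltd post above (a domain shipped in permissive mode, so denials are logged but not enforced) and this dac_override post ask readers to watch audit.log for AVCs. The script below is an added example, not code from Lukas Vrabec or the selinux-policy package: it summarises AVC records by source domain, reports whether each denial happened with the domain permissive (`permissive=1`, logged only) or enforcing (`permissive=0`, access actually blocked), and lists the domains that were denied the dac_override capability. The audit lines embedded in it are constructed for the example; the contexts boltd_t and httpd_t and the PIDs are illustrative.

```shell
#!/bin/sh
# Added example: summarise SELinux AVC denials from audit.log records.
# Not part of the original mailing-list posts or of selinux-policy.

# Constructed sample audit records (not real logs). The field layout follows
# the kernel's AVC format; the permissive= field says whether the source
# domain was permissive (1: denial only logged) or enforcing (0: blocked).
AVC_SAMPLE='type=AVC msg=audit(1531234567.123:456): avc:  denied  { dac_override } for  pid=1234 comm="boltd" capability=1  scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:system_r:boltd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1531234568.456:457): avc:  denied  { read } for  pid=1234 comm="boltd" name="thunderbolt" dev="sysfs" ino=12345 scontext=system_u:system_r:boltd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1531234569.789:458): avc:  denied  { dac_override } for  pid=2222 comm="httpd" capability=1  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1531234570.012:459): avc:  denied  { dac_read_search dac_override } for  pid=2222 comm="httpd" capability=2  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1531234569.789:458): arch=c000003e syscall=257 success=no exit=-13 comm="httpd"'

# Extract "<source domain>|<perms>|<tclass>|<permissive flag>" from each
# type=AVC record on stdin; non-AVC records (SYSCALL, PROCTITLE, ...) are dropped.
avc_fields() {
    sed -n 's/^type=AVC .*avc:  denied  { \([^}]*\) } for .* scontext=[^:]*:[^:]*:\([^:]*\):.* tclass=\([a-z0-9_]*\) permissive=\([01]\).*/\2|\1|\3|\4/p'
}

# One human-readable line per AVC: domain, permission set, object class, and
# whether the access was merely logged (permissive domain) or blocked.
avc_summary() {
    avc_fields | awk -F'|' '{
        mode = ($4 == "1") ? "logged-only" : "blocked"
        print $1, "{ " $2 " }", $3, mode
    }'
}

# Domains denied the dac_override capability, deduplicated. A "blocked" entry
# means the program already fails under the tightened policy; a "logged-only"
# entry is the kind of AVC the posts ask to have reported in bugzilla.
dac_override_domains() {
    avc_fields | awk -F'|' '$3 == "capability" && index(" " $2 " ", " dac_override ") {
        mode = ($4 == "1") ? "logged-only" : "blocked"
        print $1, mode
    }' | sort -u
}

# Run on the constructed sample. On a real system feed in live records instead,
# e.g.: ausearch -m AVC -ts recent | avc_summary
printf '%s\n' "$AVC_SAMPLE" | avc_summary
printf '%s\n' "$AVC_SAMPLE" | dac_override_domains
```

The `permissive=` flag is the detail worth checking before filing a bug: an AVC with `permissive=1` from boltd_t is expected while the module ships in permissive mode and is exactly what the bugzilla wants, whereas a `permissive=0` dac_override denial from an enforcing domain means the tightened policy is already breaking that program.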