Petr Menšík wrote:
> It is about 2 years when we were removing CAP_DAC_OVERRIDE from our
> services, because selinux-policy does not grant it anymore. I think it
> is a good thing. Running as openvpn user, but requiring then
> CAP_DAC_OVERRIDE is insecure! It gives it more rights than just root
> users without this permission would have. I would suggest reconsider
> such design and run netcfg as root, just with dropped capabilities
> except CAP_NET_ADMIN, if it needs to modify resolv.conf. resolvconf call
> should not pose significant threat.
IMHO, the proper fix would be to have a proper facl on resolv.conf for the
openvpn user.
Kevin Kofler
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
