Because of the diverse needs of users, Omarine by default allows processes in the user domain (i.e. staff_t, user_t) to read the password file (/etc/shadow). This can become a vulnerability if one of those processes is compromised. Ideally, only the dedicated program 'passwd' should be able to read the password file.
I have defined a logical condition (an SELinux boolean) so that users can turn this access off if necessary. The condition is allow_user_domain_read_shadow. You can view its status by running this command as the root user:
getsebool allow_user_domain_read_shadow
The default status is on. The rules that allow reading the password file depend on this condition. To disable the rules, switch the status of the condition to off, as the root user:
setsebool -P allow_user_domain_read_shadow off
Of course, you can turn it back on, as the root user:
setsebool -P allow_user_domain_read_shadow on
Note: The above applies only when you update the security policy using Omarine Update, because the allow_user_domain_read_shadow condition is only available in the updated version.
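The following audit helper is an added example, not Omarine's own code. It ties the three steps above together: it queries the boolean with getsebool, reports whether user domains can still read /etc/shadow, and treats a boolean that is absent from the loaded policy (the un-updated case described in the note) as a distinct finding rather than an error. It assumes only the standard getsebool output format, "name --> on|off"; the function names, the --run flag and the exit codes are this example's own conventions.

```shell
#!/bin/sh
# Added audit helper (not Omarine's code): reports whether the
# allow_user_domain_read_shadow boolean is present and off, i.e. whether
# user-domain processes (staff_t, user_t) are still allowed to read /etc/shadow.

BOOL=allow_user_domain_read_shadow

# Parse one line of getsebool output ("name --> on|off") for the given boolean.
# Prints on/off/missing. Exit status: 0 = off (hardened), 1 = on, 2 = missing.
selinux_bool_state() {
    name=$1
    line=$2
    case $line in
        "$name --> off") echo off; return 0 ;;
        "$name --> on")  echo on;  return 1 ;;
        *)               echo missing; return 2 ;;
    esac
}

# Query the loaded policy. getsebool exits non-zero and prints nothing on
# stdout when the boolean is unknown, which is what a policy that has not been
# updated with Omarine Update looks like, so that case is reported as "missing".
audit_shadow_boolean() {
    out=$(getsebool "$BOOL" 2>/dev/null) || out=""
    state=$(selinux_bool_state "$BOOL" "$out")
    case $state in
        off)
            echo "OK: $BOOL is off; user domains cannot read /etc/shadow"
            return 0 ;;
        on)
            echo "WARNING: $BOOL is on; user domains may read /etc/shadow"
            # -P makes the change persistent across reboots
            echo "  remediate as root: setsebool -P $BOOL off"
            return 1 ;;
        *)
            echo "NOTICE: $BOOL not found in the loaded policy"
            echo "  update the policy with Omarine Update, then re-run this check"
            return 2 ;;
    esac
}

# Run the audit only when invoked as "sh shadow_audit.sh --run", so the file
# can also be sourced by other scripts for its functions. The exit status is
# the finding (0 hardened, 1 still readable, 2 boolean missing).
if [ "${1:-}" = --run ]; then
    audit_shadow_boolean
    exit $?
fi
```

Run it as root with `sh shadow_audit.sh --run`; a non-zero exit status is convenient for configuration-compliance jobs that should fail while user domains can still read the password file.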
Contact: tuyen@omarine.org