SELinux with omarine policy: Disabling policy rules


Because users' needs vary, Omarine by default allows processes in the user domains (staff_t and user_t) to read the shadow password file, /etc/shadow. That is more access than most systems need: a bug in, or a compromise of, any process running in a user domain could expose the password hashes. Ideally only a dedicated program such as passwd, running in its own domain, should be able to read that file.


To accommodate both cases, I have defined an SELinux boolean (a conditional in the policy) so that users can turn this access off when they need to. The boolean is allow_user_domain_read_shadow. You can view its current state by running this command as the root user:


getsebool allow_user_domain_read_shadow


The default state is on. The rules that allow user domains to read the shadow file are conditional on this boolean, so switching it to off disables them. Do this as the root user; the -P flag writes the change to the policy store so that it survives a reboot (without -P the change is lost the next time the policy is loaded):


setsebool -P allow_user_domain_read_shadow off



Of course you can turn it back on in the same way, as the root user:


setsebool -P allow_user_domain_read_shadow on


Note: The above applies only after you have updated the security policy with Omarine Update, because the allow_user_domain_read_shadow boolean exists only in the updated policy. On an older policy, getsebool and setsebool will fail with an error for this boolean.
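The steps above can be scripted so that the boolean is switched off only when it is actually on, and so that the result is checked against the loaded policy rather than assumed. The script below is an added example, not part of the Omarine page or of its policy: it assumes a system with SELinux tools (getsebool, setsebool), setools (sesearch) and root privileges, and the sesearch output lines used in the comments are constructed to match the format setools prints for conditional rules.

```shell
#!/bin/sh
# Added example (not Omarine's own code): disable the
# allow_user_domain_read_shadow boolean persistently and verify that no
# active allow rule lets staff_t or user_t read shadow_t files.
# Assumes: getsebool/setsebool (policycoreutils), sesearch (setools), root.

BOOL=allow_user_domain_read_shadow

# Parse one getsebool line, e.g. "allow_user_domain_read_shadow --> on",
# and print only the state ("on" or "off"). Prints nothing for any other input.
bool_state() {
    printf '%s\n' "$1" | awk '$2 == "-->" && ($3 == "on" || $3 == "off") { print $3 }'
}

# Query the live state of a boolean by name.
current_state() {
    bool_state "$(getsebool "$1" 2>/dev/null)"
}

# Switch the boolean off if it is on. -P makes the change persistent.
# Fails when the boolean cannot be read, e.g. on a policy that predates it.
disable_bool() {
    case "$(current_state "$1")" in
        off) echo "$1 is already off" ;;
        on)  setsebool -P "$1" off && echo "$1 switched off" ;;
        *)   echo "cannot read $1: is the updated policy installed?" >&2; return 1 ;;
    esac
}

# Count sesearch rule lines that still grant access to shadow_t files.
# setools prints conditional rules with a trailing "[ name ]:True" when the
# rule is currently active and "[ name ]:False" when it is not; an
# unconditional allow carries no suffix and therefore also counts as active.
# Constructed sample line for reference:
#   allow staff_t shadow_t:file { getattr ioctl lock open read }; [ allow_user_domain_read_shadow ]:True
active_shadow_rules() {
    printf '%s\n' "$1" | awk '/shadow_t:file/ && !/:False/ { n++ } END { print n + 0 }'
}

# Check each user domain against the loaded policy and report the verdict.
verify_shadow_protection() {
    rc=0
    for d in staff_t user_t; do
        out=$(sesearch -A -s "$d" -t shadow_t -c file -p read 2>/dev/null)
        n=$(active_shadow_rules "$out")
        if [ "$n" -eq 0 ]; then
            echo "OK: no active rule lets $d read shadow_t files"
        else
            echo "WARNING: $n active rule(s) still let $d read shadow_t files" >&2
            rc=1
        fi
    done
    return $rc
}

# Only act when run as root on an SELinux system; otherwise just define functions.
if [ "$(id -u)" = 0 ] && command -v getsebool >/dev/null 2>&1; then
    disable_bool "$BOOL" && verify_shadow_protection
fi
```

After running it, a read attempt from a user-domain process should produce an AVC denial in the audit log, which you can confirm with ausearch -m AVC -ts recent and look for shadow_t in the target context. If verify_shadow_protection still reports active rules after the boolean is off, an unconditional allow exists somewhere in the policy and the boolean alone will not close the access.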

