Because of the diverse needs of users, Omarine by default allows processes in the user domains (i.e. staff_t, user_t) to read the password file (/etc/shadow). This can be a vulnerability if such processes exist, since any of them could read the password hashes. It is best if only the dedicated program 'passwd' is able to read the password file.
I have defined a logical condition so that users can turn it off if necessary. The condition is allow_user_domain_read_shadow. You can view its status by running this command, as the
The default status is on. The rules that allow reading the password file depend on this condition. To disable those rules, switch the condition off, as the
setsebool -P allow_user_domain_read_shadow off
Of course you can turn the condition back on, as the
setsebool -P allow_user_domain_read_shadow on
Note: The above applies only when you have updated the security policy using Omarine Update, because the allow_user_domain_read_shadow condition is only available in the updated version.
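As an added example (not code from the Omarine post), here is a small POSIX sh audit helper that reports whether allow_user_domain_read_shadow is off, on, or absent from the loaded policy; the "absent" case corresponds to the note above about a policy that has not yet been updated. It assumes the "name --> state" output format of getsebool from policycoreutils. The getsebool output embedded in the script is constructed, not captured from a real host, and is only used when the script runs on a machine without the SELinux tools.

```shell
#!/bin/sh
# Added example, not code from the Omarine post. Audits the SELinux boolean
# allow_user_domain_read_shadow. Assumes getsebool (policycoreutils) prints
# one "name --> state" line per boolean.

BOOL=allow_user_domain_read_shadow

# Constructed sample of `getsebool -a` output (not captured from a real host),
# used when the script runs on a machine without SELinux tools.
SAMPLE_GETSEBOOL='allow_execmem --> off
allow_user_domain_read_shadow --> on
user_ping --> on'

# bool_state NAME TEXT: print on/off for boolean NAME found in getsebool-style
# TEXT, or "absent" when no such boolean exists in the loaded policy.
bool_state() {
    printf '%s\n' "$2" | awk -v b="$1" '
        $1 == b && $2 == "-->" { print $3; found = 1; exit }
        END { if (!found) print "absent" }'
}

# shadow_read_verdict TEXT: classify the state of the boolean from TEXT.
#   locked-down    -> off: only the passwd program reads /etc/shadow
#   exposed        -> on: staff_t/user_t processes may read /etc/shadow
#   boolean-absent -> not in the policy (Omarine Update not yet applied)
shadow_read_verdict() {
    case $(bool_state "$BOOL" "$1") in
        off) echo locked-down ;;
        on)  echo exposed ;;
        *)   echo boolean-absent ;;
    esac
}

# audit: use the live policy when getsebool is installed, else the sample.
audit() {
    if command -v getsebool >/dev/null 2>&1; then
        text=$(getsebool -a 2>/dev/null)
    else
        text=$SAMPLE_GETSEBOOL
    fi
    verdict=$(shadow_read_verdict "$text")
    case $verdict in
        locked-down)
            echo "OK: $BOOL is off; user domains cannot read /etc/shadow" ;;
        exposed)
            echo "WARNING: $BOOL is on; run: setsebool -P $BOOL off" ;;
        boolean-absent)
            echo "NOTE: $BOOL not found; update the policy with Omarine Update" ;;
    esac
}

audit
```

Run it as root before and after "setsebool -P allow_user_domain_read_shadow off" to confirm the change took effect and persisted (the -P flag writes the new value into the policy store so it survives a reboot).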