SELinux with omarine policy: Disabling policy rules

Because of the diverse needs of users, Omarine by default allows processes in the user domains (i.e. staff_t, user_t) to read the password file (/etc/shadow). This can become a vulnerability if such a process is misused. Ideally, only the dedicated program 'passwd' should be able to read the password file.

I have defined a boolean condition so that users can turn this access off if necessary. The condition is allow_user_domain_read_shadow. You can view its status by running this command, as the root user:

getsebool allow_user_domain_read_shadow

The default status is on. The rules that allow reading the password file depend on this condition. To disable those rules, switch the status of the condition to off, as the root user (the -P flag makes the change persistent across reboots):

setsebool -P allow_user_domain_read_shadow off

Of course, you can turn the status back on, as the root user:

setsebool -P allow_user_domain_read_shadow on

Note: The above applies only after you update the security policy using Omarine Update, because the allow_user_domain_read_shadow condition is only available in the updated version. On a system with the older policy, getsebool will report that the boolean does not exist.
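As an added example (not code from the Omarine post), the POSIX shell script below wraps the check described above in something a compliance script can call: it parses the `<name> --> <on|off>` line that getsebool prints, reports whether the hardened (off) state is in effect, and counts AVC denials of reads on shadow_t files by staff_t/user_t processes in audit log lines, which is what you expect to see from a user-domain process that still tries to read /etc/shadow once the boolean is off. The audit lines embedded in the script are constructed samples, and when getsebool is not installed the script falls back to a constructed getsebool line, so it also runs on a machine without SELinux.

```shell
#!/bin/sh
# Added example: check allow_user_domain_read_shadow and look for the
# AVC denials that appear once it is off. Not part of the Omarine policy.

BOOL="allow_user_domain_read_shadow"

# sebool_state "<getsebool line>": print "on" or "off" for our boolean,
# nothing if the line is for another boolean or is an error message.
sebool_state() {
    printf '%s\n' "$1" | awk -v b="$BOOL" '$1 == b && $2 == "-->" { print $3 }'
}

# current_state: query the live system; fall back to a constructed
# sample line (assumption for offline use) when getsebool is absent.
current_state() {
    if command -v getsebool >/dev/null 2>&1; then
        sebool_state "$(getsebool "$BOOL" 2>/dev/null)"
    else
        sebool_state "$BOOL --> on"   # constructed sample, default state
    fi
}

# assess "<state>": exit 0 when the hardened state is in effect,
# 1 when user domains may still read /etc/shadow, 2 when unknown
# (boolean missing, i.e. the policy has not been updated yet).
assess() {
    case "$1" in
        off) echo "$BOOL=off: only the dedicated passwd program reads /etc/shadow"; return 0 ;;
        on)  echo "$BOOL=on: staff_t/user_t may read /etc/shadow (default)"; return 1 ;;
        *)   echo "$BOOL: state unknown (boolean missing; update the policy first)"; return 2 ;;
    esac
}

# shadow_denials "<audit lines>": count AVC lines denying { read } on a
# shadow_t file to a staff_t or user_t process.
shadow_denials() {
    printf '%s\n' "$1" | awk '
        index($0, "avc:  denied  { read }") &&
        $0 ~ /scontext=[^ ]*:(staff_t|user_t):/ &&
        $0 ~ /tcontext=[^ ]*:shadow_t:/ { n++ }
        END { print n + 0 }'
}

# Constructed sample audit records (not from a real system): two shadow
# read denials from user domains and one unrelated write denial.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.001:101): avc:  denied  { read } for  pid=2101 comm="cat" name="shadow" dev="sda2" ino=1313 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.002:102): avc:  denied  { read } for  pid=2102 comm="less" name="shadow" dev="sda2" ino=1313 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.003:103): avc:  denied  { write } for  pid=2103 comm="vi" name="hosts" dev="sda2" ino=77 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0'

state=$(current_state)
assess "$state" || :
echo "shadow read denials from user domains in sample log: $(shadow_denials "$SAMPLE_AUDIT")"
```

On a real Omarine host, replace SAMPLE_AUDIT with the relevant lines from /var/log/audit/audit.log (for example via ausearch) after setting the boolean to off; a non-zero count then tells you which user-domain programs were still trying to read the password file and need attention.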
