On Wed, Sep 16, 2015 at 12:10:42AM +0530, Divya Vyas wrote:
> Hi,
> How do I write a policy rule to stop http server reading /etc/passwd
> file.
> neverallow ~can_read_shadow_passwords httpd_t:file read;
>
> Will this work?

That is not what neverallow statements do. If you want to remove the ability for something to read a file, you have to remove the allow rule. There is no deny rule. Neverallow means there will instead be a compile error if you try and add that rule. There should already be a neverallow for shadow and you need to grant an exception.

But more importantly, have you checked that your http server is actually allowed to read shadow? Almost nothing can.

sesearch -ACT -s httpd_t -t shadow_t

This will tell you all the perms that httpd can do on shadow. If file read is not one of them, you do not have to do anything.

-- 
Jason
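The reply makes two points worth seeing in code: access exists only where an allow rule grants it (so removing the allow rule is the fix), and a neverallow is a build-time check, not a runtime deny. The script below is an added example, not code from this thread, from setools or from the SELinux reference policy. It assumes rules come one per line in the form sesearch prints and policy sources use (`allow httpd_t shadow_t:file { getattr open read };`); the sample outputs, the `httpd_config_t` and `httpd_tmp_t` lines, and the function names are constructed for the example, and attributes, type sets and negations such as `~can_read_shadow_passwords` are not expanded.

```python
"""Check sesearch-style allow rules for one permission and flag
allow/neverallow overlaps, which checkpolicy rejects at build time.
Added example: not from the mailing-list thread, setools or refpolicy.
"""
import re
from typing import FrozenSet, List, NamedTuple, Tuple


class Rule(NamedTuple):
    kind: str            # "allow" or "neverallow"
    src: str             # source type, e.g. httpd_t
    tgt: str             # target type, e.g. shadow_t
    cls: str             # object class, e.g. file
    perms: FrozenSet[str]


# Matches the head of an allow/neverallow rule: plain type names only,
# permissions either as one word or as a brace-delimited set. Anything after
# the terminating ';' is ignored, and lines of other kinds (type_transition
# from -T, sesearch headers, blank lines) do not match at all.
RULE_RE = re.compile(
    r"^\s*(?P<kind>allow|neverallow)\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?P<perms>\{[^}]*\}|[^\s;]+)\s*;"
)


def parse_rules(text: str) -> List[Rule]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        perms = frozenset(m.group("perms").strip("{} ").split())
        rules.append(Rule(m.group("kind"), m.group("src"), m.group("tgt"),
                          m.group("cls"), perms))
    return rules


def permission_granted(rules: List[Rule], src: str, tgt: str, cls: str,
                       perm: str) -> bool:
    """SELinux has no deny rule: access exists only if some allow rule grants
    it, so the absence of a matching allow rule is already the denial."""
    return any(r.kind == "allow" and (r.src, r.tgt, r.cls) == (src, tgt, cls)
               and perm in r.perms for r in rules)


def neverallow_conflicts(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """(allow, neverallow) pairs on the same source/target/class whose
    permissions overlap. Such a pair does not block anything at runtime; it
    makes the policy fail to compile, which is the error the reply describes."""
    nevers = [r for r in rules if r.kind == "neverallow"]
    return [(a, n) for a in rules if a.kind == "allow"
            for n in nevers
            if (a.src, a.tgt, a.cls) == (n.src, n.tgt, n.cls) and a.perms & n.perms]


def report(text: str, src: str = "httpd_t", tgt: str = "shadow_t",
           cls: str = "file", perm: str = "read") -> str:
    """Human-readable verdict: either the allow rule(s) to remove, or nothing to do."""
    rules = parse_rules(text)
    offenders = [r for r in rules if r.kind == "allow" and perm in r.perms
                 and (r.src, r.tgt, r.cls) == (src, tgt, cls)]
    if not offenders:
        return f"{src} cannot {perm} {tgt}:{cls}; nothing to change"
    listed = "; ".join(
        f"allow {r.src} {r.tgt}:{r.cls} {{ {' '.join(sorted(r.perms))} }}"
        for r in offenders)
    return f"{src} can {perm} {tgt}:{cls}; remove the allow rule(s): {listed}"


# Constructed sample outputs (not real sesearch captures). The first is what
# a healthy system looks like: no read on shadow_t. The second shows a
# misconfigured policy plus an unrelated type_transition line from -T output.
CLEAN_OUTPUT = """\
allow httpd_t shadow_t:file getattr;
"""

LEAKY_OUTPUT = """\
allow httpd_t shadow_t:file { getattr open read };
allow httpd_t httpd_config_t:file { getattr open read };
type_transition httpd_t tmp_t:file httpd_tmp_t;
"""

# A neverallow for the same pair, written as it would appear in policy source.
NEVERALLOW_RULE = "neverallow httpd_t shadow_t:file { read };\n"


if __name__ == "__main__":
    print(report(CLEAN_OUTPUT))
    print(report(LEAKY_OUTPUT))
    for a, n in neverallow_conflicts(parse_rules(LEAKY_OUTPUT + NEVERALLOW_RULE)):
        print("build-time conflict:", a, "vs", n)
```

To use it against a live system, pipe the output of `sesearch -ACT -s httpd_t -t shadow_t` into `report()`; an empty result or a result without `read` means there is no rule to remove.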